| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <20200717195536.16069-1-phillip@squashfs.org.uk>
Date: Fri, 17 Jul 2020 20:55:36 +0100
From: Phillip Lougher <phillip@...ashfs.org.uk>
To: linux-kernel@...r.kernel.org
Cc: akpm@...ux-foundation.org, pliard@...gle.com, hch@....de,
adrien+dev@...ischi.me, groeck@...omium.org, drosen@...gle.com,
Phillip Lougher <phillip@...ashfs.org.uk>,
Bernd Amend <bernd.amend@...il.com>
Subject: [PATCH] squashfs: fix length field overlap check in metadata reading
This is a regression introduced by the "migrate from ll_rw_block usage
to BIO" patch.
Squashfs packs structures on byte boundaries, and due to that
the length field (of the metadata block) may not be fully in
the current block. The new code rewrote and introduced a faulty
check for that edge case.
Reported-by: Bernd Amend <bernd.amend@...il.com>
Signed-off-by: Phillip Lougher <phillip@...ashfs.org.uk>
---
fs/squashfs/block.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/fs/squashfs/block.c b/fs/squashfs/block.c
index 64f61330564a..76bb1c846845 100644
--- a/fs/squashfs/block.c
+++ b/fs/squashfs/block.c
@@ -175,7 +175,7 @@ int squashfs_read_data(struct super_block *sb, u64 index, int length,
/* Extract the length of the metadata block */
data = page_address(bvec->bv_page) + bvec->bv_offset;
length = data[offset];
- if (offset <= bvec->bv_len - 1) {
+ if (offset < bvec->bv_len - 1) {
length |= data[offset + 1] << 8;
} else {
if (WARN_ON_ONCE(!bio_next_segment(bio, &iter_all))) {
--
2.20.1
Powered by blists - more mailing lists