[<prev] [next>] [day] [month] [year] [list]
Message-Id: <20210507152618.9447-1-phillip@squashfs.org.uk>
Date: Fri, 7 May 2021 16:26:18 +0100
From: Phillip Lougher <phillip@...ashfs.org.uk>
To: linux-kernel@...r.kernel.org, akpm@...ux-foundation.org
Subject: [PATCH] squashfs: fix divide error in calculate_skip()
Sysbot has reported a "divide error" which has been
identified as being caused by a corrupted file_size
value within the file inode. This value has been
corrupted to a much larger value than expected.
Calculate_skip() is passed i_size_read(inode) >> msblk->block_log.
Due to the file_size value corruption this overflows
the int argument/variable in that function, leading
to the divide error.
This patch changes the function to use u64. This will
accommodate any unexpectedly large values due to
corruption.
The value returned from calculate_skip() is clamped to
be never more than SQUASHFS_CACHED_BLKS - 1, or 7.
So file_size corruption does not lead to an unexpectedly
large return result here.
Signed-off-by: Phillip Lougher <phillip@...ashfs.org.uk>
Reported-by: syzbot+e8f781243ce16ac2f962@...kaller.appspotmail.com
Reported-by: syzbot+7b98870d4fec9447b951@...kaller.appspotmail.com
Cc: <stable@...r.kernel.org>
---
fs/squashfs/file.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/fs/squashfs/file.c b/fs/squashfs/file.c
index 7b1128398976..89d492916dea 100644
--- a/fs/squashfs/file.c
+++ b/fs/squashfs/file.c
@@ -211,11 +211,11 @@ static long long read_indexes(struct super_block *sb, int n,
* If the skip factor is limited in this way then the file will use multiple
* slots.
*/
-static inline int calculate_skip(int blocks)
+static inline int calculate_skip(u64 blocks)
{
- int skip = blocks / ((SQUASHFS_META_ENTRIES + 1)
+ u64 skip = blocks / ((SQUASHFS_META_ENTRIES + 1)
* SQUASHFS_META_INDEXES);
- return min(SQUASHFS_CACHED_BLKS - 1, skip + 1);
+ return min((u64) SQUASHFS_CACHED_BLKS - 1, skip + 1);
}
--
2.31.1
Powered by blists - more mailing lists