lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-Id: <20210507152618.9447-1-phillip@squashfs.org.uk>
Date:   Fri,  7 May 2021 16:26:18 +0100
From:   Phillip Lougher <phillip@...ashfs.org.uk>
To:     linux-kernel@...r.kernel.org, akpm@...ux-foundation.org
Subject: [PATCH] squashfs: fix divide error in calculate_skip()

Sysbot has reported a "divide error" which has been
identified as being caused by a corrupted file_size
value within the file inode.  This value has been
corrupted to a much larger value than expected.

Calculate_skip() is passed i_size_read(inode) >> msblk->block_log.
Due to the file_size value corruption this overflows
the int argument/variable in that function, leading
to the divide error.

This patch changes the function to use u64.  This will
accommodate any unexpectedly large values due to
corruption.

The value returned from calculate_skip() is clamped to
be never more than SQUASHFS_CACHED_BLKS - 1, or 7.
So file_size corruption does not lead to an unexpectedly
large return result here.

Signed-off-by: Phillip Lougher <phillip@...ashfs.org.uk>
Reported-by: syzbot+e8f781243ce16ac2f962@...kaller.appspotmail.com
Reported-by: syzbot+7b98870d4fec9447b951@...kaller.appspotmail.com
Cc: <stable@...r.kernel.org>
---
 fs/squashfs/file.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/fs/squashfs/file.c b/fs/squashfs/file.c
index 7b1128398976..89d492916dea 100644
--- a/fs/squashfs/file.c
+++ b/fs/squashfs/file.c
@@ -211,11 +211,11 @@ static long long read_indexes(struct super_block *sb, int n,
  * If the skip factor is limited in this way then the file will use multiple
  * slots.
  */
-static inline int calculate_skip(int blocks)
+static inline int calculate_skip(u64 blocks)
 {
-	int skip = blocks / ((SQUASHFS_META_ENTRIES + 1)
+	u64 skip = blocks / ((SQUASHFS_META_ENTRIES + 1)
 		 * SQUASHFS_META_INDEXES);
-	return min(SQUASHFS_CACHED_BLKS - 1, skip + 1);
+	return min((u64) SQUASHFS_CACHED_BLKS - 1, skip + 1);
 }
 
 
-- 
2.31.1

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ