| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <f63d8d11-2254-4fc3-9292-9a43a93b374e@I-love.SAKURA.ne.jp>
Date: Wed, 13 Aug 2025 16:17:43 +0900
From: Tetsuo Handa <penguin-kernel@...ove.SAKURA.ne.jp>
To: Phillip Lougher <phillip@...ashfs.org.uk>,
Andrew Morton <akpm@...ux-foundation.org>,
LKML <linux-kernel@...r.kernel.org>
Subject: [PATCH] squashfs: Verify inode mode when loading from disk
The inode mode loaded from corrupted disk might by error contain the file
type bits. Since the file type bits are set by squashfs_read_inode() using
bitwise OR, the file type bits must not be set by squashfs_new_inode() from
squashfs_read_inode(); otherwise, an invalid file type bits later confuses
may_open().
Reported-by: syzbot <syzbot+895c23f6917da440ed0d@...kaller.appspotmail.com>
Closes: https://syzkaller.appspot.com/bug?extid=895c23f6917da440ed0d
Signed-off-by: Tetsuo Handa <penguin-kernel@...ove.SAKURA.ne.jp>
---
fs/squashfs/inode.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/fs/squashfs/inode.c b/fs/squashfs/inode.c
index d5918eba27e3..dee8fa016930 100644
--- a/fs/squashfs/inode.c
+++ b/fs/squashfs/inode.c
@@ -68,6 +68,10 @@ static int squashfs_new_inode(struct super_block *sb, struct inode *inode,
inode->i_mode = le16_to_cpu(sqsh_ino->mode);
inode->i_size = 0;
+ /* File type must not be set at this moment, for it will later be set by the caller. */
+ if (inode->i_mode & S_IFMT)
+ err = -EIO;
+
return err;
}
--
2.50.1
Powered by blists - more mailing lists