Message-ID: <20250927015247.957452-1-ekffu200098@gmail.com>
Date: Sat, 27 Sep 2025 10:52:47 +0900
From: Sang-Heon Jeon <ekffu200098@...il.com>
To: phillip@...ashfs.org.uk
Cc: linux-kernel@...r.kernel.org,
	Sang-Heon Jeon <ekffu200098@...il.com>,
	syzbot+f754e01116421e9754b9@...kaller.appspotmail.com,
	Amir Goldstein <amir73il@...il.com>
Subject: [PATCH] squashfs: add sanity check for invalid inode size

Corrupted squashfs images can have negative inode sizes. Add sanity
check to prevent negative inode size.

Reported-by: syzbot+f754e01116421e9754b9@...kaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=f754e01116421e9754b9
Signed-off-by: Sang-Heon Jeon <ekffu200098@...il.com>
Tested-by: syzbot+f754e01116421e9754b9@...kaller.appspotmail.com
Cc: Amir Goldstein <amir73il@...il.com>
---
Special thanks to Amir for his kind analysis [1]. I couldn't find a proper
tag for credit, so I am just cc-ing him. But feel free to add proper credit.

Also, I referred to the method used by erofs, but I might be wrong; please let
me know about that. Thanks for your consideration.

[1] https://lore.kernel.org/all/CAOQ4uxgkpi4v3NTSTq5GGJEceHHi97iY4rtsAJuo5c-yxu-Bzg@mail.gmail.com/
---
 fs/squashfs/inode.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/fs/squashfs/inode.c b/fs/squashfs/inode.c
index ddc65d006063..148cd75f5bd7 100644
--- a/fs/squashfs/inode.c
+++ b/fs/squashfs/inode.c
@@ -426,6 +426,12 @@ int squashfs_read_inode(struct inode *inode, long long ino)
 		return -EINVAL;
 	}
 
+	if (unlikely(inode->i_size < 0)) {
+		ERROR("Negative i_size %lld inode 0x%llx\n",
+			inode->i_size, ino);
+		return -EINVAL;
+	}
+
 	if (xattr_id != SQUASHFS_INVALID_XATTR && msblk->xattr_id_table) {
 		err = squashfs_xattr_lookup(sb, xattr_id,
 					&squashfs_i(inode)->xattr_count,
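Review bot: The new `if (unlikely(inode->i_size < 0))` test, placed just before the xattr lookup, is not explained anywhere a later reader will find it: the commit message says only that corrupted images "can have negative inode sizes", without naming the inode type or on-disk field that yields the negative value or the failure syzbot hit when such an inode is accepted. A sentence in the commit message and a one-line comment above the check would cover that. The check also rejects only the negative case, so it is worth stating whether very large positive sizes from a corrupted image are bounded elsewhere. Minor: the hunk header shows `ino` declared as `long long`, while the error message prints it with `%llx`, which takes an unsigned argument; a cast to `unsigned long long` would match the format.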
-- 
2.43.0

