git.proxmox.com Git - mirror_ubuntu-bionic-kernel.git/commit

squashfs: more metadata hardening

BugLink: https://bugs.launchpad.net/bugs/1816756
The squashfs fragment reading code doesn't actually verify that the
fragment is inside the fragment table. The end result _is_ verified to
be inside the image when actually reading the fragment data, but before
that is done, we may end up taking a page fault because the fragment
table itself might not even exist.

Another report from Anatoly and his endless squashfs image fuzzing.

Reported-by: Анатолий Тросиненко <anatoly.trosinenko@gmail.com>
Acked-by:: Phillip Lougher <phillip.lougher@gmail.com>,
Cc: Willy Tarreau <w@1wt.eu>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
(cherry picked from commit 71755ee5350b63fb1f283de8561cdb61b47f4d1d)
Signed-off-by: Paolo Pisati <paolo.pisati@canonical.com>
Acked-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
Acked-by: Tyler Hicks <tyhicks@canonical.com>
Signed-off-by: Khalid Elmously <khalid.elmously@canonical.com>

author	Linus Torvalds <torvalds@linux-foundation.org>
	Tue, 19 Feb 2019 14:23:28 +0000 (15:23 +0100)
committer	Khalid Elmously <khalid.elmously@canonical.com>
	Mon, 4 Mar 2019 02:29:14 +0000 (21:29 -0500)
commit	02bf3b74f4fa04f565d4546cd0d67bfa580f4696
tree	02b2a303d72ceffa3a143f3666d2ee939c8e9946	tree
parent	83f74925adec08691d31d200169d87163cf85ba2	commit \| diff

fs/squashfs/fragment.c		diff \| blob \| blame \| history
fs/squashfs/squashfs_fs_sb.h		diff \| blob \| blame \| history
fs/squashfs/super.c		diff \| blob \| blame \| history