Squashfs: sanity check symbolic link size
[ Upstream commit 810ee43d9cd245d138a2733d87a24858a23f577d ]
Syzkiller reports a "KMSAN: uninit-value in pick_link" bug.
This is caused by an uninitialised page, which is ultimately caused
by a corrupted symbolic link size read from disk.
The reason why the corrupted symlink size causes an uninitialised
page is due to the following sequence of events:
1. squashfs_read_inode() is called to read the symbolic
link from disk. This assigns the corrupted value
3875536935 to inode->i_size.
2. Later squashfs_symlink_read_folio() is called, which assigns
this corrupted value to the length variable, which being a
signed int, overflows producing a negative number.
3. The following loop that fills in the page contents checks that
the copied bytes is less than length, which being negative means
the loop is skipped, producing an uninitialised page.
This patch adds a sanity check which checks that the symbolic
link size is not larger than expected.
--
BUG=b/370702211
TEST=presubmit
RELEASE_NOTE=Fixed CVE-2024-46744 in the Linux kernel.
cos-patch: security-high
Change-Id: I9f5cd2e16fdec56f531284226bf352e274b3cd7d
Signed-off-by: Phillip Lougher <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Reported-by: Lizhi Xu <[email protected]>
Reported-by: [email protected]
Closes: https://lore.kernel.org/all/[email protected]/
V2: fix spelling mistake.
Signed-off-by: Christian Brauner <[email protected]>
Signed-off-by: Sasha Levin <[email protected]>
Signed-off-by: Kernel CVE Triage Automation <[email protected]>
Reviewed-on: https://cos-review.googlesource.com/c/third_party/kernel/+/82543
Reviewed-by: Arnav Kansal <[email protected]>
Reviewed-by: Oleksandr Tymoshenko <[email protected]>
Tested-by: Cusky Presubmit Bot <[email protected]>
1 file changed
