plougher/squashfs-tools

Latest commit

The kernel syzbot exploit
[syzbot] [squashfs?] KASAN: slab-out-of-bounds Write in squashfs_readahead
https://lore.kernel.org/all/0000000000009ea81a05f909a529@google.com/

contains a filesystem which causes Mksquashfs to SegV reading the
xattr metadata when appending.  This will also cause Unsquashfs to
SegV when reading the xattr metadata, however, because Unsquashfs
only reads the corrupted xattr metadata when writing the xattrs to
the output filesystem, it discovers and aborts on another filesystem
corruption issue before this happens.

Reading the entire xattr metadata is done first by Mksquashfs when
appending which is why it hits this filesystem corruption first.

The SegV is caused by a corrupted xattrs_id[i].count, which is much
larger than it should be.  This causes the code to run past the end
of the decompressed xattr metadata buffer.

This patch fixes this by checking that the code doesn't run past the
end of the buffer.  In doing so it sanity checks xattrs_id[i].count,
and the values of entry.size and val.vsize when reading the
xattr metadata.

Signed-off-by: Phillip Lougher <phillip@squashfs.org.uk>
c5a8619
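
The commit message above describes bounding a walk over xattr records by the size of the decompressed buffer. The following is an added example, not code from squashfs-tools: the function name `xattr_walk_checked`, the simplified record layout and the sample bytes are assumptions made for illustration, modelled on the `count`, `entry.size` and `val.vsize` fields the message names.

```c
#include <stdint.h>
#include <stdio.h>
#include <stddef.h>

/* Assumed record layout (little-endian), repeated `count` times:
 * u16 type, u16 size, `size` name bytes, u32 vsize, `vsize` value bytes. */
static uint32_t rd_le(const uint8_t *p, int n)
{
    uint32_t v = 0;
    for (int i = n - 1; i >= 0; i--)
        v = (v << 8) | p[i];
    return v;
}

/* Constructed sample: one record, name "user.a", value "hi" (16 bytes). */
static const uint8_t sample[] = {
    0x00, 0x00, 0x06, 0x00, 'u', 's', 'e', 'r', '.', 'a',
    0x02, 0x00, 0x00, 0x00, 'h', 'i'
};

/* Returns 0 if all `count` records lie inside buf[0..len), else -1. */
int xattr_walk_checked(const uint8_t *buf, size_t len, uint32_t count)
{
    size_t off = 0;                      /* invariant: off <= len */
    for (uint32_t i = 0; i < count; i++) {
        /* Compare against the space left (len - off), not off + n > len,
         * so an oversized field cannot wrap the arithmetic. */
        if (len - off < 4)
            return -1;                   /* entry header truncated */
        size_t name_len = rd_le(buf + off + 2, 2);
        off += 4;
        if (len - off < name_len)
            return -1;                   /* entry.size too large */
        off += name_len;
        if (len - off < 4)
            return -1;                   /* value header truncated */
        size_t val_len = rd_le(buf + off, 4);
        off += 4;
        if (len - off < val_len)
            return -1;                   /* val.vsize too large */
        off += val_len;
    }
    return 0;
}

int main(void)
{
    printf("%d %d\n", xattr_walk_checked(sample, sizeof sample, 1), xattr_walk_checked(sample, sizeof sample, 1000000));
}
```

A `count` larger than the number of records actually present is rejected on the first iteration that finds no room for a header, so the loop never dereferences past the buffer regardless of how large the corrupted value is.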

NEWS
----

Squashfs-tools 4.6.1 released (25th March 2023)

If you like the recent releases please "star" the
project.  It will be nice to get 512 stars or
more.

Thanks