Skip to content
Permalink
Browse files

Unsquashfs: Fix potential NULL pointer dereference if decompressor no…

…t supported

Earlier today, I received a report that an analysis driven fuzzer
has detected a potential NULL pointer dereference in Unsquashfs, when
a decompressor is not supported.

The cause scenario is as usual a combination of a couple of issues:

1. If Unsquashfs has been compiled without support for a decompressor,
   the corresponding decompression functions will be NULL.

2. If Unsquashfs executing -stat detects the filesystem has
   compression options, *and* the compression options are
   compressed, the code will attempt to dereference
   the NULL pointer pointing to the decompression function.

3. The code checks whether the filesystem compression is supported
   by Unsquashfs, and exits with an error if not.  But, this check is
   deliberately done after the -stat option, because the -stat option
   should be able to stat a filesystem even if the decompressor is
   not supported, as printing the filesystem data should not need
   support for the decompressor.

Obviously, as the compression options are never compressed, the
above scenario is in practice impossible to achieve, unless the
filesystem is corrupted.

This is easy to fix.  In the -stat function, if the decompressor
is not supported, then skip reading and displaying the
compression options. As the decompressor is not supported, there
is no function to display the options anyway.

Reported-By: Sebastian Neef <contact@0day.work>
Signed-off-by: Phillip Lougher <phillip@squashfs.org.uk>
  • Loading branch information...
plougher committed Jun 7, 2019
1 parent a2a2c3e commit 832a7b9971053d4d741c3230f52e97afd250e956
Showing with 14 additions and 9 deletions.
  1. +14 −9 squashfs-tools/unsquashfs.c
@@ -3,7 +3,7 @@
* filesystem.
*
* Copyright (c) 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011,
* 2012, 2013, 2014, 2017
* 2012, 2013, 2014, 2017, 2019
* Phillip Lougher <phillip@squashfs.org.uk>
*
* This program is free software; you can redistribute it and/or
@@ -1669,13 +1669,18 @@ void squashfs_stat(char *source)
char buffer[SQUASHFS_METADATA_SIZE] __attribute__ ((aligned));
int bytes;

bytes = read_block(fd, sizeof(sBlk.s), NULL, 0, buffer);
if(bytes == 0) {
ERROR("Failed to read compressor options\n");
return;
}
if(!comp->supported)
printf("\tCould not display compressor options, because %s compression is not supported\n",
comp->name);
else {
bytes = read_block(fd, sizeof(sBlk.s), NULL, 0, buffer);
if(bytes == 0) {
ERROR("Failed to read compressor options\n");
return;
}

compressor_display_options(comp, buffer, bytes);
compressor_display_options(comp, buffer, bytes);
}
}
}

@@ -2500,8 +2505,8 @@ int parse_number(char *arg, int *res)


#define VERSION() \
printf("unsquashfs version 4.3-git (2017/11/29)\n");\
printf("copyright (C) 2017 Phillip Lougher "\
printf("unsquashfs version 4.3-git (2019/06/07)\n");\
printf("copyright (C) 2019 Phillip Lougher "\
"<phillip@squashfs.org.uk>\n\n");\
printf("This program is free software; you can redistribute it and/or"\
"\n");\

0 comments on commit 832a7b9

Please sign in to comment.
You can’t perform that action at this time.