From: Greg Kroah-Hartman Date: Sat, 27 Mar 2021 14:13:20 +0000 (+0100) Subject: 4.9-stable patches X-Git-Tag: v5.11.11~65 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=37adf6e8d7e4feb0e5d5cae71da6a57a693f4cbb;p=thirdparty%2Fkernel%2Fstable-queue.git 4.9-stable patches added patches: squashfs-fix-inode-lookup-sanity-checks.patch squashfs-fix-xattr-id-and-id-lookup-sanity-checks.patch --- diff --git a/queue-4.9/series b/queue-4.9/series index a06f8dd7b9e..55bfaf4b71d 100644 --- a/queue-4.9/series +++ b/queue-4.9/series @@ -15,3 +15,5 @@ nfs-we-don-t-support-removing-system.nfs4_acl.patch ia64-fix-ia64_syscall_get_set_arguments-for-break-ba.patch ia64-fix-ptrace-ptrace_syscall_info_exit-sign.patch x86-tlb-flush-global-mappings-when-kaiser-is-disable.patch +squashfs-fix-inode-lookup-sanity-checks.patch +squashfs-fix-xattr-id-and-id-lookup-sanity-checks.patch diff --git a/queue-4.9/squashfs-fix-inode-lookup-sanity-checks.patch b/queue-4.9/squashfs-fix-inode-lookup-sanity-checks.patch new file mode 100644 index 00000000000..d0281c266a8 --- /dev/null +++ b/queue-4.9/squashfs-fix-inode-lookup-sanity-checks.patch @@ -0,0 +1,61 @@ +From c1b2028315c6b15e8d6725e0d5884b15887d3daa Mon Sep 17 00:00:00 2001 +From: Sean Nyekjaer +Date: Wed, 24 Mar 2021 21:37:32 -0700 +Subject: squashfs: fix inode lookup sanity checks + +From: Sean Nyekjaer + +commit c1b2028315c6b15e8d6725e0d5884b15887d3daa upstream. + +When mouting a squashfs image created without inode compression it fails +with: "unable to read inode lookup table" + +It turns out that the BLOCK_OFFSET is missing when checking the +SQUASHFS_METADATA_SIZE agaist the actual size. + +Link: https://lkml.kernel.org/r/20210226092903.1473545-1-sean@geanix.com +Fixes: eabac19e40c0 ("squashfs: add more sanity checks in inode lookup") +Signed-off-by: Sean Nyekjaer +Acked-by: Phillip Lougher +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman +--- + fs/squashfs/export.c | 8 ++++++-- + fs/squashfs/squashfs_fs.h | 1 + + 2 files changed, 7 insertions(+), 2 deletions(-) + +--- a/fs/squashfs/export.c ++++ b/fs/squashfs/export.c +@@ -165,14 +165,18 @@ __le64 *squashfs_read_inode_lookup_table + start = le64_to_cpu(table[n]); + end = le64_to_cpu(table[n + 1]); + +- if (start >= end || (end - start) > SQUASHFS_METADATA_SIZE) { ++ if (start >= end ++ || (end - start) > ++ (SQUASHFS_METADATA_SIZE + SQUASHFS_BLOCK_OFFSET)) { + kfree(table); + return ERR_PTR(-EINVAL); + } + } + + start = le64_to_cpu(table[indexes - 1]); +- if (start >= lookup_table_start || (lookup_table_start - start) > SQUASHFS_METADATA_SIZE) { ++ if (start >= lookup_table_start || ++ (lookup_table_start - start) > ++ (SQUASHFS_METADATA_SIZE + SQUASHFS_BLOCK_OFFSET)) { + kfree(table); + return ERR_PTR(-EINVAL); + } +--- a/fs/squashfs/squashfs_fs.h ++++ b/fs/squashfs/squashfs_fs.h +@@ -30,6 +30,7 @@ + + /* size of metadata (inode and directory) blocks */ + #define SQUASHFS_METADATA_SIZE 8192 ++#define SQUASHFS_BLOCK_OFFSET 2 + + /* default size of block device I/O */ + #ifdef CONFIG_SQUASHFS_4K_DEVBLK_SIZE diff --git a/queue-4.9/squashfs-fix-xattr-id-and-id-lookup-sanity-checks.patch b/queue-4.9/squashfs-fix-xattr-id-and-id-lookup-sanity-checks.patch new file mode 100644 index 00000000000..ffa75b647d5 --- /dev/null +++ b/queue-4.9/squashfs-fix-xattr-id-and-id-lookup-sanity-checks.patch @@ -0,0 +1,67 @@ +From 8b44ca2b634527151af07447a8090a5f3a043321 Mon Sep 17 00:00:00 2001 +From: Phillip Lougher +Date: Wed, 24 Mar 2021 21:37:35 -0700 +Subject: squashfs: fix xattr id and id lookup sanity checks + +From: Phillip Lougher + +commit 8b44ca2b634527151af07447a8090a5f3a043321 upstream. + +The checks for maximum metadata block size is missing +SQUASHFS_BLOCK_OFFSET (the two byte length count). + +Link: https://lkml.kernel.org/r/2069685113.2081245.1614583677427@webmail.123-reg.co.uk +Fixes: f37aa4c7366e23f ("squashfs: add more sanity checks in id lookup") +Signed-off-by: Phillip Lougher +Cc: Sean Nyekjaer +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman +--- + fs/squashfs/id.c | 6 ++++-- + fs/squashfs/xattr_id.c | 6 ++++-- + 2 files changed, 8 insertions(+), 4 deletions(-) + +--- a/fs/squashfs/id.c ++++ b/fs/squashfs/id.c +@@ -110,14 +110,16 @@ __le64 *squashfs_read_id_index_table(str + start = le64_to_cpu(table[n]); + end = le64_to_cpu(table[n + 1]); + +- if (start >= end || (end - start) > SQUASHFS_METADATA_SIZE) { ++ if (start >= end || (end - start) > ++ (SQUASHFS_METADATA_SIZE + SQUASHFS_BLOCK_OFFSET)) { + kfree(table); + return ERR_PTR(-EINVAL); + } + } + + start = le64_to_cpu(table[indexes - 1]); +- if (start >= id_table_start || (id_table_start - start) > SQUASHFS_METADATA_SIZE) { ++ if (start >= id_table_start || (id_table_start - start) > ++ (SQUASHFS_METADATA_SIZE + SQUASHFS_BLOCK_OFFSET)) { + kfree(table); + return ERR_PTR(-EINVAL); + } +--- a/fs/squashfs/xattr_id.c ++++ b/fs/squashfs/xattr_id.c +@@ -122,14 +122,16 @@ __le64 *squashfs_read_xattr_id_table(str + start = le64_to_cpu(table[n]); + end = le64_to_cpu(table[n + 1]); + +- if (start >= end || (end - start) > SQUASHFS_METADATA_SIZE) { ++ if (start >= end || (end - start) > ++ (SQUASHFS_METADATA_SIZE + SQUASHFS_BLOCK_OFFSET)) { + kfree(table); + return ERR_PTR(-EINVAL); + } + } + + start = le64_to_cpu(table[indexes - 1]); +- if (start >= table_start || (table_start - start) > SQUASHFS_METADATA_SIZE) { ++ if (start >= table_start || (table_start - start) > ++ (SQUASHFS_METADATA_SIZE + SQUASHFS_BLOCK_OFFSET)) { + kfree(table); + return ERR_PTR(-EINVAL); + }