From: Greg Kroah-Hartman Date: Mon, 10 Mar 2025 08:00:49 +0000 (+0100) Subject: 5.15-stable patches X-Git-Tag: v5.4.291~68 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=fc4bf14fc36a08da5befc245b4fe6cf86b32b099;p=thirdparty%2Fkernel%2Fstable-queue.git 5.15-stable patches added patches: squashfs-check-the-inode-number-is-not-the-invalid-value-of-zero.patch --- diff --git a/queue-5.15/squashfs-check-the-inode-number-is-not-the-invalid-value-of-zero.patch b/queue-5.15/squashfs-check-the-inode-number-is-not-the-invalid-value-of-zero.patch new file mode 100644 index 0000000000..1bd1864095 --- /dev/null +++ b/queue-5.15/squashfs-check-the-inode-number-is-not-the-invalid-value-of-zero.patch 
@@ -0,0 +1,69 @@ +From 5b99dea79650b50909c50aba24fbae00f203f013 Mon Sep 17 00:00:00 2001 +From: Phillip Lougher +Date: Mon, 8 Apr 2024 23:02:06 +0100 +Subject: Squashfs: check the inode number is not the invalid value of zero + +From: Phillip Lougher + +commit 9253c54e01b6505d348afbc02abaa4d9f8a01395 upstream. + +Syskiller has produced an out of bounds access in fill_meta_index(). + +That out of bounds access is ultimately caused because the inode +has an inode number with the invalid value of zero, which was not checked. + +The reason this causes the out of bounds access is due to following +sequence of events: + +1. Fill_meta_index() is called to allocate (via empty_meta_index()) + and fill a metadata index. It however suffers a data read error + and aborts, invalidating the newly returned empty metadata index. + It does this by setting the inode number of the index to zero, + which means unused (zero is not a valid inode number). + +2. When fill_meta_index() is subsequently called again on another + read operation, locate_meta_index() returns the previous index + because it matches the inode number of 0. Because this index + has been returned it is expected to have been filled, and because + it hasn't been, an out of bounds access is performed. + +This patch adds a sanity check which checks that the inode number +is not zero when the inode is created and returns -EINVAL if it is. 
+ +[phillip@squashfs.org.uk: whitespace fix] + Link: https://lkml.kernel.org/r/20240409204723.446925-1-phillip@squashfs.org.uk +Link: https://lkml.kernel.org/r/20240408220206.435788-1-phillip@squashfs.org.uk +Signed-off-by: Phillip Lougher +Reported-by: "Ubisectech Sirius" +Closes: https://lore.kernel.org/lkml/87f5c007-b8a5-41ae-8b57-431e924c5915.bugreport@ubisectech.com/ +Cc: Christian Brauner +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Xiangyu Chen +Signed-off-by: He Zhe +Signed-off-by: Greg Kroah-Hartman +--- + fs/squashfs/inode.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/fs/squashfs/inode.c ++++ b/fs/squashfs/inode.c +@@ -48,6 +48,10 @@ static int squashfs_new_inode(struct sup + gid_t i_gid; + int err; + ++ inode->i_ino = le32_to_cpu(sqsh_ino->inode_number); ++ if (inode->i_ino == 0) ++ return -EINVAL; ++ + err = squashfs_get_id(sb, le16_to_cpu(sqsh_ino->uid), &i_uid); + if (err) + return err; +@@ -58,7 +62,6 @@ static int squashfs_new_inode(struct sup + + i_uid_write(inode, i_uid); + i_gid_write(inode, i_gid); +- inode->i_ino = le32_to_cpu(sqsh_ino->inode_number); + inode->i_mtime.tv_sec = le32_to_cpu(sqsh_ino->mtime); + inode->i_atime.tv_sec = inode->i_mtime.tv_sec; + inode->i_ctime.tv_sec = inode->i_mtime.tv_sec;
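Review bot: In the first hunk, the new check `if (inode->i_ino == 0) return -EINVAL;` only rejects the single value the description identifies as the "unused" marker written by fill_meta_index(); the underlying weakness, that locate_meta_index() will hand back an invalidated index whose inode number has been zeroed, is addressed only indirectly by refusing to create such inodes. Consider a short comment above the check saying that zero is reserved as the unused marker in the metadata index code, so the coupling between inode.c and the index handling stays visible, and consider a companion change making locate_meta_index() skip entries with an inode number of zero so a zeroed index can never match regardless of how it was reached. Placing the check before squashfs_get_id() is right: nothing has been acquired yet, so the bare return needs no cleanup.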
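Review bot: The deletion of `inode->i_ino = le32_to_cpu(sqsh_ino->inode_number);` in the second hunk is a pure relocation of the assignment to the top of the function, which is consistent with the first hunk, but the description only mentions adding the check and says nothing about moving the assignment. A sentence in the commit message noting that i_ino is now set before the uid/gid lookups, and therefore remains set on the partially initialised inode when squashfs_get_id() fails and the function returns err, would make the backport easier to audit.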