diff options
| author | Linus Torvalds <torvalds@linux-foundation.org> | 2018-08-02 08:43:35 -0700 |
|---|---|---|
| committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2018-08-06 16:23:03 +0200 |
| commit | 52cd8f3790cf1e71b6b38b63735042a014a3ff8a (patch) | |
| tree | 2cb74a6e898b42afeb3171ae986ed6abb34179ca /fs/squashfs/squashfs_fs_sb.h | |
| parent | 3abef06039cb43e0fe44f3714969af0b9a744dc5 (diff) | |
squashfs: more metadata hardenings
commit 71755ee5350b63fb1f283de8561cdb61b47f4d1d upstream.
The squashfs fragment reading code doesn't actually verify that the
fragment is inside the fragment table. The end result _is_ verified to
be inside the image when actually reading the fragment data, but before
that is done, we may end up taking a page fault because the fragment
table itself might not even exist.
Another report from Anatoly and his endless squashfs image fuzzing.
Reported-by: Анатолий Тросиненко <anatoly.trosinenko@gmail.com>
Acked-by:: Phillip Lougher <phillip.lougher@gmail.com>,
Cc: Willy Tarreau <w@1wt.eu>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Diffstat (limited to 'fs/squashfs/squashfs_fs_sb.h')
| -rw-r--r-- | fs/squashfs/squashfs_fs_sb.h | 1 |
1 files changed, 1 insertions, 0 deletions
diff --git a/fs/squashfs/squashfs_fs_sb.h b/fs/squashfs/squashfs_fs_sb.h index 1da565cb50c3..ef69c31947bf 100644 --- a/fs/squashfs/squashfs_fs_sb.h +++ b/fs/squashfs/squashfs_fs_sb.h @@ -75,6 +75,7 @@ struct squashfs_sb_info { unsigned short block_log; long long bytes_used; unsigned int inodes; + unsigned int fragments; int xattr_ids; }; #endif |