when the length passed in is 0, the subsequent process should be exited.
Reported-by: syzbot+32d3767580a1ea339a81@syzkaller.appspotmail.com
Signed-off-by: Lizhi Xu <lizhi.xu@windriver.com>
---
fs/squashfs/block.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/fs/squashfs/block.c b/fs/squashfs/block.c
index 581ce9519339..2dc730800f44 100644
--- a/fs/squashfs/block.c
+++ b/fs/squashfs/block.c
@@ -321,7 +321,7 @@ int squashfs_read_data(struct super_block *sb, u64 index, int length,
TRACE("Block @ 0x%llx, %scompressed size %d\n", index - 2,
compressed ? "" : "un", length);
}
- if (length < 0 || length > output->length ||
+ if (length <= 0 || length > output->length ||
(index + length) > msblk->bytes_used) {
res = -EIO;
goto out;
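Review bot: The new `length <= 0` test carries no comment, and the changelog gives no runtime effect, so a reader cannot tell what a zero length would break in the code after this check. A short comment above the `if` saying why zero is invalid at this point, plus a changelog line describing the failure syzbot reported, would make the fix reviewable and easier to backport. The check sits after the closing brace of the preceding block, so it applies to whichever path set `length`; it is worth confirming that no caller legitimately arrives here with a zero-length block, since that case now returns -EIO.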
--
2.25.1
On Thu, 16 Nov 2023 11:13:52 +0800 Lizhi Xu <lizhi.xu@windriver.com> wrote:

> when the length passed in is 0, the subsequent process should be exited.

Thanks, but when fixing a bug, please always describe the runtime
effects of that bug. Amongst other things, other people need this
information to be able to decide which kernel versions need patching.

> Reported-by: syzbot+32d3767580a1ea339a81@syzkaller.appspotmail.com

Which is a reason why we're now adding the "Closes:" tag after
Reported-by:.

I googled the syzbot email address and so added

Closes: https://lkml.kernel.org/r/0000000000000526f2060a30a085@google.com

to the changelog.

I'll assume that a -stable kernel backport is needed.

On 16/11/2023 21:43, Andrew Morton wrote:
> On Thu, 16 Nov 2023 11:13:52 +0800 Lizhi Xu <lizhi.xu@windriver.com> wrote:
>
>> when the length passed in is 0, the subsequent process should be exited.
>
> Thanks, but when fixing a bug, please always describe the runtime
> effects of that bug. Amongst other things, other people need this
> information to be able to decide which kernel versions need patching.
>
>> Reported-by: syzbot+32d3767580a1ea339a81@syzkaller.appspotmail.com
>
> Which is a reason why we're now adding the "Closes:" tag after
> Reported-by:.

Which is also one reason why you should always run scripts/checkpatch.pl
on your patch. This alerted me to the need for a "Closes:" tag after
Reported-by: on the last patch I sent.

>
> I googled the syzbot email address and so added
>
> Closes: https://lkml.kernel.org/r/0000000000000526f2060a30a085@google.com
>
> to the changelog.

Thanks. That is indeed the syzbot issue that the patch fixes.

>
> I'll assume that a -stable kernel backport is needed.
>

Yes.

Phillip

> On 16/11/2023 03:13 GMT Lizhi Xu <lizhi.xu@windriver.com> wrote:
>
>
> when the length passed in is 0, the subsequent process should be exited.
>
Reproduced and tested.
Reviewed-by: Phillip Lougher (phillip@squashfs.org.uk)
> Reported-by: syzbot+32d3767580a1ea339a81@syzkaller.appspotmail.com
> Signed-off-by: Lizhi Xu <lizhi.xu@windriver.com>
> ---
> fs/squashfs/block.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/fs/squashfs/block.c b/fs/squashfs/block.c
> index 581ce9519339..2dc730800f44 100644
> --- a/fs/squashfs/block.c
> +++ b/fs/squashfs/block.c
> @@ -321,7 +321,7 @@ int squashfs_read_data(struct super_block *sb, u64 index, int length,
> TRACE("Block @ 0x%llx, %scompressed size %d\n", index - 2,
> compressed ? "" : "un", length);
> }
> - if (length < 0 || length > output->length ||
> + if (length <= 0 || length > output->length ||
> (index + length) > msblk->bytes_used) {
> res = -EIO;
> goto out;
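Review bot: The third clause, `(index + length) > msblk->bytes_used`, adds an `int` length to a `u64` index, so unless index is already bounded earlier in squashfs_read_data() the sum can wrap and a very large index would pass this test. With `length <= 0` now guaranteeing a positive length by the time this clause is evaluated, consider checking index against msblk->bytes_used first and then length against the bytes that remain, so that no addition is needed.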
> --
> 2.25.1