From: Phillip Lougher
To: linux-kernel@vger.kernel.org, akpm@linux-foundation.org
Cc: Phillip Lougher, "Lai, Yi"
Subject: [PATCH] Squashfs: Fix variable overflow in squashfs_readpage_block
Date: Mon, 21 Oct 2024 00:22:00 +0100
Message-Id: <20241020232200.837231-1-phillip@squashfs.org.uk>
X-Mailer: git-send-email 2.39.2
X-Mailing-List: linux-kernel@vger.kernel.org
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"

Syzbot reports a slab out-of-bounds access in squashfs_readpage_block().

This is caused by an attempt to read page index 0x2000000000. This value (start_index) is stored in an integer loop variable which overflows, producing a value of 0. This causes a loop which iterates over pages start_index -> end_index to iterate over 0 -> end_index, which ultimately causes an out-of-bounds page array access.

Fix by changing the variable to a loff_t, and rename it to index to make it clearer it is a page index and not a loop count.

Signed-off-by: Phillip Lougher
Reported-by: "Lai, Yi"
Closes: https://lore.kernel.org/all/ZwzcnCAosIPqQ9Ie@ly-workstation/
---
 fs/squashfs/file_direct.c | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/fs/squashfs/file_direct.c b/fs/squashfs/file_direct.c
index 22251743fadf..d19d4db74af8 100644
--- a/fs/squashfs/file_direct.c
+++ b/fs/squashfs/file_direct.c
@@ -30,7 +30,8 @@ int squashfs_readpage_block(struct page *target_page, u64= block, int bsize, int mask =3D (1 << (msblk->block_log - PAGE_SHIFT)) - 1; loff_t start_index =3D folio->index & ~mask; loff_t end_index =3D start_index | mask; - int i, n, pages, bytes, res =3D -ENOMEM; + loff_t index; + int i, pages, bytes, res =3D -ENOMEM; struct page **page, *last_page; struct squashfs_page_actor *actor; void *pageaddr; @@ -45,9 +46,9 @@ int squashfs_readpage_block(struct page *target_page, u64= block, int bsize, return res; =20 /* Try to grab all the pages covered by the Squashfs block */ - for (i =3D 0, n =3D start_index; n <=3D end_index; n++) { - page[i] =3D (n =3D=3D folio->index) ? target_page : - grab_cache_page_nowait(target_page->mapping, n); + for (i =3D 0, index =3D start_index; index <=3D end_index; index++) { + page[i] =3D (index =3D=3D folio->index) ? target_page : + grab_cache_page_nowait(target_page->mapping, index); =20 if (page[i] =3D=3D NULL) continue; --=20 2.39.2
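Review bot: the rewritten loop in the second hunk still has no guard tying `i` to `pages`; it terminates only on `index <= end_index`, so `page[i]` stays in bounds solely because `end_index - start_index` equals `mask`. Since that is exactly the invariant the truncated `int n` broke, consider adding `if (i >= pages) break;` (or a `WARN_ON_ONCE`) before the `page[i] =` assignment so a future change to how `start_index`/`end_index` are computed fails loudly instead of overrunning the slab allocation. Also, the commit message carries no `Fixes:` tag and no `Cc: stable@vger.kernel.org`, which a syzbot-reported out-of-bounds fix would normally have for backporting.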
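As an added illustration that is not part of the patch or of the Squashfs code, the C model below reproduces the overflow the commit message describes: the same mask/start_index/end_index arithmetic driven once by a 32-bit loop counter and once by a loff_t, reporting whether the page[] writes stay within the allocated slots. The page size, block size and the `grabbed_pages` helper are assumptions made for the demonstration.

```c
#include <stdio.h>

/* Stand-ins for kernel types and constants; the values are assumptions
 * for this illustration, not taken from the patch. */
typedef long long kloff_t;   /* models the kernel's loff_t (signed 64-bit) */
#define PAGE_SHIFT 12        /* 4 KiB pages */
#define BLOCK_LOG  17        /* 128 KiB Squashfs block => 32 pages per block */

/*
 * Model of the page-grabbing loop in squashfs_readpage_block().
 * use_int_counter = 1 models the pre-fix loop variable "int n",
 * use_int_counter = 0 models the fixed "loff_t index".
 * Returns the number of page[] slots written when the loop finishes
 * within the `pages` slots that were allocated, or -1 if the next
 * write would land past the end of page[] (the reported slab OOB).
 */
static int grabbed_pages(unsigned long long folio_index, int use_int_counter)
{
    int mask = (1 << (BLOCK_LOG - PAGE_SHIFT)) - 1;
    kloff_t start_index = folio_index & ~mask;   /* ~mask sign-extends, as in the kernel */
    kloff_t end_index = start_index | mask;
    int pages = mask + 1;                        /* slots in page[] */
    int i = 0;
    kloff_t index = start_index;
    int n = (int)start_index;  /* the bug: 0x2000000000 truncates to 0 */

    for (;;) {
        kloff_t cur = use_int_counter ? (kloff_t)n : index;
        if (cur > end_index)
            break;                               /* loop condition fails: done */
        if (i >= pages)
            return -1;                           /* page[i] would be out of bounds */
        i++;                                     /* stands for page[i] = grab...() */
        index++;
        n++;
    }
    return i;
}

int main(void)
{
    printf("small index, int counter:   %d\n", grabbed_pages(0x1234ULL, 1));
    printf("0x2000000000, int counter:  %d\n", grabbed_pages(0x2000000000ULL, 1));
    printf("0x2000000000, loff_t index: %d\n", grabbed_pages(0x2000000000ULL, 0));
    return 0;
}
```

With a small folio index both variants grab exactly 32 pages; at index 0x2000000000 the int counter restarts from 0 and would write past the 32 allocated slots, while the loff_t loop stops after 32.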