From: Phillip Lougher
To: akpm@linux-foundation.org, linux-kernel@vger.kernel.org
Cc: Phillip Lougher, syzbot+a9747fe1c35a5b115d3f@syzkaller.appspotmail.com
Subject: [PATCH] Squashfs: check metadata block offset is within range
Date: Tue, 17 Feb 2026 05:09:55 +0000
Message-ID: <20260217050955.138351-1-phillip@squashfs.org.uk>

Syzkaller reports a "general protection fault in squashfs_copy_data"

This is ultimately caused by a corrupted index look-up table, which produces a negative metadata block offset.

This is subsequently passed to squashfs_copy_data (via squashfs_read_metadata) where the negative offset causes an out of bounds access.

The fix is to check that the offset is within range in squashfs_read_metadata. This will trap this and other cases.

Fixes: f400e12656ab ("Squashfs: cache operations")
Reported-by: syzbot+a9747fe1c35a5b115d3f@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/all/699234e2.a70a0220.2c38d7.00e2.GAE@google.com/
Signed-off-by: Phillip Lougher
--- fs/squashfs/cache.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/fs/squashfs/cache.c b/fs/squashfs/cache.c index 181260e72680..92fb857d2c76 100644 --- a/fs/squashfs/cache.c +++ b/fs/squashfs/cache.c 
@@ -344,6 +344,9 @@ int squashfs_read_metadata(struct super_block *sb, void= *buffer, if (unlikely(length < 0)) return -EIO; =20 + if (unlikely(*offset < 0 || *offset >=3D SQUASHFS_METADATA_SIZE)) + return -EIO; + while (length) { entry =3D squashfs_cache_get(sb, msblk->block_cache, *block, 0); if (entry->error) { --=20 2.47.3
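Review bot: The upper bound in the new squashfs_read_metadata() check, `*offset >= SQUASHFS_METADATA_SIZE`, is not justified anywhere in the changelog, which only explains the negative case (a corrupted index look-up table). Please add a sentence to the commit message, or a short comment above the check, stating why an offset equal to SQUASHFS_METADATA_SIZE can never be valid for any caller, because a bound that is too strict would turn reads of well-formed images into -EIO. Like the `length < 0` check directly above it, the new check also fails without a log message, so consider whether reporting the rejected offset would make corrupted images easier to triage.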