From: "Nikola Z. Ivanov"
To: phillip@squashfs.org.uk, squashfs-devel@lists.sourceforge.net
Cc: linux-kernel@vger.kernel.org, "Nikola Z. Ivanov", syzbot+a9747fe1c35a5b115d3f@syzkaller.appspotmail.com
Subject: [PATCH] Squashfs: prevent signed integer conversion overflow in get_dir_index_using_name
Date: Tue, 17 Feb 2026 14:13:08 +0200
Message-ID: <20260217121308.2060946-1-zlatistiv@gmail.com>

Syzkaller reports a "general protection fault in squashfs_copy_data"

This and other cases have already been covered here:
https://lore.kernel.org/all/20260217050955.138351-1-phillip@squashfs.org.uk/T/

However, in this case the culprit for the offset becoming negative
is that we interpret a large le32 as a signed int, which comes out
to be a negative value:

	length = le32_to_cpu(index->index);

This happens in the call to get_dir_index_using_name inside squashfs_lookup.

Later in the same function the arithmetic comes out negative,
as length is negative:

	*next_offset = (length + *next_offset) % SQUASHFS_METADATA_SIZE;

Fix this by declaring length as an unsigned int.

Reported-by: syzbot+a9747fe1c35a5b115d3f@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/all/699234e2.a70a0220.2c38d7.00e2.GAE@google.com/
Signed-off-by: Nikola Z. Ivanov
---
 fs/squashfs/namei.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/fs/squashfs/namei.c b/fs/squashfs/namei.c index 65aae7e2a859..7f1f6d63d89d 100644 --- a/fs/squashfs/namei.c +++ b/fs/squashfs/namei.c 
@@ -65,8 +65,8 @@ static int get_dir_index_using_name(struct super_block *s= b, int index_offset, int i_count, const char *name) { struct squashfs_sb_info *msblk =3D sb->s_fs_info; - int i, length =3D 0, err; - unsigned int size; + int i, err; + unsigned int size, length =3D 0; struct squashfs_dir_index *index; =20 TRACE("Entered get_dir_index_using_name, i_count %d\n", i_count); --=20 2.52.0
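
Review bot: the value read with `le32_to_cpu(index->index)` is still taken from disk without any range check, and the declaration change to `unsigned int size, length = 0;` only guarantees that `(length + *next_offset) % SQUASHFS_METADATA_SIZE` is no longer negative. It would help to say in the commit message whether every 32-bit on-disk value is acceptable once the result is non-negative, or to reject out-of-range values where `length` is assigned. A one-line comment at the new declaration noting that `length` holds a raw le32 and must stay unsigned would keep a later cleanup from folding it back into the `int` line. The message has Reported-by and Closes tags but no Fixes: tag, which would make backporting easier.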
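
The arithmetic described in the commit message, as an added user-space example (not code from the patch or from the kernel tree). The helper names, the constructed on-disk value 0xFFFFF000, and `int` as the type of `*next_offset` are assumptions; SQUASHFS_METADATA_SIZE is taken as 8192.

```c
#include <stdint.h>
#include <stdio.h>

#define SQUASHFS_METADATA_SIZE 8192

/* Pre-patch shape: the raw 32-bit on-disk value is stored in a signed int.
 * The sum is widened to long long only so this demo has no signed overflow
 * for any input; for the sample values the result equals plain int math. */
static int next_offset_signed(uint32_t disk_index, int next_offset)
{
	int length = (int)disk_index;	/* values above INT_MAX become negative */

	return (int)(((long long)length + next_offset) % SQUASHFS_METADATA_SIZE);
}

/* Post-patch shape: length is unsigned, so the sum and the modulo are
 * evaluated as unsigned int and the result is always in 0..8191. */
static int next_offset_unsigned(uint32_t disk_index, int next_offset)
{
	unsigned int length = disk_index;

	return (int)((length + next_offset) % SQUASHFS_METADATA_SIZE);
}

/* A metadata-block offset is only usable if it lies inside the block. */
static int offset_in_block(int offset)
{
	return offset >= 0 && offset < SQUASHFS_METADATA_SIZE;
}

int main(void)
{
	/* Constructed sample inputs, not taken from the syzbot reproducer. */
	const uint32_t samples[] = { 300u, 0x7FFFFFFFu, 0xFFFFF000u };
	const int start = 100;

	for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
		int s = next_offset_signed(samples[i], start);
		int u = next_offset_unsigned(samples[i], start);

		printf("index=0x%08x signed=%d (%s) unsigned=%d (%s)\n",
		       (unsigned int)samples[i],
		       s, offset_in_block(s) ? "ok" : "out of block",
		       u, offset_in_block(u) ? "ok" : "out of block");
	}
	return 0;
}
```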