From nobody Fri Apr 3 04:42:42 2026 Received: from sxb1plsmtpa01-09.prod.sxb1.secureserver.net (sxb1plsmtpa01-09.prod.sxb1.secureserver.net [188.121.53.92]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 6E3FE2BE026 for ; Tue, 17 Feb 2026 23:20:56 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=188.121.53.92 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1771370458; cv=none; b=eUPBAgTFghVv5xErMebTIZHOOH+Yohodb8ctkUjn2WymqBZYsixb733OK34fuKsUALWX1Bo+pqB0unrIX4BfeTucRgaG8NMvb/qkqnXugI39nHeso6UR5TFo3Vh42yZyLrQreRGlTM4AgR6FQIwyrKAkpeciuN5pbiWcxxcq3gQ= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1771370458; c=relaxed/simple; bh=eX1Bl7GRZwpb9+LyQ6MsgMIsN18vTuQyxAcCNHeiCyE=; h=From:To:Cc:Subject:Date:Message-ID:MIME-Version; b=Ph7Owwjkeje5i1EyCAKN9vcnvxMN6NDSUkEdDojHBofeTbDRX+VWePJW6bvCEd2V9vDD1yRKtkOS7WBFdYPhm5AQKmkQhvAQBCV6mTOQddSdKJqMwEibM9aTWW4h9P9+tzkHFn1u+U+cBWl+2RcBbuPT2snjdozqQr9wMZTd5+0= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=squashfs.org.uk; spf=pass smtp.mailfrom=squashfs.org.uk; dkim=pass (2048-bit key) header.d=secureserver.net header.i=@secureserver.net header.b=JZLwgr9D; dkim=pass (2048-bit key) header.d=squashfs.org.uk header.i=@squashfs.org.uk header.b=Lh8lq0Yv; arc=none smtp.client-ip=188.121.53.92 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=squashfs.org.uk Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=squashfs.org.uk Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=secureserver.net header.i=@secureserver.net header.b="JZLwgr9D"; dkim=pass (2048-bit key) header.d=squashfs.org.uk header.i=@squashfs.org.uk header.b="Lh8lq0Yv" Received: from phoenix.fritz.box ([82.69.79.175]) by :SMTPAUTH: with ESMTPA id sUFWvgYs7u3CJsUFkvmt1p; Tue, 17 Feb 2026 16:13:13 -0700 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=secureserver.net; s=secureserver1; t=1771369994; bh=6lrXyx10mdbE2cLlfzmT6Yq78I9LHu2avktQwO0RiYg=; h=From:To:Cc:Subject:Date; b=JZLwgr9DnB+nvjpS5UUmE/OW3tL46FyP8nNtBOW4FaFNqsaAqimOvljE6lQp8FdrF AQCk9fnCOz45CC9Y6sjm2dob3t9F96k2LWj8uj/H6KADIVG5gZTCSn8aKIXd8yPWHW AfF/c/BNMhOgvuOuGN6WZzmdYrby1sD0KSolE+2C+J1FXQcuYdYvFJDECgAzgBtpin pKQ/i7c1VG7fll3c/UhQuTNe45iCFibZTtS65lsOomNqA77Gv6E1mwcFBWo9P8zbKi y3scmcMRWCrMaL3O+PfxkIdI/In0ja/j4EjKIq6uxA16gFjybFUSzXYIaDvH57GSpv 1Cl9rz1s1HnDA== DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=squashfs.org.uk; s=secureserver1; t=1771369994; bh=6lrXyx10mdbE2cLlfzmT6Yq78I9LHu2avktQwO0RiYg=; h=From:To:Cc:Subject:Date; b=Lh8lq0Yvf+8y8WXUSwsntfQY9BH25mSaFjjNIcIJ5G0ZwmpBVXZTR+8CvrRZeQbMa iQSk4xhCXe/FXNfSXCQND8Q5XLVgKKTcr5UgrW9+y9A5ScXlJ6Gb+0o+8DENGj+0KC 34KvG5b1f512uboqj3z3ql4olQi5FsOKkUOcmpiWPWlUuAPS3rrAJ63Zap+HTXJ1cf p453vX3swy6FxONAGH+tyHCnT2gvBun0V1YCnWpAKSZU5mLKTRl5wG+f23wujdc3kA 8EAXsZvDbfKAOl/flTbpPHr4RjtDESVQos5TpH+FokDvagfDl767g+5WrSzE9hltgJ 5BKdfYwmYL2cQ== X-CMAE-Analysis: v=2.4 cv=CJeAmxrD c=1 sm=1 tr=0 ts=6994f609 a=84ok6UeoqCVsigPHarzEiQ==:117 a=84ok6UeoqCVsigPHarzEiQ==:17 a=VwQbUJbxAAAA:8 a=1XWaLZrsAAAA:8 a=hSkVLCK3AAAA:8 a=FXvPX3liAAAA:8 a=QNMIsyQSQB7fS-wBR3IA:9 a=cQPPKAXgyycSBL8etih5:22 a=UObqyxdv-6Yh2QiB9mM_:22 Feedback-ID: eec2fe2df4a2d9a6e243b2abf64c62a4:squashfs.org.uk:ssnet X-SECURESERVER-ACCT: phillip@squashfs.org.uk From: Phillip Lougher To: akpm@linux-foundation.org, linux-kernel@vger.kernel.org Cc: Phillip Lougher , syzbot+99fc070a2affcd27784b@syzkaller.appspotmail.com Subject: [PATCH] Squashfs: check xz dictionary size isn't zero Date: Tue, 17 Feb 2026 23:15:37 +0000 Message-ID: <20260217231537.206436-1-phillip@squashfs.org.uk> X-Mailer: git-send-email 2.47.3 Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable X-CMAE-Envelope: MS4xfBs4nzo9LaDW9BfzDLFRuNCqsjZadAZ0oQxD5xh1LS+jo57ZEm4l6BlZ3bvC2k/GTOu0RLv2pIiLuQsUwgxTMAkBodeb49eQSot+Ec3RKajMJgAcdf1/ MvnBnpgqPIei2wdCR9XirEIEQ0BSCpJJh1N/RTFx+rPNyKLJNuTexWczR75dP+JN8Okheo6fJYBWb+I2AmxILAKDKb6viRF5nTBUrPoU45huKTANw2ExZ3Vh HCNOonPMFd+8HppcUWgY6E/Pcmy0PxP4JzF3uvBsKn8hYbDA3hqh5lrZqrVhJOeb1kBUmZ3N/ZzAonXFYe8MHzdKqq+pTjoJXHB3rY3dts7tSu5+mKUnoN1U uw9K9upA Content-Type: text/plain; charset="utf-8" Syzkaller reports a "UBSAN: shift-out-of-bounds in squashfs_xz_comp_opts" This is caused by a zero dict_size value read from disk, which produces a negative shift. The fix is to check that the dict_size is not zero. Fixes: ff750311d30a ("Squashfs: add compression options support to xz decom= pressor") Reported-by: syzbot+99fc070a2affcd27784b@syzkaller.appspotmail.com Closes: https://lore.kernel.org/all/6994c60f.a70a0220.2c38d7.0108.GAE@googl= e.com/ Signed-off-by: Phillip Lougher --- fs/squashfs/xz_wrapper.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/fs/squashfs/xz_wrapper.c b/fs/squashfs/xz_wrapper.c index 6c49481a2f8c..71eeec9970ec 100644 --- a/fs/squashfs/xz_wrapper.c +++ b/fs/squashfs/xz_wrapper.c @@ -58,9 +58,9 @@ static void *squashfs_xz_comp_opts(struct squashfs_sb_inf= o *msblk, opts->dict_size =3D le32_to_cpu(comp_opts->dictionary_size); =20 /* the dictionary size should be 2^n or 2^n+2^(n+1) */ - n =3D ffs(opts->dict_size) - 1; - if (opts->dict_size !=3D (1 << n) && opts->dict_size !=3D (1 << n) + - (1 << (n + 1))) { + n =3D ffs(opts->dict_size); + if (n-- =3D=3D 0 || (opts->dict_size !=3D (1 << n) && + opts->dict_size !=3D (1 << n) + (1 << (n + 1)))) { err =3D -EIO; goto out; } --=20 2.47.3