1. Patchew
  2. linux
  3. View series

[PATCH] squashfs: reject wrapped fragment index offsets

Samuel Moelius posted 1 patch 4 days, 14 hours ago 
fs/squashfs/block.c    | 6 ++++--
fs/squashfs/fragment.c | 3 ++-
2 files changed, 6 insertions(+), 3 deletions(-)
[PATCH] squashfs: reject wrapped fragment index offsets
Posted by Samuel Moelius 4 days, 14 hours ago 
Squashfs fragment lookup computes byte offsets into the fragment index
table from on-disk values.  Crafted metadata can make that arithmetic
wrap before the block is read.

A corrupted image can place the fragment index offset near U64_MAX
and use a non-zero length so that the end offset wraps to a low value.

After the wrap, the filesystem may read the wrong metadata block
instead of rejecting the corrupt image.

Check fragment index offset arithmetic for overflow before issuing
the read.

Assisted-by: Codex:gpt-5.5-cyber-preview
Signed-off-by: Samuel Moelius <sam.moelius@trailofbits.com>
---
 fs/squashfs/block.c    | 6 ++++--
 fs/squashfs/fragment.c | 3 ++-
 2 files changed, 6 insertions(+), 3 deletions(-)

diff --git a/fs/squashfs/block.c b/fs/squashfs/block.c
index 2d5850168026..570ae6ac3652 100644
--- a/fs/squashfs/block.c
+++ b/fs/squashfs/block.c
@@ -312,7 +312,8 @@ int squashfs_read_data(struct super_block *sb, u64 index, int length,
 		struct bvec_iter_all iter_all = {};
 		struct bio_vec *bvec = bvec_init_iter_all(&iter_all);
 
-		if (index + 2 > msblk->bytes_used) {
+		if (index > msblk->bytes_used ||
+		    msblk->bytes_used - index < 2) {
 			res = -EIO;
 			goto out;
 		}
@@ -349,7 +350,8 @@ int squashfs_read_data(struct super_block *sb, u64 index, int length,
 		      compressed ? "" : "un", length);
 	}
 	if (length <= 0 || length > output->length ||
-			(index + length) > msblk->bytes_used) {
+	    index > msblk->bytes_used ||
+	    (u64)length > msblk->bytes_used - index) {
 		res = -EIO;
 		goto out;
 	}
diff --git a/fs/squashfs/fragment.c b/fs/squashfs/fragment.c
index 49602b9a42e1..b4a4ea83b602 100644
--- a/fs/squashfs/fragment.c
+++ b/fs/squashfs/fragment.c
@@ -71,7 +71,8 @@ __le64 *squashfs_read_fragment_index_table(struct super_block *sb,
 	 * this check also traps instances where fragment_table_start is
 	 * incorrectly larger than the next table start
 	 */
-	if (fragment_table_start + length > next_table)
+	if (fragment_table_start > next_table ||
+	    length > next_table - fragment_table_start)
 		return ERR_PTR(-EINVAL);
 
 	table = squashfs_read_table(sb, fragment_table_start, length);
-- 
2.43.0

Patchew 2.1-devel-ea86937

© 2016 - 2026 Red Hat, Inc.