From: Phillip Lougher To: linux-kernel@vger.kernel.org Cc: akpm@linux-foundation.org, pliard@google.com, hch@lst.de, adrien+dev@schischi.me, groeck@chromium.org, drosen@google.com, Phillip Lougher , Bernd Amend Subject: [PATCH] squashfs: fix length field overlap check in metadata reading Date: Fri, 17 Jul 2020 20:55:36 +0100 Message-Id: <20200717195536.16069-1-phillip@squashfs.org.uk> X-Mailer: git-send-email 2.20.1 MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Mailcore-Auth: 439913985 X-Mailcore-Domain: 1686784 Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org This is a regression introduced by the "migrate from ll_rw_block usage to BIO" patch. Squashfs packs structures on byte boundaries, and due to that the length field (of the metadata block) may not be fully in the current block. The new code rewrote and introduced a faulty check for that edge case. Reported-by: Bernd Amend Signed-off-by: Phillip Lougher --- fs/squashfs/block.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/fs/squashfs/block.c b/fs/squashfs/block.c index 64f61330564a..76bb1c846845 100644 --- a/fs/squashfs/block.c +++ b/fs/squashfs/block.c @@ -175,7 +175,7 @@ int squashfs_read_data(struct super_block *sb, u64 index, int length, /* Extract the length of the metadata block */ data = page_address(bvec->bv_page) + bvec->bv_offset; length = data[offset]; - if (offset <= bvec->bv_len - 1) { + if (offset < bvec->bv_len - 1) { length |= data[offset + 1] << 8; } else { if (WARN_ON_ONCE(!bio_next_segment(bio, &iter_all))) { -- 2.20.1
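Review bot: In the squashfs_read_data() hunk, the corrected test `offset < bvec->bv_len - 1` still states the bound by subtracting from the segment length, which is the same shape that hid the off-by-one in the removed `<=` line. Consider writing it as `offset + 1 < bvec->bv_len`, which says directly that the second length byte at data[offset + 1] must lie inside the current segment and leaves the `else` branch to handle the case where the first byte is the last byte of the segment. A one-line comment above the test noting that the two-byte length can straddle segments would help keep a later rewrite from reintroducing the error. The commit message names the "migrate from ll_rw_block usage to BIO" patch as the source of the regression but carries no Fixes: tag for it; adding one would let the fix be matched to the trees that picked up that change.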