From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Phillip Lougher, syzbot+e8f781243ce16ac2f962@syzkaller.appspotmail.com, syzbot+7b98870d4fec9447b951@syzkaller.appspotmail.com, Andrew Morton, Linus Torvalds
Subject: [PATCH 5.10 200/289] squashfs: fix divide error in calculate_skip()
Date: Mon, 17 May 2021 16:02:05 +0200
Message-Id: <20210517140311.848696901@linuxfoundation.org>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20210517140305.140529752@linuxfoundation.org>
References: <20210517140305.140529752@linuxfoundation.org>
User-Agent: quilt/0.66
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Precedence: bulk
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org

From: Phillip Lougher

commit d6e621de1fceb3b098ebf435ef7ea91ec4838a1a upstream.

Sysbot has reported a "divide error" which has been identified as being caused by a corrupted file_size value within the file inode. This value has been corrupted to a much larger value than expected.

Calculate_skip() is passed i_size_read(inode) >> msblk->block_log. Due to the file_size value corruption this overflows the int argument/variable in that function, leading to the divide error.

This patch changes the function to use u64. This will accommodate any unexpectedly large values due to corruption.

The value returned from calculate_skip() is clamped to be never more than SQUASHFS_CACHED_BLKS - 1, or 7. So file_size corruption does not lead to an unexpectedly large return result here.

Link: https://lkml.kernel.org/r/20210507152618.9447-1-phillip@squashfs.org.uk
Signed-off-by: Phillip Lougher
Reported-by:
Reported-by:
Cc:
Signed-off-by: Andrew Morton
Signed-off-by: Linus Torvalds
Signed-off-by: Greg Kroah-Hartman

--- fs/squashfs/file.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) --- a/fs/squashfs/file.c +++ b/fs/squashfs/file.c
@@ -211,11 +211,11 @@ failure: * If the skip factor is limited in this way then the file will use multiple * slots. */ -static inline int calculate_skip(int blocks) +static inline int calculate_skip(u64 blocks) { - int skip = blocks / ((SQUASHFS_META_ENTRIES + 1) + u64 skip = blocks / ((SQUASHFS_META_ENTRIES + 1) * SQUASHFS_META_INDEXES); - return min(SQUASHFS_CACHED_BLKS - 1, skip + 1); + return min((u64) SQUASHFS_CACHED_BLKS - 1, skip + 1); }
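
Review bot: in the new return statement the u64 result of min() is narrowed implicitly to the function's unchanged int return type. That is safe only because the value is clamped to SQUASHFS_CACHED_BLKS - 1 (7 according to the commit message), so it is worth making explicit, for example with min_t(u64, SQUASHFS_CACHED_BLKS - 1, skip + 1) in place of the open-coded (u64) cast, or with a one-line comment above the return. Separately, the divisor in this function, (SQUASHFS_META_ENTRIES + 1) * SQUASHFS_META_INDEXES, appears to be built only from constants, so the reported divide error cannot come from this division itself. The commit message would be easier to follow if it named the division that actually faults, and a check at the call site that rejects an implausible file_size would report the corruption rather than silently clamping it.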