From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Phillip Lougher, syzbot+e8f781243ce16ac2f962@syzkaller.appspotmail.com, syzbot+7b98870d4fec9447b951@syzkaller.appspotmail.com, Andrew Morton, Linus Torvalds
Subject: [PATCH 4.4 164/190] squashfs: fix divide error in calculate_skip()
Date: Thu, 20 May 2021 11:23:48 +0200
Message-Id: <20210520092107.590542533@linuxfoundation.org>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20210520092102.149300807@linuxfoundation.org>
References: <20210520092102.149300807@linuxfoundation.org>
User-Agent: quilt/0.66
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Precedence: bulk
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org

From: Phillip Lougher

commit d6e621de1fceb3b098ebf435ef7ea91ec4838a1a upstream.

Sysbot has reported a "divide error" which has been identified as being caused by a corrupted file_size value within the file inode. This value has been corrupted to a much larger value than expected.

Calculate_skip() is passed i_size_read(inode) >> msblk->block_log. Due to the file_size value corruption this overflows the int argument/variable in that function, leading to the divide error.

This patch changes the function to use u64. This will accommodate any unexpectedly large values due to corruption.

The value returned from calculate_skip() is clamped to be never more than SQUASHFS_CACHED_BLKS - 1, or 7. So file_size corruption does not lead to an unexpectedly large return result here.

Link: https://lkml.kernel.org/r/20210507152618.9447-1-phillip@squashfs.org.uk
Signed-off-by: Phillip Lougher
Reported-by:
Reported-by:
Cc:
Signed-off-by: Andrew Morton
Signed-off-by: Linus Torvalds
Signed-off-by: Greg Kroah-Hartman

--- fs/squashfs/file.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) --- a/fs/squashfs/file.c +++ b/fs/squashfs/file.c 
@@ -224,11 +224,11 @@ failure: * If the skip factor is limited in this way then the file will use multiple * slots. */ -static inline int calculate_skip(int blocks) +static inline int calculate_skip(u64 blocks) { - int skip = blocks / ((SQUASHFS_META_ENTRIES + 1) + u64 skip = blocks / ((SQUASHFS_META_ENTRIES + 1) * SQUASHFS_META_INDEXES); - return min(SQUASHFS_CACHED_BLKS - 1, skip + 1); + return min((u64) SQUASHFS_CACHED_BLKS - 1, skip + 1); }
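
Review bot: calculate_skip() still returns int while the new return expression, min((u64) SQUASHFS_CACHED_BLKS - 1, skip + 1), is a u64, so the result is narrowed implicitly on return. The clamp keeps the value at most SQUASHFS_CACHED_BLKS - 1, so the narrowing loses nothing, but writing it as min_t(u64, SQUASHFS_CACHED_BLKS - 1, skip + 1) would state the comparison type directly instead of relying on the cast binding tighter than the subtraction. The comment block above the function would also benefit from one sentence saying that blocks can be arbitrarily large when the inode's file_size is corrupted and that the clamp is what bounds the result; as it stands, nothing in the hunk tells a later reader why the parameter is u64 while the return type is int.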