Received: by 2002:a05:7412:b101:b0:e2:908c:2ebd with SMTP id az1csp3368277rdb;
        Thu, 16 Nov 2023 07:48:34 -0800 (PST)
X-Google-Smtp-Source: AGHT+IFlj+cJjVcthbKNY93f24oOBlfYRgSaOJ7fns7ePdUm808ZsxIWJgVuE3Ky/mh98w6rPvzA
X-Received: by 2002:a17:90b:4f88:b0:27c:f016:49a2 with SMTP id qe8-20020a17090b4f8800b0027cf01649a2mr13717315pjb.7.1700149713662;
        Thu, 16 Nov 2023 07:48:33 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1700149713; cv=none;
        d=google.com; s=arc-20160816;
        b=DIbeevLepq5m6dqRPX7YcYlfuCw9vZp/tQM2NHK938fYCCgUcEc3iIwLTSlkOiVUCq
         ZXXrvEGt5GtJEUOq30XM0+kD+AGlgiQKKz1xsLOizBdQ5pyts+qN0gUFPdc5heRr8i9G
         ZdEDqbLTE5yo0bmVN0WOP9jHmb01oxQi8WDxpUsibrjD87s4wIzAcM+SeemK55uRqeWX
         QEZpjxxIOu/BmQPXfY8fRPYE/0IqK7Mj04F558j7AUPKaRWTWkVXMyVA/Uqg0EoLZ2Ny
         m/Gwz2wq3NfBT3xV3sKOgvYrHBKIZmSn5S/tLXtA+lBRinpSHB+9+wa+clJ+z7fnEQiP
         4W8w==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:importance:content-transfer-encoding
         :mime-version:subject:references:in-reply-to:message-id:cc:to:from
         :date;
        bh=XBM74Djz/iWDiFs0G/4wDaa7RLTernm/uN0rNKSdg8s=;
        fh=QozMor7/8Q8uiuLOe1F30RoIwKEcIRFvKP/NF1c5ZXU=;
        b=NKP6UyJ5BSdaargq/ffCy017kYzbVTNOaXdUqetnmJAgB0I2x/O4dqZRvaoYskeorf
         Dt5GUAh1eWBxltxTQaOD/IJpixl7CzORmX8CTqJAvFD0p9lSRTtXnCwCtoOBSyUDB/jj
         zjEIlm2v9RG3IdS55KdbQlPN7/bx2/DHHapd13msigUy6DQrDBa0PHkLyJcPVKtAQRYb
         yRlgeCZfb8C3pHBL0dR9x81DPd1C6aY/ITWhAuL5M4oCTYrNYSNeopMFN7wSQ0dczU8A
         EG//Q6OKxMgJb7qrlDWRNioJ6LVAE1Q6CMyvXxbGlizhZ0WWrjkgDbvp6+vU91bFfXCc
         RBoA==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.33 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from lipwig.vger.email (lipwig.vger.email. [23.128.96.33])
        by mx.google.com with ESMTPS id t24-20020a17090aba9800b0027d01d450desi2247295pjr.86.2023.11.16.07.48.33
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Thu, 16 Nov 2023 07:48:33 -0800 (PST)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.33 as permitted sender) client-ip=23.128.96.33;
Authentication-Results: mx.google.com;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.33 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: from out1.vger.email (depot.vger.email [IPv6:2620:137:e000::3:0])
	by lipwig.vger.email (Postfix) with ESMTP id 49E058172977;
	Thu, 16 Nov 2023 07:48:31 -0800 (PST)
X-Virus-Status: Clean
X-Virus-Scanned: clamav-milter 0.103.11 at lipwig.vger.email
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1345292AbjKPPsR (ORCPT <rfc822;a225855305@gmail.com>
        + 99 others); Thu, 16 Nov 2023 10:48:17 -0500
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:59642 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1345297AbjKPPsK (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Thu, 16 Nov 2023 10:48:10 -0500
Received: from p3plwbeout16-02.prod.phx3.secureserver.net (p3plsmtp16-02-2.prod.phx3.secureserver.net [173.201.193.56])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 1CE8219B
        for <linux-kernel@vger.kernel.org>; Thu, 16 Nov 2023 07:48:03 -0800 (PST)
X-MW-NODE: 
X-CMAE-Analysis: v=2.4 cv=SYYyytdu c=1 sm=1 tr=0 ts=655639b2
 a=dFffxkGDbYo3ckkjzRcKYg==:117 a=dFffxkGDbYo3ckkjzRcKYg==:17
 a=TT3OXX8_H1iH7GK2:21 a=ggZhUymU-5wA:10 a=IkcTkHD0fZMA:10 a=t7CeM3EgAAAA:8
 a=FXvPX3liAAAA:8 a=hSkVLCK3AAAA:8 a=hlfSdipmgW7WWFGKQN0A:9 a=QEXdDO2ut3YA:10
 a=EebzJV9D4rpJJoWO5PQE:22 a=FdTzh2GWekK77mhwV6Dw:22 a=UObqyxdv-6Yh2QiB9mM_:22
 a=cQPPKAXgyycSBL8etih5:22 a=b0R6z3OkPTeaBGj_aaBY:22
X-SECURESERVER-ACCT: phillip@squashfs.org.uk
X-SID:  3eb2rPcI9GN7i
Date:   Thu, 16 Nov 2023 15:47:59 +0000 (GMT)
From:   Phillip Lougher <phillip@squashfs.org.uk>
To:     Lizhi Xu <lizhi.xu@windriver.com>,
        syzbot+32d3767580a1ea339a81@syzkaller.appspotmail.com,
        "akpm@linux-foundation.org" <akpm@linux-foundation.org>
Cc:     linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org,
        squashfs-devel@lists.sourceforge.net,
        syzkaller-bugs@googlegroups.com
Message-ID: <261429818.1734406.1700149679974@eu1.myprofessionalmail.com>
In-Reply-To: <20231116031352.40853-1-lizhi.xu@windriver.com>
References: <0000000000000526f2060a30a085@google.com>
 <20231116031352.40853-1-lizhi.xu@windriver.com>
Subject: Re: [PATCH] squashfs: squashfs_read_data need to check if the
 length is 0
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 7bit
X-Priority: 3
Importance: Normal
X-Mailer: Open-Xchange Mailer v8.18.49
X-Originating-IP: 82.69.79.175
X-Originating-Client: open-xchange-appsuite
X-CMAE-Envelope: MS4xfP5dWoFg+M+ZbHqU6VfYXdfwfo2GWM4bkl/BocaMV3PJM36+tJnayLaj5N+fOY/wfJtaAqSRbDzYoK4RvQBifMSoZXLM5ZW8UGrGj7gJ4TqUNX+EXXji
 Y+x2GdNvPOiSAkVqTy/8r7vRcMjYjJMN5uSagylNF1qNQ38kzHI6WKOkvpCTlJz+j6A1tnd0qtQl7EMmrodQHNEytKXfEkiaYP3S3mGZnE77Tvp+7Kds8ORe
 JvIbZmaKwKUyt5hvGMfnvz17XtHuCFProE9plCbX6enG5Fa1Uk2NJfDJdJwjoOli6FQM19zC0ZQFeJR3/VKL0jCk7L1drGh+tLH0Uadq7+0UFh0GvewPUM+2
 gh5wtf6jf6mAbVpZw/VMmGtCBlFHZWZDp6kqOepZj977Wh1eLhZ52TB1uTboFJP0UIMT15TPmG4RV7E2SV0nzMhKHA+wsaWR5675kyeWfsaOnBXzV/EuEMX8
 gGQAGF8S3HNEg7m6n6EaNYcc6qzDTRajc9JboBEUdLnbA7r3ELq4TmqMoaNq3Ukuuwfsb0lmZvbNdXzM
X-Spam-Status: No, score=-0.8 required=5.0 tests=HEADER_FROM_DIFFERENT_DOMAINS,
	MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS,T_SCC_BODY_TEXT_LINE
	autolearn=unavailable autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lipwig.vger.email
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
X-Greylist: Sender passed SPF test, not delayed by milter-greylist-4.6.4 (lipwig.vger.email [0.0.0.0]); Thu, 16 Nov 2023 07:48:31 -0800 (PST)


> On 16/11/2023 03:13 GMT Lizhi Xu <lizhi.xu@windriver.com> wrote:
> 
>  
> when the length passed in is 0, the subsequent process should be exited.
> 

Reproduced and tested.

Reviewed-by: Phillip Lougher (phillip@squashfs.org.uk)

> Reported-by: syzbot+32d3767580a1ea339a81@syzkaller.appspotmail.com
> Signed-off-by: Lizhi Xu <lizhi.xu@windriver.com>
> ---
>  fs/squashfs/block.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/fs/squashfs/block.c b/fs/squashfs/block.c
> index 581ce9519339..2dc730800f44 100644
> --- a/fs/squashfs/block.c
> +++ b/fs/squashfs/block.c
> @@ -321,7 +321,7 @@ int squashfs_read_data(struct super_block *sb, u64 index, int length,
>  		TRACE("Block @ 0x%llx, %scompressed size %d\n", index - 2,
>  		      compressed ? "" : "un", length);
>  	}
> -	if (length < 0 || length > output->length ||
> +	if (length <= 0 || length > output->length ||
>  			(index + length) > msblk->bytes_used) {
>  		res = -EIO;
>  		goto out;
> -- 
> 2.25.1