diff options
| author | Linus Torvalds | 2018-08-02 08:43:35 -0700 |
|---|---|---|
| committer | Linus Torvalds | 2018-08-02 09:32:23 -0700 |
| commit | 71755ee5350b63fb1f283de8561cdb61b47f4d1d (patch) | |
| tree | cfca6c7e5f8f30014724b955c845a1a2e80d95e5 /fs/squashfs/squashfs_fs_sb.h | |
| parent | 6b4703768268d09ac928c64474fd686adf4574f9 (diff) | |
squashfs: more metadata hardening
The squashfs fragment reading code doesn't actually verify that the
fragment is inside the fragment table. The end result _is_ verified to
be inside the image when actually reading the fragment data, but before
that is done, we may end up taking a page fault because the fragment
table itself might not even exist.
Another report from Anatoly and his endless squashfs image fuzzing.
Reported-by: Анатолий Тросиненко <anatoly.trosinenko@gmail.com>
Acked-by:: Phillip Lougher <phillip.lougher@gmail.com>,
Cc: Willy Tarreau <w@1wt.eu>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Diffstat (limited to 'fs/squashfs/squashfs_fs_sb.h')
| -rw-r--r-- | fs/squashfs/squashfs_fs_sb.h | 1 |
1 files changed, 1 insertions, 0 deletions
diff --git a/fs/squashfs/squashfs_fs_sb.h b/fs/squashfs/squashfs_fs_sb.h index 1da565cb50c3..ef69c31947bf 100644 --- a/fs/squashfs/squashfs_fs_sb.h +++ b/fs/squashfs/squashfs_fs_sb.h @@ -75,6 +75,7 @@ struct squashfs_sb_info { unsigned short block_log; long long bytes_used; unsigned int inodes; + unsigned int fragments; int xattr_ids; }; #endif |