Squashfs: handle corruption of directory structure
authorPhillip Lougher <phillip@lougher.demon.co.uk>
Tue, 15 Mar 2011 22:09:55 +0000 (22:09 +0000)
committerPhillip Lougher <phillip@lougher.demon.co.uk>
Wed, 16 Mar 2011 01:04:18 +0000 (01:04 +0000)
Handle the rare case where a directory metadata block is uncompressed and
corrupted, leading to a kernel oops in directory scanning (memcpy).
Normally corruption is detected at the decompression stage and dealt with
then, however, this will not happen if:

- metadata isn't compressed (users can optionally request no metadata
  compression), or
- the compressed metadata block was larger than the original, in which
  case the uncompressed version was used, or
- the data was corrupt after decompression

This patch fixes this by adding some sanity checks against known maximum
values.

Signed-off-by: Phillip Lougher <phillip@lougher.demon.co.uk>
fs/squashfs/dir.c
fs/squashfs/namei.c

index 0dc340aa2be97d5373e719f74c84d866e00ef465..3f79cd1d0c197b4428356c120fbff7cead1042fe 100644 (file)
@@ -172,6 +172,11 @@ static int squashfs_readdir(struct file *file, void *dirent, filldir_t filldir)
                length += sizeof(dirh);
 
                dir_count = le32_to_cpu(dirh.count) + 1;
+
+               /* dir_count should never be larger than 256 */
+               if (dir_count > 256)
+                       goto failed_read;
+
                while (dir_count--) {
                        /*
                         * Read directory entry.
@@ -183,6 +188,10 @@ static int squashfs_readdir(struct file *file, void *dirent, filldir_t filldir)
 
                        size = le16_to_cpu(dire->size) + 1;
 
+                       /* size should never be larger than SQUASHFS_NAME_LEN */
+                       if (size > SQUASHFS_NAME_LEN)
+                               goto failed_read;
+
                        err = squashfs_read_metadata(inode->i_sb, dire->name,
                                        &block, &offset, size);
                        if (err < 0)
index 7a9464d08cf632bef2395baea734c9eae9d8d6a7..5d922a6701ab730bf27d70451dd5c37c17337c9e 100644 (file)
@@ -176,6 +176,11 @@ static struct dentry *squashfs_lookup(struct inode *dir, struct dentry *dentry,
                length += sizeof(dirh);
 
                dir_count = le32_to_cpu(dirh.count) + 1;
+
+               /* dir_count should never be larger than 256 */
+               if (dir_count > 256)
+                       goto data_error;
+
                while (dir_count--) {
                        /*
                         * Read directory entry.
@@ -187,6 +192,10 @@ static struct dentry *squashfs_lookup(struct inode *dir, struct dentry *dentry,
 
                        size = le16_to_cpu(dire->size) + 1;
 
+                       /* size should never be larger than SQUASHFS_NAME_LEN */
+                       if (size > SQUASHFS_NAME_LEN)
+                               goto data_error;
+
                        err = squashfs_read_metadata(dir->i_sb, dire->name,
                                        &block, &offset, size);
                        if (err < 0)
@@ -228,6 +237,9 @@ exit_lookup:
        d_add(dentry, inode);
        return ERR_PTR(0);
 
+data_error:
+       err = -EIO;
+
 read_failure:
        ERROR("Unable to read directory block [%llx:%x]\n",
                squashfs_i(dir)->start + msblk->directory_table,