author Takashi Iwai <tiwai@suse.de> 2018-10-12 12:12:51 +0200
committer Takashi Iwai <tiwai@suse.de> 2018-10-12 12:13:06 +0200
commit 7d9386bf338c0228bf1b36b43a07f4de14a6db92 (patch)
tree 68988b53590a1ecac0b13e027c6a5b56c078fc53
parent 3e85709fcaf3054fd0726e47406a51a2a2eaf040 (diff)
squashfs: more metadata hardening (bsc#1051510).
-rw-r--r-- patches.fixes/squashfs-more-metadata-hardening.patch 41
-rw-r--r-- series.conf 1
2 files changed, 42 insertions, 0 deletions
diff --git a/patches.fixes/squashfs-more-metadata-hardening.patch b/patches.fixes/squashfs-more-metadata-hardening.patch
new file mode 100644
index 0000000000..ce8d6cc0a1
--- /dev/null
+++ b/patches.fixes/squashfs-more-metadata-hardening.patch
@@ -0,0 +1,41 @@
+From d512584780d3e6a7cacb2f482834849453d444a1 Mon Sep 17 00:00:00 2001
+From: Linus Torvalds <torvalds@linux-foundation.org>
+Date: Mon, 30 Jul 2018 14:27:15 -0700
+Subject: [PATCH] squashfs: more metadata hardening
+Git-commit: d512584780d3e6a7cacb2f482834849453d444a1
+Patch-mainline: v4.18-rc8
+References: bsc#1051510
+
+Anatoly reports another squashfs fuzzing issue, where the decompression
+parameters themselves are in a compressed block.
+
+This causes squashfs_read_data() to be called in order to read the
+decompression options before the decompression stream having been set
+up, making squashfs go sideways.
+
+Reported-by: Anatoly Trosinenko <anatoly.trosinenko@gmail.com>
+Acked-by: Phillip Lougher <phillip.lougher@gmail.com>
+Cc: stable@kernel.org
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ fs/squashfs/block.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/fs/squashfs/block.c b/fs/squashfs/block.c
+index 2751476e6b6e..f098b9f1c396 100644
+--- a/fs/squashfs/block.c
++++ b/fs/squashfs/block.c
+@@ -167,6 +167,8 @@ int squashfs_read_data(struct super_block *sb, u64 index, int length,
+ }
+
+ if (compressed) {
++ if (!msblk->stream)
++ goto read_failure;
+ length = squashfs_decompress(msblk, bh, b, offset, length,
+ output);
+ if (length < 0)
+--
+2.19.0
+
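Review bot: The new `if (!msblk->stream) goto read_failure;` check in squashfs_read_data() has no comment, and from the code alone it is not clear when the stream pointer can be NULL inside the `if (compressed)` branch. The commit message gives the reason (the decompression options are themselves in a compressed block, so the function is called before the decompression stream has been set up); a one-line comment above the check saying so would stop it from being dropped later as an apparently dead test. The read_failure label is outside the visible context, so please confirm that it cleans up whatever has been collected in `bh` by this point, since the new jump is taken after the read and just before squashfs_decompress() would have consumed those buffers.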
diff --git a/series.conf b/series.conf
index 074baab154..cc5ac60b53 100644
--- a/series.conf
+++ b/series.conf
@@ -16976,6 +16976,7 @@
patches.arch/perf-x86-amd-ibs-don-t-access-non-started-event
patches.fixes/x86-entry-64-remove-ebx-handling-from-error_entry-exit.patch
patches.arch/x86-boot-fix-if_changed-build-flip-flop-bug
+ patches.fixes/squashfs-more-metadata-hardening.patch
patches.suse/net-fix-amd-xgbe-flow-control-issue.patch
patches.suse/net-ena-Fix-use-of-uninitialized-DMA-address-bits-fi.patch
patches.fixes/0001-net-lan78xx-fix-rx-handling-before-first-packet-is-s.patch
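Review bot: The new series.conf entry is placed between x86-boot-fix-if_changed-build-flip-flop-bug and net-fix-amd-xgbe-flow-control-issue.patch, and nothing in the commit message says why this position was chosen. The patch subject ("more metadata hardening") and its description ("another squashfs fuzzing issue") imply earlier squashfs hardening changes to the same code, so please confirm that any such patch in this tree is listed before this line, because the block.c hunk expects the context `if (compressed) {` followed directly by the squashfs_decompress() call and will not apply cleanly otherwise. A short note in the commit message on how the position was determined (for example, by upstream commit order, given Patch-mainline: v4.18-rc8) would help the next reviewer.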