Squashfs: handle corruption of directory structure

Handle the rare case where a directory metadata block is uncompressed and corrupted, leading to a kernel oops in directory scanning (memcpy). Normally corruption is detected at the decompression stage and dealt with then, however, this will not happen if: - metadata isn't compressed (users can optionally request no metadata compression), or - the compressed metadata block was larger than the original, in which case the uncompressed version was used, or - the data was corrupt after decompression This patch fixes this by adding some sanity checks against known maximum values. Signed-off-by: Phillip Lougher <phillip@lougher.demon.co.uk>
author: Phillip Lougher <phillip@lougher.demon.co.uk> 2011-03-15 18:09:55 -0400
committer: Phillip Lougher <phillip@lougher.demon.co.uk> 2011-03-15 21:04:18 -0400
commit: 44cff8a9ee8a974f9e931df910688e7fc1f0b0f9 (patch)
tree: 4bb7011f0f5be9047d601c889a8bf02da096cefd
parent: 003a3194d36dc22c29cacda4d0c6fede2753c9d0 (diff)
2 files changed, 21 insertions, 0 deletions
diff --git a/fs/squashfs/dir.c b/fs/squashfs/dir.c
index 0dc340aa2be9..3f79cd1d0c19 100644
--- a/fs/squashfs/dir.c
+++ b/fs/squashfs/dir.c
@@ -172,6 +172,11 @@ static int squashfs_readdir(struct file *file, void *dirent, filldir_t filldir)
                length += sizeof(dirh);
                dir_count = le32_to_cpu(dirh.count) + 1;
+                /* dir_count should never be larger than 256 */
+                if (dir_count > 256)
+                        goto failed_read;
                while (dir_count--) {
                        /*
                         * Read directory entry.
@@ -183,6 +188,10 @@ static int squashfs_readdir(struct file *file, void *dirent, filldir_t filldir)
                        size = le16_to_cpu(dire->size) + 1;
+                        /* size should never be larger than SQUASHFS_NAME_LEN */
+                        if (size > SQUASHFS_NAME_LEN)
+                                goto failed_read;
                        err = squashfs_read_metadata(inode->i_sb, dire->name,
                                        &block, &offset, size);
                        if (err < 0)
diff --git a/fs/squashfs/namei.c b/fs/squashfs/namei.c
index 7a9464d08cf6..5d922a6701ab 100644
--- a/fs/squashfs/namei.c
+++ b/fs/squashfs/namei.c
@@ -176,6 +176,11 @@ static struct dentry *squashfs_lookup(struct inode *dir, struct dentry *dentry,
                length += sizeof(dirh);
                dir_count = le32_to_cpu(dirh.count) + 1;
+                /* dir_count should never be larger than 256 */
+                if (dir_count > 256)
+                        goto data_error;
                while (dir_count--) {
                        /*
                         * Read directory entry.
@@ -187,6 +192,10 @@ static struct dentry *squashfs_lookup(struct inode *dir, struct dentry *dentry,
                        size = le16_to_cpu(dire->size) + 1;
+                        /* size should never be larger than SQUASHFS_NAME_LEN */
+                        if (size > SQUASHFS_NAME_LEN)
+                                goto data_error;
                        err = squashfs_read_metadata(dir->i_sb, dire->name,
                                        &block, &offset, size);
                        if (err < 0)
@@ -228,6 +237,9 @@ exit_lookup:
        d_add(dentry, inode);
        return ERR_PTR(0);
+data_error:
+        err = -EIO;
 read_failure:
        ERROR("Unable to read directory block [%llx:%x]\n",
                squashfs_i(dir)->start + msblk->directory_table,
author	Phillip Lougher <phillip@lougher.demon.co.uk>	2011-03-15 18:09:55 -0400
committer	Phillip Lougher <phillip@lougher.demon.co.uk>	2011-03-15 21:04:18 -0400
commit	44cff8a9ee8a974f9e931df910688e7fc1f0b0f9 (patch)
tree	4bb7011f0f5be9047d601c889a8bf02da096cefd
parent	003a3194d36dc22c29cacda4d0c6fede2753c9d0 (diff)