diff options
| author | Phillip Lougher <phillip@squashfs.org.uk> | 2013-09-03 21:58:12 -0400 |
|---|---|---|
| committer | Phillip Lougher <phillip@squashfs.org.uk> | 2013-09-05 23:57:54 -0400 |
| commit | 9e012423869e1efbae3762b87ceab509027231c9 (patch) | |
| tree | dd451cda9f1a82f6ea83c645807bb459c51b4bf8 /fs | |
| parent | f960cae5357d8e52b8af91e8b1621cae565dffb3 (diff) | |
Squashfs: add corruption check for type in squashfs_readdir()
We read the type field from disk. This value should be sanity
checked for correctness to avoid an out of bounds access when
reading the squashfs_filetype_table array.
Signed-off-by: Phillip Lougher <phillip@squashfs.org.uk>
Diffstat (limited to 'fs')
| -rw-r--r-- | fs/squashfs/dir.c | 7 | ||||
| -rw-r--r-- | fs/squashfs/squashfs_fs.h | 5 |
2 files changed, 9 insertions, 3 deletions
diff --git a/fs/squashfs/dir.c b/fs/squashfs/dir.c index bd7155b198a9..d8c2d747be28 100644 --- a/fs/squashfs/dir.c +++ b/fs/squashfs/dir.c | |||
| @@ -112,8 +112,8 @@ static int squashfs_readdir(struct file *file, struct dir_context *ctx) | |||
| 112 | struct inode *inode = file_inode(file); | 112 | struct inode *inode = file_inode(file); |
| 113 | struct squashfs_sb_info *msblk = inode->i_sb->s_fs_info; | 113 | struct squashfs_sb_info *msblk = inode->i_sb->s_fs_info; |
| 114 | u64 block = squashfs_i(inode)->start + msblk->directory_table; | 114 | u64 block = squashfs_i(inode)->start + msblk->directory_table; |
| 115 | int offset = squashfs_i(inode)->offset, length, type, err; | 115 | int offset = squashfs_i(inode)->offset, length, err; |
| 116 | unsigned int inode_number, dir_count, size; | 116 | unsigned int inode_number, dir_count, size, type; |
| 117 | struct squashfs_dir_header dirh; | 117 | struct squashfs_dir_header dirh; |
| 118 | struct squashfs_dir_entry *dire; | 118 | struct squashfs_dir_entry *dire; |
| 119 | 119 | ||
| @@ -206,6 +206,9 @@ static int squashfs_readdir(struct file *file, struct dir_context *ctx) | |||
| 206 | ((short) le16_to_cpu(dire->inode_number)); | 206 | ((short) le16_to_cpu(dire->inode_number)); |
| 207 | type = le16_to_cpu(dire->type); | 207 | type = le16_to_cpu(dire->type); |
| 208 | 208 | ||
| 209 | if (type > SQUASHFS_MAX_DIR_TYPE) | ||
| 210 | goto failed_read; | ||
| 211 | |||
| 209 | if (!dir_emit(ctx, dire->name, size, | 212 | if (!dir_emit(ctx, dire->name, size, |
| 210 | inode_number, | 213 | inode_number, |
| 211 | squashfs_filetype_table[type])) | 214 | squashfs_filetype_table[type])) |
diff --git a/fs/squashfs/squashfs_fs.h b/fs/squashfs/squashfs_fs.h index 9e2349d07cb1..4b2beda49498 100644 --- a/fs/squashfs/squashfs_fs.h +++ b/fs/squashfs/squashfs_fs.h | |||
| @@ -87,7 +87,7 @@ | |||
| 87 | #define SQUASHFS_COMP_OPTS(flags) SQUASHFS_BIT(flags, \ | 87 | #define SQUASHFS_COMP_OPTS(flags) SQUASHFS_BIT(flags, \ |
| 88 | SQUASHFS_COMP_OPT) | 88 | SQUASHFS_COMP_OPT) |
| 89 | 89 | ||
| 90 | /* Max number of types and file types */ | 90 | /* Inode types including extended types */ |
| 91 | #define SQUASHFS_DIR_TYPE 1 | 91 | #define SQUASHFS_DIR_TYPE 1 |
| 92 | #define SQUASHFS_REG_TYPE 2 | 92 | #define SQUASHFS_REG_TYPE 2 |
| 93 | #define SQUASHFS_SYMLINK_TYPE 3 | 93 | #define SQUASHFS_SYMLINK_TYPE 3 |
| @@ -103,6 +103,9 @@ | |||
| 103 | #define SQUASHFS_LFIFO_TYPE 13 | 103 | #define SQUASHFS_LFIFO_TYPE 13 |
| 104 | #define SQUASHFS_LSOCKET_TYPE 14 | 104 | #define SQUASHFS_LSOCKET_TYPE 14 |
| 105 | 105 | ||
| 106 | /* Max type value stored in directory entry */ | ||
| 107 | #define SQUASHFS_MAX_DIR_TYPE 7 | ||
| 108 | |||
| 106 | /* Xattr types */ | 109 | /* Xattr types */ |
| 107 | #define SQUASHFS_XATTR_USER 0 | 110 | #define SQUASHFS_XATTR_USER 0 |
| 108 | #define SQUASHFS_XATTR_TRUSTED 1 | 111 | #define SQUASHFS_XATTR_TRUSTED 1 |