581c294184
commit 71755ee5350b63fb1f283de8561cdb61b47f4d1d upstream. The squashfs fragment reading code doesn't actually verify that the fragment is inside the fragment table. The end result _is_ verified to be inside the image when actually reading the fragment data, but before that is done, we may end up taking a page fault because the fragment table itself might not even exist. Another report from Anatoly and his endless squashfs image fuzzing. Reported-by: Анатолий Тросиненко <anatoly.trosinenko@gmail.com> Acked-by:: Phillip Lougher <phillip.lougher@gmail.com>, Cc: Willy Tarreau <w@1wt.eu> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
||
|---|---|---|
| .. | ||
| block.c | ||
| cache.c | ||
| decompressor_multi_percpu.c | ||
| decompressor_multi.c | ||
| decompressor_single.c | ||
| decompressor.c | ||
| decompressor.h | ||
| dir.c | ||
| export.c | ||
| file_cache.c | ||
| file_direct.c | ||
| file.c | ||
| fragment.c | ||
| id.c | ||
| inode.c | ||
| Kconfig | ||
| lz4_wrapper.c | ||
| lzo_wrapper.c | ||
| Makefile | ||
| namei.c | ||
| page_actor.c | ||
| page_actor.h | ||
| squashfs_fs_i.h | ||
| squashfs_fs_sb.h | ||
| squashfs_fs.h | ||
| squashfs.h | ||
| super.c | ||
| symlink.c | ||
| xattr_id.c | ||
| xattr.c | ||
| xattr.h | ||
| xz_wrapper.c | ||
| zlib_wrapper.c | ||