On Thu 01-08-24 23:17:40, Lizhi Xu wrote: > syzbot report KMSAN: uninit-value in pick_link, the root cause is that > squashfs_symlink_read_folio did not check the length, resulting in folio > not being initialized and did not return the corresponding error code. > > The incorrect value of length is due to the incorrect value of inode->i_size. > > Reported-and-tested-by: syzbot+24ac24ff58dc5b0d26b9@xxxxxxxxxxxxxxxxxxxxxxxxx > Closes: https://syzkaller.appspot.com/bug?extid=24ac24ff58dc5b0d26b9 > Signed-off-by: Lizhi Xu <lizhi.xu@xxxxxxxxxxxxx> > --- > fs/squashfs/symlink.c | 6 ++++++ > 1 file changed, 6 insertions(+) > > diff --git a/fs/squashfs/symlink.c b/fs/squashfs/symlink.c > index 6ef735bd841a..d5fa5165ddd6 100644 > --- a/fs/squashfs/symlink.c > +++ b/fs/squashfs/symlink.c > @@ -61,6 +61,12 @@ static int squashfs_symlink_read_folio(struct file *file, struct folio *folio) > } > } > > + if (length < 0) { OK, so this would mean that (int)inode->i_size is a negative number. Possible. Perhaps we should rather better validate i_size of symlinks in squashfs_read_inode()? Otherwise it would be a whack-a-mole game of catching places that get confused by bogus i_size... Honza > + ERROR("Unable to read symlink, wrong length [%d]\n", length); > + error = -EINVAL; > + goto out; > + } > + > /* > * Read length bytes from symlink metadata. Squashfs_read_metadata > * is not used here because it can sleep and we want to use > -- > 2.43.0 > -- Jan Kara <jack@xxxxxxxx> SUSE Labs, CR
