On Fri 02-08-24 11:01:14, Lizhi Xu wrote:
> syzbot reports KMSAN: uninit-value in pick_link, the root cause is that
> squashfs_symlink_read_folio did not check the length, resulting in folio
> not being initialized and did not return the corresponding error code.
>
> The length is calculated from i_size, so it is necessary to add a check
> when i_size is initialized to confirm that its value is correct, otherwise
> an error -EINVAL will be returned. Strictly, the check only applies to the
> symlink type.
>
> Reported-and-tested-by: syzbot+24ac24ff58dc5b0d26b9@xxxxxxxxxxxxxxxxxxxxxxxxx
> Closes: https://syzkaller.appspot.com/bug?extid=24ac24ff58dc5b0d26b9
> Signed-off-by: Lizhi Xu <lizhi.xu@xxxxxxxxxxxxx>
> ---
> fs/squashfs/inode.c | 5 +++++
> 1 file changed, 5 insertions(+)
>
> diff --git a/fs/squashfs/inode.c b/fs/squashfs/inode.c
> index 16bd693d0b3a..6c5dd225482f 100644
> --- a/fs/squashfs/inode.c
> +++ b/fs/squashfs/inode.c
> @@ -287,6 +287,11 @@ int squashfs_read_inode(struct inode *inode, long long ino)
> inode->i_mode |= S_IFLNK;
> squashfs_i(inode)->start = block;
> squashfs_i(inode)->offset = offset;
> + if ((int)inode->i_size < 0) {

Looks good. I think you could actually add an even more aggressive check like:

if (inode->i_size > PAGE_SIZE) {

because larger symlink isn't supported by squashfs code anyway.

Honza

> + ERROR("Wrong i_size %d!\n", inode->i_size);
> + return -EINVAL;
> + }
> +
>
> if (type == SQUASHFS_LSYMLINK_TYPE) {
> __le32 xattr;
> --
> 2.43.0
>
--
Jan Kara <jack@xxxxxxxx>
SUSE Labs, CR
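Review bot: the added line `ERROR("Wrong i_size %d!\n", inode->i_size);` passes `inode->i_size`, which is a `loff_t` (64-bit), to a `%d` conversion; that is a format/argument mismatch that the compiler's printf-format checking will warn about and that prints a truncated value, so use `%lld` with a `(long long)` cast instead. Relatedly, the guard `if ((int)inode->i_size < 0)` only rejects sizes whose low 32 bits have the sign bit set, so an i_size such as 2^32 still gets through and reaches squashfs_symlink_read_folio with an unsupported length; the `inode->i_size > PAGE_SIZE` bound suggested in the reply rejects those as well, since, as the reply notes, larger symlinks are not supported by the squashfs code anyway, and it also removes the need for the cast. One more nit: the hunk's trailing `+` line adds an empty line directly before an existing blank context line, so the result has two consecutive blank lines; dropping that extra line keeps the spacing consistent.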