On Fri, Aug 02, 2024 at 07:16:40PM +0800, Lizhi Xu wrote:
> syzbot reports KMSAN: uninit-value in pick_link, the root cause is that
> squashfs_symlink_read_folio did not check the length, resulting in folio
> not being initialized and did not return the corresponding error code.
>
> The length is calculated from i_size, so it is necessary to add a check
> when i_size is initialized to confirm that its value is correct, otherwise
> an error -EINVAL will be returned. Strictly, the check only applies to the
> symlink type. Add larger symlink check.
>
> Reported-and-tested-by: syzbot+24ac24ff58dc5b0d26b9@xxxxxxxxxxxxxxxxxxxxxxxxx
> Closes: https://syzkaller.appspot.com/bug?extid=24ac24ff58dc5b0d26b9
> Signed-off-by: Lizhi Xu <lizhi.xu@xxxxxxxxxxxxx>
> ---
> fs/squashfs/inode.c | 5 +++++
> 1 file changed, 5 insertions(+)
>
> diff --git a/fs/squashfs/inode.c b/fs/squashfs/inode.c
> index 16bd693d0b3a..6c5dd225482f 100644
> --- a/fs/squashfs/inode.c
> +++ b/fs/squashfs/inode.c
> @@ -287,6 +287,11 @@ int squashfs_read_inode(struct inode *inode, long long ino)
> inode->i_mode |= S_IFLNK;
> squashfs_i(inode)->start = block;
> squashfs_i(inode)->offset = offset;
> + if ((int)inode->i_size < 0 || inode->i_size > PAGE_SIZE) {
> + ERROR("Wrong i_size %d!\n", inode->i_size);
> + return -EINVAL;
> + }

ITYM something like

	if (le32_to_cpu(sqsh_ino->symlink_size) > PAGE_SIZE) {
		ERROR("Corrupted symlink\n");
		return -EINVAL;
	}
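Review bot: the added check in the symlink branch tests the wrong value and prints it with the wrong format: `inode->i_size` is a loff_t, so `ERROR("Wrong i_size %d!\n", inode->i_size)` passes a 64-bit value to `%d`, and the `(int)inode->i_size < 0` cast only detects a 32-bit overflow after the on-disk length has already been copied into i_size. Validate the on-disk field before it reaches i_size, i.e. compare `le32_to_cpu(sqsh_ino->symlink_size)` against PAGE_SIZE and reject the inode with -EINVAL, which also makes the negative-value test unnecessary since the decoded field is unsigned.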