This is a port of Linux commit d512584780d3e6a7cacb2f482834849453d444a1: | Author: Linus Torvalds <torvalds@xxxxxxxxxxxxxxxxxxxx> | AuthorDate: Mon Jul 30 14:27:15 2018 -0700 | | Anatoly reports another squashfs fuzzing issue, where the decompression | parameters themselves are in a compressed block. | | This causes squashfs_read_data() to be called in order to read the | decompression options before the decompression stream having been set | up, making squashfs go sideways. | | Reported-by: Anatoly Trosinenko <anatoly.trosinenko@xxxxxxxxx> | Acked-by: Phillip Lougher <phillip.lougher@xxxxxxxxx> | Cc: stable@xxxxxxxxxx | Signed-off-by: Linus Torvalds <torvalds@xxxxxxxxxxxxxxxxxxxx> Reported-by: Richard Weinberger <richard@xxxxxxxxxxxxx> Signed-off-by: Ahmad Fatoum <a.fatoum@xxxxxxxxxxxxxx> --- fs/squashfs/block.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/fs/squashfs/block.c b/fs/squashfs/block.c index 3e2b9a5ebda8..d65035cead54 100644 --- a/fs/squashfs/block.c +++ b/fs/squashfs/block.c @@ -164,6 +164,8 @@ int squashfs_read_data(struct super_block *sb, u64 index, int length, } if (compressed) { + if (!msblk->stream) + goto read_failure; length = squashfs_decompress(msblk, buf, b, offset, length, output); if (length < 0) -- 2.39.2
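Review bot: The new `if (!msblk->stream)` check inside the `if (compressed)` branch of squashfs_read_data() carries no comment, and nothing at that point in the function shows why the stream could be unset. Per the commit message, this is only reachable when the decompression options are themselves stored in a compressed block, so the read happens before the decompression stream has been set up. A one-line comment above the check stating that would keep a later cleanup from treating it as dead code. The check also jumps to the shared `read_failure` label, so a malformed image takes the same exit as any other failed read; it is worth confirming that whatever that label reports is still accurate for this case. Placing the guard directly before the squashfs_decompress() call, rather than in the caller, covers every compressed read that reaches this branch.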