[{"id":3683162,"web_url":"http://patchwork.ozlabs.org/comment/3683162/","msgid":"<0e0d12e7-f318-4500-b242-cca9cf1cf709@bootlin.com>","list_archive_url":null,"date":"2026-04-28T07:01:25","subject":"Re: [PATCH] adding check to prevent overflow in sqfs_find_inode","submitter":{"id":88519,"url":"http://patchwork.ozlabs.org/api/people/88519/","name":"Richard GENOUD","email":"richard.genoud@bootlin.com"},"content":"Hi Jared,\n\nOn 28/04/2026 at 02:31, Jared Stroud wrote:\n> While fuzzing attributes of the squashfs_reg_inode structure, if the file_size attribute is a large value,\n> &base->inode_number within the sqfs_find_inode function will jump to an arbitrary location\n> in memory resulting in an invalid memory access and crash.\n> This bug is similar to CVE-2024-57254 in that memory operations are occurring based on inode values.\n> I applied a similar fix via the commit c8e929e5758999933f9e905049ef2bf3fe6b140d.\n\nThe commit message should be wrapped at 75 characters (the rule \ncan be bent for log messages like the one below, but for the \ndescription, it's the preferred way).\nYou can use scripts/checkpatch.pl to help you with that.\n\n> \n> Prior to the fix, the bug was triggered via the following commands from\n> the U-Boot shell:\n> \n> ```\n> => host bind 0 random3.sqfs\n> => ls host 0 /\n> AddressSanitizer:DEADLYSIGNAL\n> =================================================================\n> ==122741==ERROR: AddressSanitizer: SEGV on unknown address 0x0000670e4716 (pc 0x55a504b86ea6 bp 0x000019af1280 sp 0x7fff04b3b740 T0)\n> ==122741==The signal is caused by a READ memory access.\n>      #0 0x55a504b86ea6 in sqfs_find_inode fs/squashfs/sqfs_inode.c:131\n>      #1 0x55a504b7f17e in sqfs_search_dir fs/squashfs/sqfs.c:489\n>      #2 0x55a504b80ffb in sqfs_opendir_nest fs/squashfs/sqfs.c:977\n>      #3 0x55a504b426e9 in fs_opendir fs/fs.c:669\n>      #4 0x55a504b42a6d in fs_ls_generic fs/fs.c:66\n>      #5 0x55a504b42dc8 in fs_ls fs/fs.c:537\n>      #6 
0x55a504b42dc8 in do_ls fs/fs.c:881\n>      #7 0x55a504b42dc8 in do_ls.isra.0 fs/fs.c:870\n>      #8 0x55a504a0eb40 in cmd_call common/command.c:582\n>      #9 0x55a504a0eb40 in cmd_process common/command.c:637\n>      #10 0x55a5049f00c4 in run_pipe_real common/cli_hush.c:1672\n>      #11 0x55a5049f00c4 in run_list_real common/cli_hush.c:1868\n>      #12 0x55a5049f0800 in run_list common/cli_hush.c:2017\n>      #13 0x55a5049f0800 in parse_stream_outer common/cli_hush.c:3207\n>      #14 0x55a50492efcc in parse_file_outer common/cli_hush.c:3299\n>      #15 0x55a50492efcc in cli_loop common/cli.c:306\n>      #16 0x55a50492efcc in main_loop common/main.c:86\n>      #17 0x55a50492efcc in run_main_loop common/board_r.c:584\n>      #18 0x55a50492efcc in initcall_run_r common/board_r.c:776\n>      #19 0x55a50492efcc in board_init_r common/board_r.c:806\n>      #20 0x55a50492efcc in sandbox_main arch/sandbox/cpu/start.c:584\n>      #21 0x7f60aa6276c0  (/usr/lib/libc.so.6+0x276c0) (BuildId: ca0db5ab57a36507d61bbcf4988d344974331f19)\n>      #22 0x7f60aa6277f8 in __libc_start_main (/usr/lib/libc.so.6+0x277f8) (BuildId: ca0db5ab57a36507d61bbcf4988d344974331f19)\n>      #23 0x55a50491e414 in _start (/usr/src/u-boot/u-boot+0x285414) (BuildId: 964ae5120238bc46d7af63402fa25331ca86b3b4)\n> \n> ==122741==Register values:\n> rax = 0x00000000670e470a  rbx = 0x000055a504ef7100  rcx = 0x0000000000020000  rdx = 0x0000000000000000\n> rdi = 0x0000000000006fd5  rsi = 0x0000000000007abd  rbp = 0x0000000019af1280  rsp = 0x00007fff04b3b740\n>   r8 = 0x000000004d5f348a   r9 = 0x00000000670e4716  r10 = 0x0000000000000501  r11 = 0x0000000000000001\n> r12 = 0x0000000000000002  r13 = 0x0000000000000001  r14 = 0x00000000199caa00  r15 = 0x0000000000000001\n> AddressSanitizer can not provide additional info.\n> SUMMARY: AddressSanitizer: SEGV fs/squashfs/sqfs_inode.c:131 in sqfs_find_inode\n> ```\n> \n> \n> Post-patch, the following behavior is observed:\n> => host bind 0 random3.sqfs\n> => ls host 0 
/\n> Error while searching inode: unknown type.\n> \n> \n> Signed-off-by: Jared Stroud <dllcoolj@archcloudlabs.com>\n> ---\n>   fs/squashfs/sqfs_inode.c | 3 +++\n>   1 file changed, 3 insertions(+)\n> \n> diff --git a/fs/squashfs/sqfs_inode.c b/fs/squashfs/sqfs_inode.c\n> index ce9a8ff8e2a..d2efc07c78e 100644\n> --- a/fs/squashfs/sqfs_inode.c\n> +++ b/fs/squashfs/sqfs_inode.c\n> 
@@ -135,6 +135,9 @@ void *sqfs_find_inode(void *inode_table, int inode_number, __le32 inode_count,\n>   \t\tif (sz < 0)\n>   \t\t\treturn NULL;\n>   \n> +\t\tif (__builtin_add_overflow(offset, sz, &offset))\n> +\t\t\treturn NULL;\n> +\nI'm a little confused by the fix.\nIf there's no overflow, we will have offset += sz above (in the \n__builtin_add_overflow)\n>   \t\toffset += sz;\n...and again here ^^\nSo, sz will be added 2 times instead of one.\n\n>   \t}\n>   \n\nRegards,\nRichard","headers":{"Return-Path":"<u-boot-bounces@lists.denx.de>","X-Original-To":"incoming@patchwork.ozlabs.org","Delivered-To":"patchwork-incoming@legolas.ozlabs.org","Authentication-Results":["legolas.ozlabs.org;\n\tdkim=pass (2048-bit key;\n unprotected) header.d=bootlin.com header.i=@bootlin.com header.a=rsa-sha256\n header.s=dkim header.b=WYkoua/x;\n\tdkim-atps=neutral","legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=lists.denx.de\n (client-ip=2a01:238:438b:c500:173d:9f52:ddab:ee01; helo=phobos.denx.de;\n envelope-from=u-boot-bounces@lists.denx.de; receiver=patchwork.ozlabs.org)","phobos.denx.de;\n dmarc=pass (p=reject dis=none) header.from=bootlin.com","phobos.denx.de;\n spf=pass smtp.mailfrom=u-boot-bounces@lists.denx.de","phobos.denx.de;\n\tdkim=pass (2048-bit key;\n unprotected) header.d=bootlin.com header.i=@bootlin.com header.b=\"WYkoua/x\";\n\tdkim-atps=neutral","phobos.denx.de;\n dmarc=pass (p=reject dis=none) header.from=bootlin.com","phobos.denx.de;\n spf=pass smtp.mailfrom=richard.genoud@bootlin.com"],"Received":["from phobos.denx.de (phobos.denx.de\n [IPv6:2a01:238:438b:c500:173d:9f52:ddab:ee01])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange x25519)\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4g4WZ90NYGz1yHv\n\tfor <incoming@patchwork.ozlabs.org>; Tue, 28 Apr 2026 17:01:37 +1000 (AEST)","from h2850616.stratoserver.net (localhost [IPv6:::1])\n\tby phobos.denx.de (Postfix) 
with ESMTP id 36C2183BC4;\n\tTue, 28 Apr 2026 09:01:34 +0200 (CEST)","by phobos.denx.de (Postfix, from userid 109)\n id 3D82184106; Tue, 28 Apr 2026 09:01:33 +0200 (CEST)","from smtpout-02.galae.net (smtpout-02.galae.net [185.246.84.56])\n (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits))\n (No client certificate requested)\n by phobos.denx.de (Postfix) with ESMTPS id D683F83A91\n for <u-boot@lists.denx.de>; Tue, 28 Apr 2026 09:01:28 +0200 (CEST)","from smtpout-01.galae.net (smtpout-01.galae.net [212.83.139.233])\n by smtpout-02.galae.net (Postfix) with ESMTPS id 64A741A3467;\n Tue, 28 Apr 2026 07:01:28 +0000 (UTC)","from mail.galae.net (mail.galae.net [212.83.136.155])\n by smtpout-01.galae.net (Postfix) with ESMTPS id 3065C601D0;\n Tue, 28 Apr 2026 07:01:28 +0000 (UTC)","from [127.0.0.1] (localhost [127.0.0.1]) by localhost (Mailerdaemon)\n with ESMTPSA id CF20710728063;\n Tue, 28 Apr 2026 09:01:25 +0200 (CEST)"],"X-Spam-Checker-Version":"SpamAssassin 3.4.2 (2018-09-13) on phobos.denx.de","X-Spam-Level":"","X-Spam-Status":"No, score=-2.1 required=5.0 tests=BAYES_00,DKIM_SIGNED,\n DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_BLOCKED,\n SPF_HELO_PASS,SPF_PASS autolearn=ham autolearn_force=no version=3.4.2","DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/relaxed; d=bootlin.com; s=dkim;\n t=1777359687; h=from:subject:date:message-id:to:cc:mime-version:content-type:\n content-transfer-encoding:content-language:in-reply-to:references;\n bh=+EuQ6EHWOiCnJcxawrEt8VLL47MTJHNMTXKxrd7+Gtk=;\n b=WYkoua/xBfyi9wiM13SC9JmhQhi/mQTPwMr57NWazOcrywnL9K/haxmShM+Wdt8hEVK8IJ\n O1cSb6Z67bE0llXCiEdF9s3+l7ePDaBUpyXW/L9tZl3gl0XlQiLQryvJByb/HA/nGDTUWS\n LMc0I/ahiSf+t7iagu23yFnQhmu4IlwJhM/MhlFm9Kj4MgCmX4x3cQkv8zAwitmbWqDypf\n Gbb59qOc+Z8www/JQp97b/9bgvfkHsz6QH0sHOmRTPQQ3oloX/xvUGSfhdThlplOd7H3Ch\n hEcBB9iszodOGOkhlL3xrpRO8OmEqRpAiN3jhjl42B2858LGxG2XE+HhUqS5WQ==","Message-ID":"<0e0d12e7-f318-4500-b242-cca9cf1cf709@bootlin.com>","Date":"Tue, 28 Apr 2026 09:01:25 
+0200","MIME-Version":"1.0","User-Agent":"Mozilla Thunderbird","Subject":"Re: [PATCH] adding check to prevent overflow in sqfs_find_inode","To":"Jared Stroud <dllcoolj@archcloudlabs.com>, u-boot@lists.denx.de","Cc":"joaomarcos.costa@bootlin.com, thomas.petazzoni@bootlin.com,\n miquel.raynal@bootlin.com, trini@konsulko.com","References":"<20260428003100.123201-1-dllcoolj@archcloudlabs.com>","From":"Richard GENOUD <richard.genoud@bootlin.com>","Content-Language":"en-US, fr","Organization":"Bootlin","In-Reply-To":"<20260428003100.123201-1-dllcoolj@archcloudlabs.com>","Content-Type":"text/plain; charset=UTF-8; format=flowed","Content-Transfer-Encoding":"8bit","X-Last-TLS-Session-Version":"TLSv1.3","X-BeenThere":"u-boot@lists.denx.de","X-Mailman-Version":"2.1.39","Precedence":"list","List-Id":"U-Boot discussion <u-boot.lists.denx.de>","List-Unsubscribe":"<https://lists.denx.de/options/u-boot>,\n <mailto:u-boot-request@lists.denx.de?subject=unsubscribe>","List-Archive":"<https://lists.denx.de/pipermail/u-boot/>","List-Post":"<mailto:u-boot@lists.denx.de>","List-Help":"<mailto:u-boot-request@lists.denx.de?subject=help>","List-Subscribe":"<https://lists.denx.de/listinfo/u-boot>,\n <mailto:u-boot-request@lists.denx.de?subject=subscribe>","Errors-To":"u-boot-bounces@lists.denx.de","Sender":"\"U-Boot\" <u-boot-bounces@lists.denx.de>","X-Virus-Scanned":"clamav-milter 0.103.8 at phobos.denx.de","X-Virus-Status":"Clean"}}]
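Review bot: in the hunk at @@ -135,6 +135,9 @@, the added check `__builtin_add_overflow(offset, sz, &offset)` writes the sum back into `offset` on the non-overflow path, so the unchanged `offset += sz;` that follows adds `sz` a second time and every inode lookup after the first iteration is shifted by `sz`; either compute into a temporary (`if (__builtin_add_overflow(offset, sz, &next)) return NULL; offset = next;`) or keep the builtin writing to `offset` and drop the `offset += sz;` line. Separately, an overflow check only rejects wraparound: the description says a large `file_size` sends `&base->inode_number` to an arbitrary location, and a large but non-wrapping `offset` still lands outside the inode table, so the patch (and its commit message) should also state which upper bound on `offset`, for example the table size implied by the `inode_count` parameter visible in the function signature, is meant to reject that case.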