To: u-boot@lists.denx.de
Cc: Joao Marcos Costa
From: Campbell Suter
Subject: [PATCH] Fix a squashfs crash when reading large directories
Date: Mon, 23 Nov 2020 10:02:26 +1300

SquashFS encodes directories with more than 256 entries, with xattrs or
a few other things with a different type of inode than most directories.
This type of directory entry has an indexing feature to increase the
performance of filename lookups.

When U-Boot's squashfs driver calculates the length of such an inode, it
incorrectly adds one to the number of indexes which causes the length to
be miscalculated, causing a synchronous abort when reading the next inode.

This occurs for directories that satisfy all the following conditions:

* They have at least 257 entries, the size of their inodes add to >8K, or
  they have extended attributes.
* They are not the root directory (as there is no subsequent inode to
  read), and are not the last child of the root directory.
* The length of the names of all the child files sum to a sufficient
  value (I think this is the point where the child entries span multiple
  metadata blocks, but I haven't confirmed it)

The following script generates a squashfs that was crashing when listed:

    mkdir -p files/{a,b,c}
    pad=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
    for i in {1..257}; do
        touch files/b/file-$(printf '%03d' $i)-$pad
    done
    mksquashfs files result.squashfs

Signed-off-by: Campbell Suter
---
 fs/squashfs/sqfs_inode.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/fs/squashfs/sqfs_inode.c b/fs/squashfs/sqfs_inode.c index 14d70cf678..e76ec7cbdf 100644 --- a/fs/squashfs/sqfs_inode.c +++ b/fs/squashfs/sqfs_inode.c @@ -49,7 +49,7 @@ int sqfs_inode_size(struct squashfs_base_inode *inode, u32 blk_size) return sizeof(*ldir); di = ldir->index; - while (l < i_count + 1) { + while (l < i_count) { sz = get_unaligned_le32(&di->size) + 1; index_list_size += sz; di = (void *)di + sizeof(*di) + sz; @@ -57,7 +57,7 @@ int sqfs_inode_size(struct squashfs_base_inode *inode, u32 blk_size) } return sizeof(*ldir) + index_list_size + - (i_count + 1) * SQFS_DIR_INDEX_BASE_LENGTH; + i_count * SQFS_DIR_INDEX_BASE_LENGTH; } case SQFS_LREG_TYPE: {
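
Review bot: the index walk in the -49,7 hunk still has no upper bound on where `di` ends up. `sz` is taken directly from `get_unaligned_le32(&di->size) + 1` and `di` advances by `sizeof(*di) + sz` on every pass, so an image with a corrupt or oversized `size` or `i_count` moves `di` outside the inode data even with the corrected `while (l < i_count)`. Suggest tracking the running offset and returning an error once an entry would not fit in the bytes actually held, for example a limit derived from the `blk_size` argument or a buffer length passed in by the caller.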
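
Review bot: in the -57,7 hunk the returned length counts each index header as `SQFS_DIR_INDEX_BASE_LENGTH`, while the loop above steps `di` by `sizeof(*di)`; the result is only correct if the two are equal, and nothing in the visible lines ties them together. Suggest using one of them in both places, or accumulating `sizeof(*di) + sz` into `index_list_size` inside the loop so the returned length and the pointer walk cannot drift apart. A short comment that `i_count` is used as stored while `size` needs the `+ 1` would also document why only `sz` is adjusted.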
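
The length calculation described in the commit message, written as a bounds-checked walk. This is an added example, not U-Boot's code or part of the patch: the function names are hypothetical, the header length, index entry length and `i_count` offset are assumptions taken from the SquashFS on-disk layout, and the sample inode is constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define LDIR_HDR_LEN  40u /* assumed fixed part of an extended dir inode */
#define DIR_INDEX_LEN 12u /* assumed: index, start, size (le32 each) */
#define I_COUNT_OFF   32u /* assumed offset of the le16 index count */

static uint32_t rd_le32(const uint8_t *p)
{
    return p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Length of the inode at buf, or -1 if its index list leaves the avail bytes. */
long ldir_inode_size(const uint8_t *buf, size_t avail)
{
    size_t off = LDIR_HDR_LEN;
    unsigned int i_count, l;

    if (avail < LDIR_HDR_LEN)
        return -1;
    i_count = buf[I_COUNT_OFF] | buf[I_COUNT_OFF + 1] << 8;
    for (l = 0; l < i_count; l++) {        /* exactly i_count entries */
        uint32_t name_len;                 /* stored as length - 1 */
        if (avail - off < DIR_INDEX_LEN)
            return -1;                     /* entry header does not fit */
        name_len = rd_le32(buf + off + 8);
        if (name_len >= avail - off - DIR_INDEX_LEN)
            return -1;                     /* name would run past the data */
        off += DIR_INDEX_LEN + name_len + 1;
    }
    return (long)off;
}

/* Constructed sample: n_idx entries with 4-byte names, header claims `claimed`. */
long sample_size(unsigned int n_idx, unsigned int claimed, size_t avail)
{
    uint8_t buf[256] = {0};

    buf[I_COUNT_OFF] = (uint8_t)claimed;
    for (unsigned int l = 0; l < n_idx && l < 8; l++)
        buf[LDIR_HDR_LEN + l * 16 + 8] = 3; /* size field = name length - 1 */
    return ldir_inode_size(buf, avail > sizeof(buf) ? sizeof(buf) : avail);
}

int main(void)
{
    printf("%ld %ld\n", sample_size(2, 2, 72), sample_size(2, 3, 72));
}
```

The second call models the off-by-one: walking one entry more than the inode holds is rejected instead of reading into whatever follows.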