summaryrefslogtreecommitdiff
path: root/fs/squashfs/squashfs_fs_sb.h
diff options
context:
space:
mode:
authorLinus Torvalds <torvalds@linux-foundation.org>2018-08-02 18:43:35 +0300
committerLinus Torvalds <torvalds@linux-foundation.org>2018-08-02 19:32:23 +0300
commit71755ee5350b63fb1f283de8561cdb61b47f4d1d (patch)
treecfca6c7e5f8f30014724b955c845a1a2e80d95e5 /fs/squashfs/squashfs_fs_sb.h
parent6b4703768268d09ac928c64474fd686adf4574f9 (diff)
downloadlinux-71755ee5350b63fb1f283de8561cdb61b47f4d1d.tar.xz
squashfs: more metadata hardening
The squashfs fragment reading code doesn't actually verify that the fragment is inside the fragment table. The end result _is_ verified to be inside the image when actually reading the fragment data, but before that is done, we may end up taking a page fault because the fragment table itself might not even exist. Another report from Anatoly and his endless squashfs image fuzzing. Reported-by: Анатолий Тросиненко <anatoly.trosinenko@gmail.com> Acked-by:: Phillip Lougher <phillip.lougher@gmail.com>, Cc: Willy Tarreau <w@1wt.eu> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Diffstat (limited to 'fs/squashfs/squashfs_fs_sb.h')
-rw-r--r--fs/squashfs/squashfs_fs_sb.h1
1 files changed, 1 insertions, 0 deletions
diff --git a/fs/squashfs/squashfs_fs_sb.h b/fs/squashfs/squashfs_fs_sb.h
index 1da565cb50c3..ef69c31947bf 100644
--- a/fs/squashfs/squashfs_fs_sb.h
+++ b/fs/squashfs/squashfs_fs_sb.h
@@ -75,6 +75,7 @@ struct squashfs_sb_info {
unsigned short block_log;
long long bytes_used;
unsigned int inodes;
+ unsigned int fragments;
int xattr_ids;
};
#endif