fs/squashfs: fix heap buffer overflow in sqfs_frag_lookup()

sqfs_frag_lookup() reads a 16-bit metadata block header whose lower 15 bits encode the data size. Unlike sqfs_read_metablock() in sqfs_inode.c, this function does not validate that the decoded size is within SQFS_METADATA_BLOCK_SIZE (8192). A malformed SquashFS image can set the size field to any value up to 32767, causing memcpy to write past the 8192-byte 'entries' heap buffer. Add the same bounds check used by sqfs_read_metablock(): reject any metadata block header with SQFS_METADATA_SIZE(header) exceeding SQFS_METADATA_BLOCK_SIZE. Found by fuzzing with libFuzzer + AddressSanitizer. Signed-off-by: Eric Kilmer <[email protected]> Reviewed-by: Miquel Raynal <[email protected]>
author: Eric Kilmer <[email protected]> 2026-02-20 14:48:08 -0500
committer: Tom Rini <[email protected]> 2026-02-23 12:45:50 -0600
commit: e365a269df5d01307390bdf7d6a1081d94b06470 (patch)
tree: 0a035264f6c4e1a6fff5b9e5c8b2c86c5b7bae5c
parent: 30b8c03d8c8f500b3e4cc51f7b7abf573180ea51 (diff)
1 files changed, 5 insertions, 0 deletions
diff --git a/fs/squashfs/sqfs.c b/fs/squashfs/sqfs.c
index f668c26472e..9cb8b4afcdd 100644
--- a/fs/squashfs/sqfs.c
+++ b/fs/squashfs/sqfs.c
@@ -178,6 +178,11 @@ static int sqfs_frag_lookup(u32 inode_fragment_index,
 		goto out;
 	}
 
+	if (SQFS_METADATA_SIZE(header) > SQFS_METADATA_BLOCK_SIZE) {
+		ret = -EINVAL;
+		goto out;
+	}
+
 	entries = malloc(SQFS_METADATA_BLOCK_SIZE);
 	if (!entries) {
 		ret = -ENOMEM;
author	Eric Kilmer <[email protected]>	2026-02-20 14:48:08 -0500
committer	Tom Rini <[email protected]>	2026-02-23 12:45:50 -0600
commit	e365a269df5d01307390bdf7d6a1081d94b06470 (patch)
tree	0a035264f6c4e1a6fff5b9e5c8b2c86c5b7bae5c
parent	30b8c03d8c8f500b3e4cc51f7b7abf573180ea51 (diff)