Squashfs: check the inode number is not the invalid value of zero

PlaidCat · PlaidCat · commit 78193d690974 · 2024-09-12T13:26:00.000-04:00
jira LE-1907 cve CVE-2024-26982 Rebuild_History Non-Buildable kernel-5.14.0-427.28.1.el9_4 commit-author Phillip Lougher <phillip@squashfs.org.uk> commit 9253c54 Empty-Commit: Cherry-Pick Conflicts during history rebuild. Will be included in final tarball splat. Ref for failed cherry-pick at: ciq/ciq_backports/kernel-5.14.0-427.28.1.el9_4/9253c54e.failed Syskiller has produced an out of bounds access in fill_meta_index(). That out of bounds access is ultimately caused because the inode has an inode number with the invalid value of zero, which was not checked. The reason this causes the out of bounds access is due to following sequence of events: 1. Fill_meta_index() is called to allocate (via empty_meta_index()) and fill a metadata index. It however suffers a data read error and aborts, invalidating the newly returned empty metadata index. It does this by setting the inode number of the index to zero, which means unused (zero is not a valid inode number). 2. When fill_meta_index() is subsequently called again on another read operation, locate_meta_index() returns the previous index because it matches the inode number of 0. Because this index has been returned it is expected to have been filled, and because it hasn't been, an out of bounds access is performed. This patch adds a sanity check which checks that the inode number is not zero when the inode is created and returns -EINVAL if it is. [phillip@squashfs.org.uk: whitespace fix] Link: https://lkml.kernel.org/r/20240409204723.446925-1-phillip@squashfs.org.uk Link: https://lkml.kernel.org/r/20240408220206.435788-1-phillip@squashfs.org.uk Signed-off-by: Phillip Lougher <phillip@squashfs.org.uk> Reported-by: "Ubisectech Sirius" <bugreport@ubisectech.com> Closes: https://lore.kernel.org/lkml/87f5c007-b8a5-41ae-8b57-431e924c5915.bugreport@ubisectech.com/ Cc: Christian Brauner <brauner@kernel.org> Cc: <stable@vger.kernel.org> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> (cherry picked from commit 9253c54) Signed-off-by: Jonathan Maple <jmaple@ciq.com> # Conflicts: # fs/squashfs/inode.c
diff --git a/ciq/ciq_backports/kernel-5.14.0-427.28.1.el9_4/9253c54e.failed b/ciq/ciq_backports/kernel-5.14.0-427.28.1.el9_4/9253c54e.failed
@@ -0,0 +1,70 @@
+Squashfs: check the inode number is not the invalid value of zero
+
+jira LE-1907
+cve CVE-2024-26982
+Rebuild_History Non-Buildable kernel-5.14.0-427.28.1.el9_4
+commit-author Phillip Lougher <phillip@squashfs.org.uk>
+commit 9253c54e01b6505d348afbc02abaa4d9f8a01395
+Empty-Commit: Cherry-Pick Conflicts during history rebuild.
+Will be included in final tarball splat. Ref for failed cherry-pick at:
+ciq/ciq_backports/kernel-5.14.0-427.28.1.el9_4/9253c54e.failed
+
+Syskiller has produced an out of bounds access in fill_meta_index().
+
+That out of bounds access is ultimately caused because the inode
+has an inode number with the invalid value of zero, which was not checked.
+
+The reason this causes the out of bounds access is due to following
+sequence of events:
+
+1. Fill_meta_index() is called to allocate (via empty_meta_index())
+   and fill a metadata index.  It however suffers a data read error
+   and aborts, invalidating the newly returned empty metadata index.
+   It does this by setting the inode number of the index to zero,
+   which means unused (zero is not a valid inode number).
+
+2. When fill_meta_index() is subsequently called again on another
+   read operation, locate_meta_index() returns the previous index
+   because it matches the inode number of 0.  Because this index
+   has been returned it is expected to have been filled, and because
+   it hasn't been, an out of bounds access is performed.
+
+This patch adds a sanity check which checks that the inode number
+is not zero when the inode is created and returns -EINVAL if it is.
+
+[phillip@squashfs.org.uk: whitespace fix]
+  Link: https://lkml.kernel.org/r/20240409204723.446925-1-phillip@squashfs.org.uk
+Link: https://lkml.kernel.org/r/20240408220206.435788-1-phillip@squashfs.org.uk
+	Signed-off-by: Phillip Lougher <phillip@squashfs.org.uk>
+	Reported-by: "Ubisectech Sirius" <bugreport@ubisectech.com>
+Closes: https://lore.kernel.org/lkml/87f5c007-b8a5-41ae-8b57-431e924c5915.bugreport@ubisectech.com/
+	Cc: Christian Brauner <brauner@kernel.org>
+	Cc: <stable@vger.kernel.org>
+	Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+(cherry picked from commit 9253c54e01b6505d348afbc02abaa4d9f8a01395)
+	Signed-off-by: Jonathan Maple <jmaple@ciq.com>
+
+# Conflicts:
+#	fs/squashfs/inode.c
+diff --cc fs/squashfs/inode.c
+index 24463145b351,16bd693d0b3a..000000000000
+--- a/fs/squashfs/inode.c
++++ b/fs/squashfs/inode.c
+@@@ -58,10 -62,9 +62,16 @@@ static int squashfs_new_inode(struct su
+  
+  	i_uid_write(inode, i_uid);
+  	i_gid_write(inode, i_gid);
+++<<<<<<< HEAD
+ +	inode->i_ino = le32_to_cpu(sqsh_ino->inode_number);
+ +	inode->i_mtime.tv_sec = le32_to_cpu(sqsh_ino->mtime);
+ +	inode->i_atime.tv_sec = inode->i_mtime.tv_sec;
+ +	inode->i_ctime.tv_sec = inode->i_mtime.tv_sec;
+++=======
++ 	inode_set_mtime(inode, le32_to_cpu(sqsh_ino->mtime), 0);
++ 	inode_set_atime(inode, inode_get_mtime_sec(inode), 0);
++ 	inode_set_ctime(inode, inode_get_mtime_sec(inode), 0);
+++>>>>>>> 9253c54e01b6 (Squashfs: check the inode number is not the invalid value of zero)
+  	inode->i_mode = le16_to_cpu(sqsh_ino->mode);
+  	inode->i_size = 0;
+  
+* Unmerged path fs/squashfs/inode.c
