linux-yocto/fs
Phillip Lougher 81a2bca52d Squashfs: fix uninit-value in squashfs_get_parent
commit 74058c0a9fc8b2b4d5f4a0ef7ee2cfa66a9e49cf upstream.

Syzkaller reports a "KMSAN: uninit-value in squashfs_get_parent" bug.

This is caused by open_by_handle_at() being called with a file handle
containing an invalid parent inode number.  In particular the inode number
is that of a symbolic link, rather than a directory.

Squashfs_get_parent() gets called with that symbolic link inode, and
accesses the parent member field.

	unsigned int parent_ino = squashfs_i(inode)->parent;

Because non-directory inodes in Squashfs do not have a parent value, this
is uninitialised, and this causes an uninitialised value access.

The fix is to initialise parent with the invalid inode 0, which will cause
an EINVAL error to be returned.

Regular inodes used to share the parent field with the block_list_start
field.  This is removed in this commit to enable the parent field to
contain the invalid inode number 0.

Link: https://lkml.kernel.org/r/20250918233308.293861-1-phillip@squashfs.org.uk
Fixes: 122601408d ("Squashfs: export operations")
Signed-off-by: Phillip Lougher <phillip@squashfs.org.uk>
Reported-by: syzbot+157bdef5cf596ad0da2c@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/all/68cc2431.050a0220.139b6.0001.GAE@google.com/
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2025-10-15 11:56:39 +02:00
9p fs/9p: fix uninitialized values during inode evict 2024-11-22 15:37:34 +01:00
adfs
affs affs: don't write overlarge OFS data block size fields 2025-04-10 14:33:38 +02:00
afs afs: Fix potential null pointer dereference in afs_put_server 2025-10-02 13:40:41 +02:00
autofs autofs: fix memory leak of waitqueues in autofs_catatonic_mode 2023-09-23 11:10:59 +02:00
befs
bfs
btrfs btrfs: ref-verify: handle damaged extent root tree 2025-10-15 11:56:23 +02:00
cachefiles cachefiles: Fix the incorrect return value in __cachefiles_write() 2025-07-24 08:51:51 +02:00
ceph ceph: fix possible integer overflow in ceph_zero_objects() 2025-07-06 10:57:56 +02:00
coda
configfs configfs: Do not override creating attribute file failure in populate_attrs() 2025-06-27 11:07:25 +01:00
cramfs
crypto fscrypt: Don't use problematic non-inline crypto engines 2025-08-28 16:26:10 +02:00
debugfs debugfs: fix automount d_fsdata usage 2024-01-20 11:50:04 +01:00
devpts
dlm dlm: make tcp still work in multi-link env 2025-06-04 14:40:05 +02:00
ecryptfs fs: Create a generic is_dot_dotdot() utility 2024-10-17 15:21:17 +02:00
efivarfs efivarfs: Fix slab-out-of-bounds in efivarfs_d_compare 2025-09-04 15:26:29 +02:00
efs
erofs erofs: address D-cache aliasing 2025-08-15 12:04:51 +02:00
exfat exfat: fix the infinite loop in exfat_find_last_cluster() 2025-04-10 14:33:37 +02:00
exportfs exportfs: use pr_debug for unreachable debug statements 2024-03-06 14:45:15 +00:00
ext2 minmax: add in_range() macro 2025-10-02 13:40:41 +02:00
ext4 minmax: add in_range() macro 2025-10-02 13:40:41 +02:00
f2fs f2fs: fix zero-sized extent for precache extents 2025-10-15 11:56:34 +02:00
fat fat: fix uninitialized variable 2024-10-22 15:56:43 +02:00
freevxfs
fscache netfs/fscache: Add a memory barrier for FSCACHE_VOLUME_CREATING 2024-12-14 19:53:15 +01:00
fuse fuse: prevent overflow in copy_file_range return value 2025-09-19 16:29:57 +02:00
gfs2 gfs2: move msleep to sleepable context 2025-06-27 11:07:25 +01:00
hfs hfs: fix not erasing deleted b-tree node issue 2025-08-28 16:25:51 +02:00
hfsplus hfsplus: don't use BUG_ON() in hfsplus_create_attributes_file() 2025-08-28 16:25:51 +02:00
hostfs
hpfs
hugetlbfs mm/hugetlb: fix folio is still mapped when deleted 2025-10-02 13:40:41 +02:00
iomap iomap: avoid avoid truncating 64-bit offset to 32 bits 2025-01-23 17:17:12 +01:00
isofs isofs: Verify inode mode when loading from disk 2025-07-24 08:51:49 +02:00
jbd2 jbd2: prevent softlockup in jbd2_log_do_checkpoint() 2025-08-28 16:26:07 +02:00
jffs2 jffs2: check jffs2_prealloc_raw_node_refs() result in few other places 2025-06-27 11:07:36 +01:00
jfs jfs: upper bound check of tree index in dbAllocAG 2025-08-28 16:26:00 +02:00
kernfs kernfs: Fix UAF in polling when open file is released 2025-09-19 16:29:57 +02:00
lockd nfsd: stop setting ->pg_stats for unused stats 2024-08-19 06:00:04 +02:00
minix
netfs netfs: Only call folio_start_fscache() one time for each folio 2023-10-06 14:56:32 +02:00
nfs NFSv4.1: fix backchannel max_resp_sz verification check 2025-10-15 11:56:36 +02:00
nfs_common
nfsd NFSD: detect mismatch of file handle and delegation stateid in OPEN op 2025-08-28 16:25:48 +02:00
nilfs2 nilfs2: fix CFI failure when accessing /sys/fs/nilfs2/features/* 2025-09-25 10:58:52 +02:00
nls fs/nls: make load_nls() take a const parameter 2023-09-13 09:42:22 +02:00
notify fs: relax assertions on failure to encode file handles 2025-09-09 18:54:21 +02:00
ntfs
ntfs3 fs: ntfs3: Fix integer overflow in run_unpack() 2025-10-15 11:56:33 +02:00
ocfs2 ocfs2: fix double free in user_cluster_connect() 2025-10-15 11:56:38 +02:00
omfs fs: omfs: Use flexible-array member in struct omfs_extent 2025-07-06 10:58:03 +02:00
openpromfs openpromfs: finish conversion to the new mount API 2024-06-12 11:03:03 +02:00
orangefs fs/orangefs: use snprintf() instead of sprintf() 2025-08-28 16:25:59 +02:00
overlayfs fs: relax assertions on failure to encode file handles 2025-09-09 18:54:21 +02:00
proc proc: fix type confusion in pde_set_flags() 2025-09-19 16:29:56 +02:00
pstore pstore/blk: trivial typo fixes 2025-02-21 13:48:53 +01:00
qnx4
qnx6
quota quota: flush quota_release_work upon quota writeback 2024-12-14 19:54:10 +01:00
ramfs shmem: use ramfs_kill_sb() for kill_sb method of ramfs-based tmpfs 2023-07-19 16:22:11 +02:00
reiserfs reiserfs: fix uninit-value in comp_keys 2024-08-29 17:30:20 +02:00
romfs
smb smb: server: fix IRD/ORD negotiation with the client 2025-10-15 11:56:25 +02:00
squashfs Squashfs: fix uninit-value in squashfs_get_parent 2025-10-15 11:56:39 +02:00
sysfs fs: sysfs: Fix reference leak in sysfs_break_active_protection() 2024-04-27 17:07:16 +02:00
sysv sysv: don't call sb_bread() with pointers_lock held 2024-04-13 13:05:05 +02:00
tracefs tracefs: Add missing lockdown check to tracefs_create_dir() 2023-09-23 11:11:12 +02:00
ubifs ubifs: skip dumping tnc tree when zroot is null 2025-02-21 13:49:21 +01:00
udf udf: Verify partition map count 2025-08-28 16:25:51 +02:00
ufs minmax: add in_range() macro 2025-10-02 13:40:41 +02:00
unicode Revert "unicode: Don't special case ignorable code points" 2024-12-14 19:54:50 +01:00
vboxsf vboxsf: fix building with GCC 15 2025-03-28 21:58:51 +01:00
verity fsverity: skip PKCS#7 parser when keyring is empty 2023-09-13 09:43:03 +02:00
xfs xfs: do not propagate ENODATA disk errors into xattr code 2025-09-04 15:26:31 +02:00
zonefs zonefs: Improve error handling 2024-02-23 09:12:45 +01:00
aio.c fs/aio: Check IOCB_AIO_RW before the struct aio_kiocb conversion 2024-04-03 15:19:42 +02:00
anon_inodes.c fs: export anon_inode_make_secure_inode() and fix secretmem LSM bypass 2025-07-17 18:32:10 +02:00
attr.c attr: block mode changes of symlinks 2023-09-23 11:11:10 +02:00
bad_inode.c
binfmt_elf_fdpic.c binfmt: Fix whitespace issues 2025-05-22 14:09:58 +02:00
binfmt_elf_test.c
binfmt_elf.c binfmt_elf: Move brk for static PIE even if ASLR disabled 2025-05-22 14:09:59 +02:00
binfmt_flat.c binfmt_flat: Fix integer overflow bug on 32 bit systems 2025-02-21 13:49:39 +01:00
binfmt_misc.c binfmt_misc: cleanup on filesystem umount 2024-08-29 17:30:30 +02:00
binfmt_script.c
buffer.c fs/buffer: fix use-after-free when call bh_read() helper 2025-08-28 16:26:14 +02:00
char_dev.c
compat_binfmt_elf.c
coredump.c coredump: hand a pidfd to the usermode coredump helper 2025-06-04 14:40:25 +02:00
d_path.c
dax.c fsdax: dax_unshare_iter needs to copy entire blocks 2024-11-08 16:26:42 +01:00
dcache.c fs: better handle deep ancestor chains in is_subdir() 2024-07-25 09:49:18 +02:00
direct-io.c
drop_caches.c
eventfd.c eventfd: prevent underflow for eventfd semaphores 2023-09-13 09:42:27 +02:00
eventpoll.c eventpoll: Fix semi-unbounded recursion 2025-08-28 16:25:49 +02:00
exec.c binfmt: Fix whitespace issues 2025-05-22 14:09:58 +02:00
fcntl.c fs: Fix file_set_fowner LSM hook inconsistencies 2024-10-17 15:21:23 +02:00
fhandle.c do_sys_name_to_handle(): use kzalloc() to fix kernel-infoleak 2024-03-26 18:20:27 -04:00
file_table.c fs: fix proc_handler for sysctl_nr_open 2025-02-21 13:48:53 +01:00
file.c alloc_fdtable(): change calling conventions. 2025-08-28 16:26:19 +02:00
filesystems.c fs/filesystems: Fix potential unsigned integer underflow in fs_name() 2025-06-27 11:07:23 +01:00
fs_context.c vfs, security: Fix automount superblock LSM init problem, preventing NFS sb sharing 2023-09-13 09:42:28 +02:00
fs_parser.c
fs_pin.c
fs_struct.c
fs_types.c
fs-writeback.c fs: writeback: fix use-after-free in __mark_inode_dirty() 2025-09-09 18:54:12 +02:00
fsopen.c
init.c
inode.c fs/inode: Prevent dump_mapping() accessing invalid dentry.d_name.name 2024-12-14 19:53:13 +01:00
internal.h nfs: use vfs setgid helper 2023-08-30 16:11:10 +02:00
ioctl.c lsm: new security_file_ioctl_compat() hook 2024-01-31 16:17:00 -08:00
Kconfig nfs: add missing selections of CONFIG_CRC32 2025-04-25 10:43:52 +02:00
Kconfig.binfmt
kernel_read_file.c
libfs.c better lockdep annotations for simple_recursive_removal() 2025-08-28 16:25:51 +02:00
locks.c filelock: Fix fcntl/close race recovery compat path 2024-07-27 11:32:19 +02:00
Makefile smb: move client and server files to common directory fs/smb 2023-06-28 11:12:40 +02:00
mbcache.c
mount.h
mpage.c
namei.c fuse: don't truncate cached, mutated symlink 2025-03-28 21:58:53 +01:00
namespace.c use uniform permission checks for all mount propagation changes 2025-08-28 16:26:14 +02:00
no-block.c
nsfs.c
open.c openat2: explicitly return -E2BIG for (usize > PAGE_SIZE) 2024-11-01 01:56:06 +01:00
pipe.c fs/pipe: Fix lockdep false-positive in watchqueue pipe_write() 2024-04-10 16:28:30 +02:00
pnode.c
pnode.h
posix_acl.c
proc_namespace.c
read_write.c
readdir.c
remap_range.c
select.c hrtimer: Use and report correct timerslack values for realtime tasks 2025-03-28 21:58:48 +01:00
seq_file.c
signalfd.c
splice.c mm: merge folio_has_private()/filemap_release_folio() call pairs 2024-01-10 17:10:31 +01:00
stack.c
stat.c
statfs.c statfs: enforce statfs[64] structure initialization 2023-05-24 17:32:51 +01:00
super.c fs: don't allow non-init s_user_ns for filesystems without FS_USERNS_MOUNT 2024-08-03 08:49:53 +02:00
sync.c
sysctls.c
timerfd.c
userfaultfd.c mm/uffd: fix vma operation where start addr cuts part of vma 2025-06-27 11:07:04 +01:00
utimes.c
xattr.c