[PATCH] fs/squashfs fix overflow in sqfs_find_inode()

Jared Stroud dllcoolj at archcloudlabs.com
Sun Apr 26 22:45:15 CEST 2026


Hello u-boot list,

I found a parsing bug in sqfs_find_inode().
While fuzzing the file_size attributes of the squashfs_reg_inode structure, if the file_size attribute has a sufficiently large value, &base->inode_number will jump to an arbitrary location in memory, resulting in an invalid memory access and crash.

I tested this with a modified SquashFS file system and the U-Boot sandbox with release 2026.01.

```
	for (k = 0; k < le32_to_cpu(inode_count); k++) {

		// 3) jump ahead in the inode_table from new offset
		base = inode_table + offset;

		// 4) attempt to access location in memory
		if (get_unaligned_le32(&base->inode_number) == inode_number)
			return inode_table + offset;

		// 1) large file size is read here
		sz = sqfs_inode_size(base, le32_to_cpu(block_size)); 

		if (sz < 0)
			return NULL;

		// 2) file size is added to offset
		offset += sz;
	}
```

The crash and resulting ASAN output can be seen below.
```
hit any key to stop autoboot: 0
=> host bind 0 random3.sqfs
=> ls host 0 /
AddressSanitizer:DEADLYSIGNAL
=================================================================
==75950==ERROR: AddressSanitizer: SEGV on unknown address 0x000067128936 (pc 0x0000006689a1 bp 0x000019b354a0 sp 0x7fff2b718600 T0)
==75950==The signal is caused by a READ memory access.
    #0 0x0000006689a1 in sqfs_find_inode fs/squashfs/sqfs_inode.c:131
    #1 0x000000660c79 in sqfs_search_dir fs/squashfs/sqfs.c:489
    #2 0x000000662af6 in sqfs_opendir_nest fs/squashfs/sqfs.c:977
    #3 0x0000006238e3 in fs_opendir fs/fs.c:669
    #4 0x000000623c67 in fs_ls_generic fs/fs.c:66
    #5 0x000000623fc2 in fs_ls fs/fs.c:537
    #6 0x000000623fc2 in do_ls fs/fs.c:881
    #7 0x000000623fc2 in do_ls.isra.0 fs/fs.c:870
    #8 0x0000004eae8e in cmd_call common/command.c:582
    #9 0x0000004eae8e in cmd_process common/command.c:637
    #10 0x0000004da9d6 in run_pipe_real common/cli_hush.c:1672
    #11 0x0000004da9d6 in run_list_real common/cli_hush.c:1868
    #12 0x0000004db112 in run_list common/cli_hush.c:2017
    #13 0x0000004db112 in parse_stream_outer common/cli_hush.c:3207
    #14 0x0000004117eb in parse_file_outer common/cli_hush.c:3299
    #15 0x0000004117eb in cli_loop common/cli.c:306
    #16 0x0000004117eb in main_loop common/main.c:86
    #17 0x0000004117eb in run_main_loop common/board_r.c:584
    #18 0x0000004117eb in initcall_run_r common/board_r.c:776
    #19 0x0000004117eb in board_init_r common/board_r.c:806
    #20 0x0000004117eb in sandbox_main arch/sandbox/cpu/start.c:584
    #21 0x7fb1a66105b4 in __libc_start_call_main (/lib64/libc.so.6+0x35b4) (BuildId: 5e8f131adc80bf454af46edf4a1527ae61e1b968)
    #22 0x7fb1a6610667 in __libc_start_main@@GLIBC_2.34 (/lib64/libc.so.6+0x3667) (BuildId: 5e8f131adc80bf454af46edf4a1527ae61e1b968)
    #23 0x000000401524 in _start (/usr/src/u-boot/u-boot+0x401524) (BuildId: 7121dd98eb40baab73fe6c0941c8200f29e1ad23)

==75950==Register values:
rax = 0x000000006712892a  rbx = 0x00000000009dbaa0  rcx = 0x0000000000020000  rdx = 0x0000000000000000
rdi = 0x0000000000006fd5  rsi = 0x0000000000007abd  rbp = 0x0000000019b354a0  rsp = 0x00007fff2b718600
 r8 = 0x000000004d5f348a   r9 = 0x0000000067128936  r10 = 0x0000000000000501  r11 = 0x0000000000000001
r12 = 0x0000000000000002  r13 = 0x0000000000000001  r14 = 0x0000000019a0e900  r15 = 0x0000000000000001
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV fs/squashfs/sqfs_inode.c:131 in sqfs_find_inode
==75950==ABORTING
```

This bug is similar to CVE-2024-57254 in that memory operations are occurring based on inode values.
I applied a similar fix via commit c8e929e5758999933f9e905049ef2bf3fe6b140d, re-tested U-Boot with the crashing file system, and successfully avoided the crash.

```
 fs/squashfs/sqfs_inode.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/fs/squashfs/sqfs_inode.c b/fs/squashfs/sqfs_inode.c
index ce9a8ff8e2a..addd76cc07e 100644
--- a/fs/squashfs/sqfs_inode.c
+++ b/fs/squashfs/sqfs_inode.c
@@ -135,6 +135,9 @@ void *sqfs_find_inode(void *inode_table, int inode_number, __le32 inode_count,
 		if (sz < 0)
 			return NULL;
 
+ 		if (__builtin_add_overflow(offset, sz, &offset))
+ 			return NULL;
+ 
 		offset += sz;
 	}
 
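Review bot: in the added `if (__builtin_add_overflow(offset, sz, &offset))` line, the builtin stores the sum into its third argument, so `offset` already equals `offset + sz` when the unchanged `offset += sz;` below it runs; each iteration therefore advances by `2 * sz` and `base` lands inside the wrong record. Write the checked sum into a temporary and assign it afterwards (`if (__builtin_add_overflow(offset, sz, &next)) return NULL; offset = next;`) or drop the `offset += sz;` line. Separately, an overflow check only catches wraparound: a large but non-wrapping `sz` still moves `base` past the end of the inode table before `get_unaligned_le32(&base->inode_number)` reads it, which is the crash this report describes, so the loop also needs a bound on `offset` against the table's length before `base` is dereferenced. Minor: the three added lines carry a leading space before the tabs; match the surrounding tab-only indentation.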
-- 
2.53.0
```
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-adding-overflow-check-for-offset-calculation.patch
Type: text/x-patch
Size: 752 bytes
Desc: not available
URL: <https://lists.denx.de/pipermail/u-boot/attachments/20260426/a8b0fd6b/attachment.bin>
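Worked example, added here and not part of the message above or of U-Boot's own code: a self-contained C model of an inode-table walk, with an invented record layout (a little-endian u32 inode number followed by a little-endian u32 record size), that shows why an overflow check on `offset + sz` is not sufficient on its own. The walk bounds every header read against the table length and rejects a record whose claimed size would either wrap or leave the table, reporting the offset an unchecked loop would have read from. The `toy_` names, the record layout, the error codes and the 0x40000000 sample size are assumptions made for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Constructed, simplified model of an inode-table walk. It is NOT U-Boot's
 * sqfs_find_inode(); the record layout (u32 inode number, u32 record size,
 * both read from the untrusted image) is invented for this example.
 */
#define TOY_HDR_LEN 8u

enum toy_status {
	TOY_OK = 0,
	TOY_NOT_FOUND,
	TOY_BAD_SIZE,
	TOY_OUT_OF_BOUNDS,
	TOY_OVERFLOW,
};

static uint32_t toy_le32(const unsigned char *p)
{
	uint32_t v = 0;
	for (int i = 3; i >= 0; i--)
		v = (v << 8) | p[i];
	return v;
}

static void toy_put_le32(unsigned char *p, uint32_t v)
{
	for (int i = 0; i < 4; i++)
		p[i] = (v >> (8 * i)) & 0xff;
}

/* Append one record: claimed_size is what the record says about itself
 * (attacker-controlled), real_size is how many bytes are actually emitted.
 * Returns the new table length, or 0 if the record does not fit. */
size_t toy_append(unsigned char *buf, size_t cap, size_t len,
		  uint32_t inode_number, uint32_t claimed_size, size_t real_size)
{
	if (real_size < TOY_HDR_LEN || cap - len < real_size)
		return 0;
	memset(buf + len, 0, real_size);
	toy_put_le32(buf + len, inode_number);
	toy_put_le32(buf + len + 4, claimed_size);
	return len + real_size;
}

/* Hardened walk: every header read is bounded by table_len, and the next
 * offset must neither wrap nor leave the table. On any error, *out_off holds
 * the offset an unchecked loop would have dereferenced next. */
int toy_find_inode(const unsigned char *table, size_t table_len,
		   uint32_t inode_count, uint32_t want, size_t *out_off)
{
	size_t offset = 0, next;
	uint32_t k, sz;

	for (k = 0; k < inode_count; k++) {
		*out_off = offset;
		/* offset <= table_len is a loop invariant, so no underflow here */
		if (table_len - offset < TOY_HDR_LEN)
			return TOY_OUT_OF_BOUNDS;
		if (toy_le32(table + offset) == want)
			return TOY_OK;
		sz = toy_le32(table + offset + 4);
		if (sz < TOY_HDR_LEN)
			return TOY_BAD_SIZE;	/* record would not advance the cursor */
		if (__builtin_add_overflow(offset, (size_t)sz, &next))
			return TOY_OVERFLOW;	/* wraparound: the rare case */
		if (next > table_len) {
			*out_off = next;	/* where the unchecked loop would read */
			return TOY_OUT_OF_BOUNDS;
		}
		offset = next;
	}
	return TOY_NOT_FOUND;
}

/* Constructed sample: three 16-byte records; in the bad table the second one
 * claims 0x40000000 bytes, mimicking an oversized file_size. Returns the
 * status of the lookup on the bad table; *good_off gets the benign result. */
int toy_demo(size_t *good_off, size_t *bad_off, size_t *bad_len)
{
	unsigned char good[64], bad[64];
	size_t glen = 0, blen = 0;

	glen = toy_append(good, sizeof good, glen, 1, 16, 16);
	glen = toy_append(good, sizeof good, glen, 2, 16, 16);
	glen = toy_append(good, sizeof good, glen, 3, 16, 16);
	if (toy_find_inode(good, glen, 3, 3, good_off) != TOY_OK)
		return -1;

	blen = toy_append(bad, sizeof bad, blen, 1, 16, 16);
	blen = toy_append(bad, sizeof bad, blen, 2, 0x40000000u, 16);
	blen = toy_append(bad, sizeof bad, blen, 3, 16, 16);
	*bad_len = blen;
	return toy_find_inode(bad, blen, 3, 3, bad_off);
}

int main(void)
{
	size_t good_off, bad_off, bad_len;
	int st = toy_demo(&good_off, &bad_off, &bad_len);

	printf("benign table: inode 3 at offset %zu\n", good_off);
	printf("bad table: status %d, unchecked loop would read at 0x%zx of a "
	       "%zu-byte table\n", st, bad_off, bad_len);
	return 0;
}
```

With a 64-bit `size_t` offset and a 32-bit record size, `__builtin_add_overflow` never fires for a single oversized record; it is the `next > table_len` comparison that rejects the constructed 0x40000000 size, which is why a bound against the table length has to accompany the wraparound check rather than replace it.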