[PATCH] fs/squashfs fix overflow in sqfs_find_inode()
Quentin Schulz
quentin.schulz at cherry.de
Mon Apr 27 19:17:09 CEST 2026
Hi Jared,
Thanks for the report and the possible patch.
On 4/26/26 10:45 PM, Jared Stroud wrote:
>
> Hello u-boot list,
>
> I found a parsing bug in sqfs_find_inode().
> While fuzzing the file_size attributes of the squashfs_reg_inode structure, if the file_size attribute has a sufficiently large value, &base->inode_number will jump to an arbitrary location in memory, resulting in an invalid memory access and crash.
>
> I tested this with a modified SquashFS file system and U-Boot Sandbox with release 2026.01.
>
> ```c
> for (k = 0; k < le32_to_cpu(inode_count); k++) {
>
> 	// 3) jump ahead in the inode_table from new offset
> 	base = inode_table + offset;
>
> 	// 4) attempt to access location in memory
> 	if (get_unaligned_le32(&base->inode_number) == inode_number)
> 		return inode_table + offset;
>
> 	// 1) large file size is read here
> 	sz = sqfs_inode_size(base, le32_to_cpu(block_size));
>
> 	if (sz < 0)
> 		return NULL;
>
> 	// 2) file size is added to offset
> 	offset += sz;
> }
> ```
>
> The crash and resulting ASAN output can be seen below.
> ```
> hit any key to stop autoboot: 0
> => host bind 0 random3.sqfs
> => ls host 0 /
> AddressSanitizer:DEADLYSIGNAL
> =================================================================
> ==75950==ERROR: AddressSanitizer: SEGV on unknown address 0x000067128936 (pc 0x0000006689a1 bp 0x000019b354a0 sp 0x7fff2b718600 T0)
> ==75950==The signal is caused by a READ memory access.
> #0 0x0000006689a1 in sqfs_find_inode fs/squashfs/sqfs_inode.c:131
> #1 0x000000660c79 in sqfs_search_dir fs/squashfs/sqfs.c:489
> #2 0x000000662af6 in sqfs_opendir_nest fs/squashfs/sqfs.c:977
> #3 0x0000006238e3 in fs_opendir fs/fs.c:669
> #4 0x000000623c67 in fs_ls_generic fs/fs.c:66
> #5 0x000000623fc2 in fs_ls fs/fs.c:537
> #6 0x000000623fc2 in do_ls fs/fs.c:881
> #7 0x000000623fc2 in do_ls.isra.0 fs/fs.c:870
> #8 0x0000004eae8e in cmd_call common/command.c:582
> #9 0x0000004eae8e in cmd_process common/command.c:637
> #10 0x0000004da9d6 in run_pipe_real common/cli_hush.c:1672
> #11 0x0000004da9d6 in run_list_real common/cli_hush.c:1868
> #12 0x0000004db112 in run_list common/cli_hush.c:2017
> #13 0x0000004db112 in parse_stream_outer common/cli_hush.c:3207
> #14 0x0000004117eb in parse_file_outer common/cli_hush.c:3299
> #15 0x0000004117eb in cli_loop common/cli.c:306
> #16 0x0000004117eb in main_loop common/main.c:86
> #17 0x0000004117eb in run_main_loop common/board_r.c:584
> #18 0x0000004117eb in initcall_run_r common/board_r.c:776
> #19 0x0000004117eb in board_init_r common/board_r.c:806
> #20 0x0000004117eb in sandbox_main arch/sandbox/cpu/start.c:584
> #21 0x7fb1a66105b4 in __libc_start_call_main (/lib64/libc.so.6+0x35b4) (BuildId: 5e8f131adc80bf454af46edf4a1527ae61e1b968)
> #22 0x7fb1a6610667 in __libc_start_main@@GLIBC_2.34 (/lib64/libc.so.6+0x3667) (BuildId: 5e8f131adc80bf454af46edf4a1527ae61e1b968)
> #23 0x000000401524 in _start (/usr/src/u-boot/u-boot+0x401524) (BuildId: 7121dd98eb40baab73fe6c0941c8200f29e1ad23)
>
> ==75950==Register values:
> rax = 0x000000006712892a rbx = 0x00000000009dbaa0 rcx = 0x0000000000020000 rdx = 0x0000000000000000
> rdi = 0x0000000000006fd5 rsi = 0x0000000000007abd rbp = 0x0000000019b354a0 rsp = 0x00007fff2b718600
> r8 = 0x000000004d5f348a r9 = 0x0000000067128936 r10 = 0x0000000000000501 r11 = 0x0000000000000001
> r12 = 0x0000000000000002 r13 = 0x0000000000000001 r14 = 0x0000000019a0e900 r15 = 0x0000000000000001
> AddressSanitizer can not provide additional info.
> SUMMARY: AddressSanitizer: SEGV fs/squashfs/sqfs_inode.c:131 in sqfs_find_inode
> ==75950==ABORTING
> ```
>
> This bug is similar to CVE-2024-57254 in that memory operations are occurring based on inode values.
> I applied a similar fix via the commit c8e929e5758999933f9e905049ef2bf3fe6b140d, re-tested U-Boot with the crashing file system, and successfully avoided the crash.
>
> ```
> fs/squashfs/sqfs_inode.c | 3 +++
> 1 file changed, 3 insertions(+)
>
> diff --git a/fs/squashfs/sqfs_inode.c b/fs/squashfs/sqfs_inode.c
> index ce9a8ff8e2a..addd76cc07e 100644
> --- a/fs/squashfs/sqfs_inode.c
> +++ b/fs/squashfs/sqfs_inode.c
> @@ -135,6 +135,9 @@ void *sqfs_find_inode(void *inode_table, int inode_number, __le32 inode_count,
> if (sz < 0)
> return NULL;
>
> + if (__builtin_add_overflow(offset, sz, &offset))
> + return NULL;
> +
> offset += sz;
> }
>
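Review bot: the hunk adds sz to offset twice. `__builtin_add_overflow(offset, sz, &offset)` already stores the sum in `offset` when it does not overflow, and the retained `offset += sz;` then adds `sz` a second time, so from the second iteration on every lookup reads from the wrong record. Either drop the `offset += sz;` line or write the checked sum to a temporary and assign it afterwards. Note also that a wrap-around check is only part of what the report calls for: a large size that does not wrap still moves `inode_table + offset` past the end of the table, so the loop also needs the table's length to reject a `sz` larger than the bytes remaining before it advances.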
> --
> 2.53.0
> ```
Please send this as a proper patch (we don't accept patches sent as
attachment) on the mailing list following the instructions from
https://docs.u-boot.org/en/latest/CONTRIBUTE.html and
https://docs.u-boot.org/en/latest/develop/sending_patches.html. This
will make it more likely to be looked at.
Cheers,
Quentin
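The pattern the report describes, a size field read from untrusted data being accumulated into an offset that then indexes the same table, in an added C example that is not U-Boot's code: the walk is bounded by the table's real length and validates each record before advancing, so a hostile size rejects the image instead of dereferencing out of bounds. The record layout (constructed: 4-byte LE inode number, 4-byte LE record length including the header) and the sample tables are assumptions, not SquashFS's actual format.

```c
/* Added example, not U-Boot code. Constructed record format: 4-byte LE inode
 * number, 4-byte LE record length (header included), then payload. */
#include <stddef.h>
#include <stdint.h>

#define HDR_LEN 8u

static uint32_t get_le32(const uint8_t *p)
{
	return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
	       ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Returns the byte offset of the record numbered `want`, or -1 if it is not
 * found or a length field would carry the walk outside the `table_len`
 * bytes that actually back the table. */
long find_inode_bounded(const uint8_t *table, size_t table_len,
			uint32_t want, uint32_t inode_count)
{
	size_t offset = 0;

	for (uint32_t k = 0; k < inode_count; k++) {
		/* The header must lie inside the buffer before it is read. */
		if (table_len - offset < HDR_LEN)
			return -1;
		if (get_le32(table + offset) == want)
			return (long)offset;

		uint32_t sz = get_le32(table + offset + 4);
		/* Shorter than its own header or longer than what remains:
		 * corrupt. Checking sz against the remainder first also
		 * means the addition below cannot wrap. */
		if (sz < HDR_LEN || sz > table_len - offset)
			return -1;
		offset += sz;
	}
	return -1;
}

/* Constructed sample tables. */
static const uint8_t good_table[] = {
	1, 0, 0, 0, 12, 0, 0, 0, 0xAA, 0xBB, 0xCC, 0xDD, /* inode 1, 12 B */
	2, 0, 0, 0,  8, 0, 0, 0,                         /* inode 2,  8 B */
};
/* First record claims a huge length, like the fuzzed file_size in the report. */
static const uint8_t hostile_table[] = {
	1, 0, 0, 0, 0xFF, 0xFF, 0xFF, 0x7F,
	2, 0, 0, 0,    8,    0,    0,    0,
};
```

With `good_table` the lookup for inode 2 lands at offset 12; with `hostile_table` the same lookup is refused before the bogus length is ever added to the offset.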