[PATCH] adding check to prevent overflow in sqfs_find_inode
dllcoolj at archcloudlabs.com
Wed Apr 29 04:14:21 CEST 2026
Hi Richard,
>
> The commit message should be wrapped at 75 characters (the rule can be
> bent for log messages like the one below, but for the description, it's
> the preferred way).
> You can use scripts/checkpatch.pl to help you with this.
>
Understood!
>
> I'm a little confused by the fix.
> If there's no overflow, we will have offset += sz above (in the __builtin_add_overflow)
>
> >
> > offset += sz;
> >
> ...and again here ^^
> So, sz will be added 2 times instead of one.
>
I mistakenly thought __builtin_add_overflow just performed the check.
Upon fixing this on my end, I'm still crashing.
I'll dig into this and follow up in a day or so.
April 28, 2026 at 3:01 AM, "Richard GENOUD" <richard.genoud at bootlin.com> wrote:
>
> Hi Jared,
>
> On 28/04/2026 at 02:31, Jared Stroud wrote:
>
> >
> > While fuzzing attributes of the squashfs_reg_inode structure, if the file_size attribute is a large value,
> > &base->inode_number within the sqfs_find_inode function will jump to an arbitrary location
> > in memory resulting in an invalid memory access and crash.
> > This bug is similar to CVE-2024-57254 in that memory operations are occurring based on inode values.
> > I applied a similar fix via the commit c8e929e5758999933f9e905049ef2bf3fe6b140d.
> >
> The commit message should be wrapped at 75 characters (the rule can be bent for log messages like the one below, but for the description, it's the preferred way).
> You can use scripts/checkpatch.pl to help you with this.
>
> >
> > Prior to the fix, the bug was triggered via the following commands from
> > the U-Boot shell:
> > ```
> > => host bind 0 random3.sqfs
> > => ls host 0 /
> > AddressSanitizer:DEADLYSIGNAL
> > =================================================================
> > ==122741==ERROR: AddressSanitizer: SEGV on unknown address 0x0000670e4716 (pc 0x55a504b86ea6 bp 0x000019af1280 sp 0x7fff04b3b740 T0)
> > ==122741==The signal is caused by a READ memory access.
> > #0 0x55a504b86ea6 in sqfs_find_inode fs/squashfs/sqfs_inode.c:131
> > #1 0x55a504b7f17e in sqfs_search_dir fs/squashfs/sqfs.c:489
> > #2 0x55a504b80ffb in sqfs_opendir_nest fs/squashfs/sqfs.c:977
> > #3 0x55a504b426e9 in fs_opendir fs/fs.c:669
> > #4 0x55a504b42a6d in fs_ls_generic fs/fs.c:66
> > #5 0x55a504b42dc8 in fs_ls fs/fs.c:537
> > #6 0x55a504b42dc8 in do_ls fs/fs.c:881
> > #7 0x55a504b42dc8 in do_ls.isra.0 fs/fs.c:870
> > #8 0x55a504a0eb40 in cmd_call common/command.c:582
> > #9 0x55a504a0eb40 in cmd_process common/command.c:637
> > #10 0x55a5049f00c4 in run_pipe_real common/cli_hush.c:1672
> > #11 0x55a5049f00c4 in run_list_real common/cli_hush.c:1868
> > #12 0x55a5049f0800 in run_list common/cli_hush.c:2017
> > #13 0x55a5049f0800 in parse_stream_outer common/cli_hush.c:3207
> > #14 0x55a50492efcc in parse_file_outer common/cli_hush.c:3299
> > #15 0x55a50492efcc in cli_loop common/cli.c:306
> > #16 0x55a50492efcc in main_loop common/main.c:86
> > #17 0x55a50492efcc in run_main_loop common/board_r.c:584
> > #18 0x55a50492efcc in initcall_run_r common/board_r.c:776
> > #19 0x55a50492efcc in board_init_r common/board_r.c:806
> > #20 0x55a50492efcc in sandbox_main arch/sandbox/cpu/start.c:584
> > #21 0x7f60aa6276c0 (/usr/lib/libc.so.6+0x276c0) (BuildId: ca0db5ab57a36507d61bbcf4988d344974331f19)
> > #22 0x7f60aa6277f8 in __libc_start_main (/usr/lib/libc.so.6+0x277f8) (BuildId: ca0db5ab57a36507d61bbcf4988d344974331f19)
> > #23 0x55a50491e414 in _start (/usr/src/u-boot/u-boot+0x285414) (BuildId: 964ae5120238bc46d7af63402fa25331ca86b3b4)
> > ==122741==Register values:
> > rax = 0x00000000670e470a rbx = 0x000055a504ef7100 rcx = 0x0000000000020000 rdx = 0x0000000000000000
> > rdi = 0x0000000000006fd5 rsi = 0x0000000000007abd rbp = 0x0000000019af1280 rsp = 0x00007fff04b3b740
> > r8 = 0x000000004d5f348a r9 = 0x00000000670e4716 r10 = 0x0000000000000501 r11 = 0x0000000000000001
> > r12 = 0x0000000000000002 r13 = 0x0000000000000001 r14 = 0x00000000199caa00 r15 = 0x0000000000000001
> > AddressSanitizer can not provide additional info.
> > SUMMARY: AddressSanitizer: SEGV fs/squashfs/sqfs_inode.c:131 in sqfs_find_inode
> > ```
> > Post-patch, the following behavior is observed:
> > => host bind 0 random3.sqfs
> > => ls host 0 /
> > Error while searching inode: unknown type.
> > Signed-off-by: Jared Stroud <dllcoolj at archcloudlabs.com>
> > ---
> > fs/squashfs/sqfs_inode.c | 3 +++
> > 1 file changed, 3 insertions(+)
> > diff --git a/fs/squashfs/sqfs_inode.c b/fs/squashfs/sqfs_inode.c
> > index ce9a8ff8e2a..d2efc07c78e 100644
> > --- a/fs/squashfs/sqfs_inode.c
> > +++ b/fs/squashfs/sqfs_inode.c
> > @@ -135,6 +135,9 @@ void *sqfs_find_inode(void *inode_table, int inode_number, __le32 inode_count,
> > if (sz < 0)
> > return NULL;
> > > + if (__builtin_add_overflow(offset, sz, &offset))
> > + return NULL;
> > +
> >
> I'm a little confused by the fix.
> If there's no overflow, we will have offset += sz above (in the __builtin_add_overflow)
>
> >
> > offset += sz;
> >
> ...and again here ^^
> So, sz will be added 2 times instead of one.
>
> >
> > }
> >
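Review bot: the new check at the top of the hunk writes `offset + sz` back into `offset`, so the unchanged `offset += sz;` a few lines later adds `sz` a second time on every iteration that does not overflow, which is the double add raised in the review. Either drop the existing `offset += sz;` or compute into a temporary (`if (__builtin_add_overflow(offset, sz, &next)) return NULL;`) and assign it once. Separately, a wraparound check on its own does not cover the crash described in the commit message: a large `file_size` can yield an `offset` that does not overflow yet lies past the end of the inode table, so the result also needs to be bounded against the table's length before `&base->inode_number` is dereferenced.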
> Regards,
> Richard
>
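An added C example, not code from the patch or from U-Boot, illustrating the point made in the review: __builtin_add_overflow stores the sum in its third argument, so the patched loop adds sz twice. The corrected helper adds once and also bounds the result against a table length, which is a hypothetical parameter standing in for the inode table size that the hunk does not show.

```c
#include <limits.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed stand-in for the patched loop body in sqfs_find_inode:
 * the builtin already stores offset + sz into offset, and the pre-existing
 * "offset += sz;" then adds sz again. Returns -1 on overflow. */
static int advance_as_patched(int offset, int sz)
{
	if (__builtin_add_overflow(offset, sz, &offset)) /* offset = offset + sz */
		return -1;
	offset += sz;	/* second add: sz is now counted twice */
	return offset;
}

/* Corrected form: reject negative sizes (as the hunk's "sz < 0" check does),
 * let the builtin perform the single addition, then bound the new offset
 * against table_len (hypothetical: the length of the inode table in bytes),
 * since a sum that does not wrap can still point past the table. */
static int advance_checked(int offset, int sz, size_t table_len)
{
	int next;

	if (offset < 0 || sz < 0)
		return -1;
	if (__builtin_add_overflow(offset, sz, &next))
		return -1;	/* arithmetic wraparound */
	if ((size_t)next >= table_len)
		return -1;	/* in range, but beyond the table */
	return next;
}

int main(void)
{
	printf("patched:  100 + 20 -> %d (expected 120)\n", advance_as_patched(100, 20));
	printf("checked:  100 + 20 -> %d\n", advance_checked(100, 20, 4096));
	printf("checked:  INT_MAX + 1 -> %d (overflow)\n", advance_checked(INT_MAX, 1, 4096));
	printf("checked:  4000 + 200 -> %d (past table)\n", advance_checked(4000, 200, 4096));
	return 0;
}
```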