[PATCH 1/1] fs/squashfs: fix heap buffer overflow in sqfs_frag_lookup()

Eric Kilmer eric.kilmer at trailofbits.com
Fri Feb 20 20:48:08 CET 2026


sqfs_frag_lookup() reads a 16-bit metadata block header whose lower
15 bits encode the data size. Unlike sqfs_read_metablock() in
sqfs_inode.c, this function does not validate that the decoded size is
within SQFS_METADATA_BLOCK_SIZE (8192). A malformed SquashFS image can
set the size field to any value up to 32767, causing memcpy to write
past the 8192-byte 'entries' heap buffer.

Add the same bounds check used by sqfs_read_metablock(): reject any
metadata block header with SQFS_METADATA_SIZE(header) exceeding
SQFS_METADATA_BLOCK_SIZE.

Found by fuzzing with libFuzzer + AddressSanitizer.

Signed-off-by: Eric Kilmer <eric.kilmer at trailofbits.com>
---
 fs/squashfs/sqfs.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/fs/squashfs/sqfs.c b/fs/squashfs/sqfs.c
index f668c26472e..9cb8b4afcdd 100644
--- a/fs/squashfs/sqfs.c
+++ b/fs/squashfs/sqfs.c
@@ -178,6 +178,11 @@ static int sqfs_frag_lookup(u32 inode_fragment_index,
 		goto out;
 	}
 
+	if (SQFS_METADATA_SIZE(header) > SQFS_METADATA_BLOCK_SIZE) {
+		ret = -EINVAL;
+		goto out;
+	}
+
 	entries = malloc(SQFS_METADATA_BLOCK_SIZE);
 	if (!entries) {
 		ret = -ENOMEM;
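Review bot: the added check duplicates the bounds test the commit message says already lives in sqfs_read_metablock() in sqfs_inode.c; consider lifting the comparison into one shared helper or macro (e.g. a `sqfs_metablock_size_ok(header)` inline next to SQFS_METADATA_SIZE) so the two metadata readers cannot drift apart again, and add a one-line comment above the new `if` stating why the 15-bit size field must be capped at SQFS_METADATA_BLOCK_SIZE before the memcpy into `entries`. The early `goto out` before `entries = malloc(SQFS_METADATA_BLOCK_SIZE)` mirrors the existing `goto out;` two lines above it, so the cleanup path is already exercised with `entries` unallocated; a `Fixes:` or version note in the commit message would help backporting to the releases that carry the unchecked read.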
-- 
2.53.0


