Hi Piyush,

Le 12/06/2026 à 09:54, Piyush Paliwal a écrit :
Two independent out-of-bounds reads in the SquashFS driver, both reachable
by pointing U-Boot at an attacker-supplied image (e.g. ls/load on a crafted
USB/SD/netboot rootfs). Either one crashes the bootloader (DoS); patch 2 can
also copy adjacent heap memory into the loaded file (information disclosure).

   1/2 sqfs_find_inode()/sqfs_inode_size() walk the decompressed inode table
       using on-disk sizes with no check that the cursor stays inside the
       buffer -> wild read / SEGV, e.g. from a simple "ls".
   2/2 sqfs_read_nest() uses the on-disk fragment offset as an unbounded
       source index into the fragment block -> out-of-bounds heap read when
       loading a fragment-backed file.

Both were found by fuzzing the sandbox build (CONFIG_ASAN) of sqfsls/sqfsload
with mutated images. With the fixes, the crashing inputs are rejected
cleanly, 2000 fuzz iterations produce no further crashes, and the valid-image
path is unchanged.

These are distinct from the 2024 SquashFS CVE cluster (CVE-2024-57254..57259,
fixed in 2025.01-rc1) and from the sqfs_frag_lookup() fix (e365a269df5): the
earlier work added NULL checks at the callers and fixed the symlink-size and
fragment-table paths, but left these inode-table-walk and fragment-data
paths unbounded.

The two patches are independent and can be applied in either order.

Piyush Paliwal (2):
   fs/squashfs: bound the inode table walk in sqfs_find_inode()
   fs/squashfs: bound fragment offset/size in sqfs_read_nest()

  fs/squashfs/sqfs.c            |  50 ++++++++++++----
  fs/squashfs/sqfs_filesystem.h |   6 +-
  fs/squashfs/sqfs_inode.c      | 106 +++++++++++++++++++++++++++++-----
  3 files changed, 134 insertions(+), 28 deletions(-)

Those patches look good.

NB: a patch correcting the same issue as patch 1 was sent 12 hours earlier by Hem Parekh, but it fixes less problems than this one.

Reviewed-by: Richard Genoud <[email protected]>

Thanks!

Reply via email to