
[ciqcbr7_9] Multiple patches tested (2 commits)#1157

Open
ciq-kernel-automation[bot] wants to merge 2 commits into ciqcbr7_9 from {roxanan}_ciqcbr7_9

Conversation

@ciq-kernel-automation

Summary

This PR has been automatically created after successful completion of all CI stages.

Commit Message(s)

Squashfs: check return result of sb_min_blocksize

jira VULN-79855
cve CVE-2025-38415
commit-author Phillip Lougher <phillip@squashfs.org.uk>
commit 734aa85390ea693bb7eaf2240623d41b03705c84
upstream-diff |
	Replaced errorf with ERROR due to missing 5a2be1288b51
	("vfs: Convert squashfs to use the new mount API") and
	c6b82263f9c6 ("vfs: Introduce logging functions") its deps.

squashfs: fix memory leak in squashfs_fill_super

jira VULN-79855
cve-bf CVE-2025-38415
commit-author Phillip Lougher <phillip@squashfs.org.uk>
commit b64700d41bdc4e9f82f1346c15a3678ebb91a89c
upstream-diff |
	Replaced errorf with ERROR due to missing 5a2be1288b51
	("vfs: Convert squashfs to use the new mount API") and
	c6b82263f9c6 ("vfs: Introduce logging functions") its deps.

Test Results

✅ Build Stage

  • Status: Passed (x86_64)

  • Build Time: 12m 43s

  • Total Time: 13m 51s

  • View build logs

✅ Boot Verification


🤖 This PR was automatically generated by GitHub Actions
Run ID: 25115931746

jira VULN-79855
cve CVE-2025-38415
commit-author Phillip Lougher <phillip@squashfs.org.uk>
commit 734aa85
upstream-diff |
	Replaced errorf with ERROR due to missing 5a2be12
	("vfs: Convert squashfs to use the new mount API") and
	c6b8226 ("vfs: Introduce logging functions") its deps.

Syzkaller reports an "UBSAN: shift-out-of-bounds in squashfs_bio_read" bug.

Syzkaller forks multiple processes which, after mounting the Squashfs
filesystem, issue an ioctl("/dev/loop0", LOOP_SET_BLOCK_SIZE, 0x8000).
Now if this ioctl occurs at the same time another process is in the
process of mounting a Squashfs filesystem on /dev/loop0, the failure
occurs.  When this happens the following code in squashfs_fill_super()
fails.

----
msblk->devblksize = sb_min_blocksize(sb, SQUASHFS_DEVBLK_SIZE);
msblk->devblksize_log2 = ffz(~msblk->devblksize);
----

sb_min_blocksize() returns 0, which means msblk->devblksize is set to 0.

As a result, ffz(~msblk->devblksize) returns 64, and msblk->devblksize_log2
is set to 64.

This subsequently causes the

UBSAN: shift-out-of-bounds in fs/squashfs/block.c:195:36
shift exponent 64 is too large for 64-bit type 'u64' (aka
'unsigned long long')

This commit adds a check for a 0 return by sb_min_blocksize().

Link: https://lkml.kernel.org/r/20250409024747.876480-1-phillip@squashfs.org.uk
Fixes: 0aa6661 ("Squashfs: super block operations")
	Reported-by: syzbot+65761fc25a137b9c8c6e@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/all/67f0dd7a.050a0220.0a13.0230.GAE@google.com/
	Signed-off-by: Phillip Lougher <phillip@squashfs.org.uk>
	Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
(cherry picked from commit 734aa85)
	Signed-off-by: Roxana Nicolescu <rnicolescu@ciq.com>
jira VULN-79855
cve-bf CVE-2025-38415
commit-author Phillip Lougher <phillip@squashfs.org.uk>
commit b64700d
upstream-diff |
	Replaced errorf with ERROR due to missing 5a2be12
	("vfs: Convert squashfs to use the new mount API") and
	c6b8226 ("vfs: Introduce logging functions") its deps.

If sb_min_blocksize returns 0, squashfs_fill_super exits without freeing
allocated memory (sb->s_fs_info).

Fix this by moving the call to sb_min_blocksize to before memory is
allocated.

Link: https://lkml.kernel.org/r/20250811223740.110392-1-phillip@squashfs.org.uk
Fixes: 734aa85 ("Squashfs: check return result of sb_min_blocksize")
	Signed-off-by: Phillip Lougher <phillip@squashfs.org.uk>
	Reported-by: Scott GUO <scottzhguo@tencent.com>
Closes: https://lore.kernel.org/all/20250811061921.3807353-1-scott_gzh@163.com
	Cc: <stable@vger.kernel.org>
	Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
(cherry picked from commit b64700d)
	Signed-off-by: Roxana Nicolescu <rnicolescu@ciq.com>
@ciq-kernel-automation (bot) added the created-by-kernelci label (tags PRs that were automatically created when a user branch was pushed to the repo by kernelCI) on Apr 29, 2026
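Added example, not code from the kernel or from this PR: a small C model of the failure the two commit messages describe (a 0 from sb_min_blocksize() becoming a 64-bit shift exponent) and of the fixed ordering (validate before allocating). ffz() is modelled on the x86 behaviour the message reports (64 for a word with no zero bit); struct msblk, devblksize_log2_unchecked, shift_exponent_ok and fill_super_model are simplified stand-ins, and the sb_min_blocksize() result is passed in as a plain number.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
/* ffz() modelled on the x86 behaviour the commit message reports: index of the
 * first zero bit, or 64 when the word has none (e.g. ~0). */
static int ffz(uint64_t word)
{
	for (int i = 0; i < 64; i++)
		if (!((word >> i) & 1))
			return i;
	return 64;
}

/* The original, unchecked computation from squashfs_fill_super(). */
static int devblksize_log2_unchecked(uint64_t devblksize)
{
	return ffz(~devblksize);
}

/* True when shifting a u64 by this exponent is defined (what UBSAN checks). */
static int shift_exponent_ok(int log2)
{
	return log2 >= 0 && log2 < 64;
}
struct msblk { uint64_t devblksize; int devblksize_log2; };  /* simplified stand-in */

/* Models the fixed squashfs_fill_super(): the sb_min_blocksize() result ('devblksize')
 * is validated before s_fs_info is allocated, so -EINVAL cannot leak it. Returns log2 or -errno. */
static int fill_super_model(uint64_t devblksize)
{
	if (!devblksize)
		return -EINVAL;          /* "squashfs: unable to set blocksize" */
	struct msblk *msblk = calloc(1, sizeof *msblk);
	if (!msblk)
		return -ENOMEM;
	msblk->devblksize = devblksize;
	msblk->devblksize_log2 = ffz(~msblk->devblksize);
	int ret = msblk->devblksize_log2;
	free(msblk);                     /* stands in for the put_super teardown */
	return ret;
}

int main(void)
{
	printf("unchecked log2(0)=%d shift_ok=%d; checked: 0 -> %d, 4096 -> %d\n",
	       devblksize_log2_unchecked(0), shift_exponent_ok(devblksize_log2_unchecked(0)),
	       fill_super_model(0), fill_super_model(4096));
	return 0;
}
```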
@github-actions

🤖 Validation Checks In Progress Workflow run: https://github.com/ctrliq/kernel-src-tree/actions/runs/25117863066

@github-actions

🔍 Interdiff Analysis

  • ⚠️ PR commit 6e8ce8c36260 (Squashfs: check return result of sb_min_blocksize) → upstream 734aa85390ea
    Differences found:
================================================================================
*    DELTA DIFFERENCES - code changes that differ between the patches          *
================================================================================

--- b/fs/squashfs/super.c
+++ b/fs/squashfs/super.c
@@ -97,7 +97,7 @@
 
 	msblk->devblksize = sb_min_blocksize(sb, SQUASHFS_DEVBLK_SIZE);
 	if (!msblk->devblksize) {
-		ERROR("squashfs: unable to set blocksize\n");
+		errorf(fc, "squashfs: unable to set blocksize\n");
 		return -EINVAL;
 	}
 
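Review bot: the only delta in this hunk is ERROR() in place of errorf(fc, ...), which is exactly what the commit's upstream-diff note explains (the target tree lacks the mount API conversion), so the message itself needs no change. Worth keeping in mind while reviewing: the `return -EINVAL;` here runs after msblk is already set up (the hunk assigns msblk->devblksize), so sb->s_fs_info is left allocated on this path; that leak is what the second commit in this PR fixes, so the two commits should only land together.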

================================================================================
*    CONTEXT DIFFERENCES - surrounding code differences between the patches    *
================================================================================

--- b/fs/squashfs/super.c
+++ b/fs/squashfs/super.c
@@ -93,5 +94,5 @@
 
 	msblk->devblksize = sb_min_blocksize(sb, SQUASHFS_DEVBLK_SIZE);
 	msblk->devblksize_log2 = ffz(~msblk->devblksize);
 
-	mutex_init(&msblk->read_data_mutex);
+	mutex_init(&msblk->meta_index_mutex);
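Review bot: context-only difference: the target tree initialises read_data_mutex where upstream's surrounding line is meta_index_mutex, and the patch does not touch that line, so no action is needed. It is the kind of drift that can make a hunk apply at a different offset, which is why the second commit's comparison below has a rejected hunk.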
  • ⚠️ PR commit 28daee59a008 (squashfs: fix memory leak in squashfs_fill_super) → upstream b64700d41bdc
    Differences found:
================================================================================
*    DELTA DIFFERENCES - code changes that differ between the patches          *
================================================================================

--- b/fs/squashfs/super.c
+++ b/fs/squashfs/super.c
@@ -89,7 +89,7 @@
 	TRACE("Entered squashfs_fill_superblock\n");
 
 	if (!devblksize) {
-		ERROR("squashfs: unable to set blocksize\n");
+		errorf(fc, "squashfs: unable to set blocksize\n");
 		return -EINVAL;
 	}
 
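Review bot: same ERROR()/errorf() substitution as in the first commit, consistent with the upstream-diff note. The property that matters is visible in the context: `if (!devblksize)` now sits directly after the TRACE, before any allocation, so this `return -EINVAL` has nothing left to free.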
@@ -100,7 +100,12 @@
 	}
 	msblk = sb->s_fs_info;
 
-	msblk->devblksize = devblksize;
+	msblk->devblksize = sb_min_blocksize(sb, SQUASHFS_DEVBLK_SIZE);
+	if (!msblk->devblksize) {
+		ERROR("squashfs: unable to set blocksize\n");
+		return -EINVAL;
+	}
+
 	msblk->devblksize_log2 = ffz(~msblk->devblksize);
 
 	mutex_init(&msblk->read_data_mutex);
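Review bot: this "delta" is an artifact of the comparison rather than a real divergence: the `+` block is the post-allocation sb_min_blocksize() call and check that the backport removes (the `-	msblk->devblksize = devblksize;` line replaces it), and upstream performs the same removal in the hunk the tool rejected below because the line offsets differ. Manual check for the reviewer: confirm the resulting super.c contains exactly one sb_min_blocksize() call, placed before s_fs_info is allocated, and no remaining post-allocation check.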

################################################################################
!    REJECTED PATCH2 HUNKS - could not be compared; manual review needed       !
################################################################################

--- b/fs/squashfs/super.c
+++ b/fs/squashfs/super.c
@@ -206,12 +211,7 @@
 
 	msblk->panic_on_errors = (opts->errors == Opt_errors_panic);
 
-	msblk->devblksize = sb_min_blocksize(sb, SQUASHFS_DEVBLK_SIZE);
-	if (!msblk->devblksize) {
-		errorf(fc, "squashfs: unable to set blocksize\n");
-		return -EINVAL;
-	}
-
+	msblk->devblksize = devblksize;
 	msblk->devblksize_log2 = ffz(~msblk->devblksize);
 
 	mutex_init(&msblk->meta_index_mutex);
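Review bot: this upstream hunk was rejected because its context belongs to the mount-API version of the file (errorf(fc, ...), opts->errors, meta_index_mutex, at line 206 rather than 100), none of which exists in the target tree. Its logical content matches the backport's delta hunk above: drop the post-allocation sb_min_blocksize() check and assign the pre-computed devblksize. Since the tool could not compare it, diff the backported super.c against upstream's by hand rather than relying on the automated result.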

================================================================================
*    CONTEXT DIFFERENCES - surrounding code differences between the patches    *
================================================================================

--- b/fs/squashfs/super.c
+++ b/fs/squashfs/super.c
@@ -91,12 +194,12 @@
-	}
-	msblk = sb->s_fs_info;
+
+	msblk->panic_on_errors = (opts->errors == Opt_errors_panic);
 
 	msblk->devblksize = sb_min_blocksize(sb, SQUASHFS_DEVBLK_SIZE);
 	if (!msblk->devblksize) {
-		ERROR("squashfs: unable to set blocksize\n");
+		errorf(fc, "squashfs: unable to set blocksize\n");
 		return -EINVAL;
 	}
 
 	msblk->devblksize_log2 = ffz(~msblk->devblksize);
 
-	mutex_init(&msblk->read_data_mutex);
+	mutex_init(&msblk->meta_index_mutex);
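Review bot: context-only drift again (no panic_on_errors/opts block, ERROR vs errorf, read_data_mutex vs meta_index_mutex); the patch's own lines are unaffected and no action is required.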

This is an automated interdiff check for backported commits.

@github-actions

Validation checks completed successfully View full results: https://github.com/ctrliq/kernel-src-tree/actions/runs/25117863066
