android_kernel_xiaomi_sm8450/fs/squashfs/xattr.h

/* SPDX-License-Identifier: GPL-2.0-or-later */
/*
 * Squashfs - a compressed read only filesystem for Linux
 *
 * Copyright (c) 2010
 * Phillip Lougher <phillip@squashfs.org.uk>
 *
 * xattr.h
 */

#ifdef CONFIG_SQUASHFS_XATTR
extern __le64 *squashfs_read_xattr_id_table(struct super_block *, u64,
		u64 *, unsigned int *);
extern int squashfs_xattr_lookup(struct super_block *, unsigned int, int *,
		unsigned int *, unsigned long long *);
#else
static inline __le64 *squashfs_read_xattr_id_table(struct super_block *sb,
		u64 start, u64 *xattr_table_start, unsigned int *xattr_ids)
{
	struct squashfs_xattr_id_table *id_table;

	id_table = squashfs_read_table(sb, start, sizeof(*id_table));
	if (IS_ERR(id_table))
		return (__le64 *) id_table;

	*xattr_table_start = le64_to_cpu(id_table->xattr_table_start);
	kfree(id_table);

	ERROR("Xattrs in filesystem, these will be ignored\n");
	return ERR_PTR(-ENOTSUPP);
}

static inline int squashfs_xattr_lookup(struct super_block *sb,
		unsigned int index, int *count, unsigned int *size,
		unsigned long long *xattr)
{
	return 0;
}
#define squashfs_listxattr NULL
#define squashfs_xattr_handlers NULL
#endif
treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 35 Based on 1 normalized pattern(s): this program is free software you can redistribute it and or modify it under the terms of the gnu general public license as published by the free software foundation either version 2 or at your option any later version this program is distributed in the hope that it will be useful but without any warranty without even the implied warranty of merchantability or fitness for a particular purpose see the gnu general public license for more details you should have received a copy of the gnu general public license along with this program if not write to the free software foundation 51 franklin street fifth floor boston ma 02110 1301 usa extracted by the scancode license scanner the SPDX license identifier GPL-2.0-or-later has been chosen to replace the boilerplate/reference in 23 file(s). Signed-off-by: Thomas Gleixner <tglx@linutronix.de> Reviewed-by: Allison Randal <allison@lohutok.net> Reviewed-by: Kate Stewart <kstewart@linuxfoundation.org> Cc: linux-spdx@vger.kernel.org Link: https://lkml.kernel.org/r/20190520170857.458548087@linutronix.de Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2019-05-21 02:08:00 +09:00			`/* SPDX-License-Identifier: GPL-2.0-or-later */`
squashfs: add xattr support configure option Signed-off-by: Phillip Lougher <phillip@lougher.demon.co.uk> 2010-05-18 03:39:02 +09:00			`/*`
			`* Squashfs - a compressed read only filesystem for Linux`
			`*`
			`* Copyright (c) 2010`
Squashfs: update email address My existing email address may stop working in a month or two, so update email to one that will continue working. Signed-off-by: Phillip Lougher <phillip@lougher.demon.co.uk> 2011-05-26 18:39:56 +09:00			`* Phillip Lougher <phillip@squashfs.org.uk>`
squashfs: add xattr support configure option Signed-off-by: Phillip Lougher <phillip@lougher.demon.co.uk> 2010-05-18 03:39:02 +09:00			`*`
			`* xattr.h`
			`*/`

Squashfs: Make XATTR config name consistent with other file systems Reported-by: Geert Uytterhoeven <geert@linux-m68k.org> Signed-off-by: Phillip Lougher <phillip@lougher.demon.co.uk> 2010-06-01 02:46:29 +09:00			`#ifdef CONFIG_SQUASHFS_XATTR`
squashfs: add xattr support configure option Signed-off-by: Phillip Lougher <phillip@lougher.demon.co.uk> 2010-05-18 03:39:02 +09:00			`extern __le64 squashfs_read_xattr_id_table(struct super_block , u64,`
Squashfs: fix handling and sanity checking of xattr_ids count commit f65c4bbbd682b0877b669828b4e033b8d5d0a2dc upstream. A Sysbot [1] corrupted filesystem exposes two flaws in the handling and sanity checking of the xattr_ids count in the filesystem. Both of these flaws cause computation overflow due to incorrect typing. In the corrupted filesystem the xattr_ids value is 4294967071, which stored in a signed variable becomes the negative number -225. Flaw 1 (64-bit systems only): The signed integer xattr_ids variable causes sign extension. This causes variable overflow in the SQUASHFS_XATTR_(A) macros. The variable is first multiplied by sizeof(struct squashfs_xattr_id) where the type of the sizeof operator is "unsigned long". On a 64-bit system this is 64-bits in size, and causes the negative number to be sign extended and widened to 64-bits and then become unsigned. This produces the very large number 18446744073709548016 or 2^64 - 3600. This number when rounded up by SQUASHFS_METADATA_SIZE - 1 (8191 bytes) and divided by SQUASHFS_METADATA_SIZE overflows and produces a length of 0 (stored in len). Flaw 2 (32-bit systems only): On a 32-bit system the integer variable is not widened by the unsigned long type of the sizeof operator (32-bits), and the signedness of the variable has no effect due it always being treated as unsigned. The above corrupted xattr_ids value of 4294967071, when multiplied overflows and produces the number 4294963696 or 2^32 - 3400. This number when rounded up by SQUASHFS_METADATA_SIZE - 1 (8191 bytes) and divided by SQUASHFS_METADATA_SIZE overflows again and produces a length of 0. The effect of the 0 length computation: In conjunction with the corrupted xattr_ids field, the filesystem also has a corrupted xattr_table_start value, where it matches the end of filesystem value of 850. This causes the following sanity check code to fail because the incorrectly computed len of 0 matches the incorrect size of the table reported by the superblock (0 bytes). len = SQUASHFS_XATTR_BLOCK_BYTES(xattr_ids); indexes = SQUASHFS_XATTR_BLOCKS(xattr_ids); / * The computed size of the index table (len bytes) should exactly * match the table start and end points / start = table_start + sizeof(id_table); end = msblk->bytes_used; if (len != (end - start)) return ERR_PTR(-EINVAL); Changing the xattr_ids variable to be "usigned int" fixes the flaw on a 64-bit system. This relies on the fact the computation is widened by the unsigned long type of the sizeof operator. Casting the variable to u64 in the above macro fixes this flaw on a 32-bit system. It also means 64-bit systems do not implicitly rely on the type of the sizeof operator to widen the computation. [1] https://lore.kernel.org/lkml/000000000000cd44f005f1a0f17f@google.com/ Link: https://lkml.kernel.org/r/20230127061842.10965-1-phillip@squashfs.org.uk Fixes: 506220d2ba21 ("squashfs: add more sanity checks in xattr id lookup") Signed-off-by: Phillip Lougher <phillip@squashfs.org.uk> Reported-by: <syzbot+082fa4af80a5bb1a9843@syzkaller.appspotmail.com> Cc: Alexey Khoroshilov <khoroshilov@ispras.ru> Cc: Fedor Pchelkin <pchelkin@ispras.ru> Cc: <stable@vger.kernel.org> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2023-01-27 15:18:42 +09:00			`u64 , unsigned int );`
squashfs: add xattr support configure option Signed-off-by: Phillip Lougher <phillip@lougher.demon.co.uk> 2010-05-18 03:39:02 +09:00			`extern int squashfs_xattr_lookup(struct super_block , unsigned int, int ,`
Squashfs: fix function prototype The fourth argument should be unsigned. Also add missing include so that the function prototype is defined in xattr_id.c This fixes a couple of sparse warnings. Signed-off-by: Phillip Lougher <phillip@lougher.demon.co.uk> 2010-10-25 08:17:24 +09:00			`unsigned int , unsigned long long );`
squashfs: add xattr support configure option Signed-off-by: Phillip Lougher <phillip@lougher.demon.co.uk> 2010-05-18 03:39:02 +09:00			`#else`
			`static inline __le64 squashfs_read_xattr_id_table(struct super_block sb,`
Squashfs: fix handling and sanity checking of xattr_ids count commit f65c4bbbd682b0877b669828b4e033b8d5d0a2dc upstream. A Sysbot [1] corrupted filesystem exposes two flaws in the handling and sanity checking of the xattr_ids count in the filesystem. Both of these flaws cause computation overflow due to incorrect typing. In the corrupted filesystem the xattr_ids value is 4294967071, which stored in a signed variable becomes the negative number -225. Flaw 1 (64-bit systems only): The signed integer xattr_ids variable causes sign extension. This causes variable overflow in the SQUASHFS_XATTR_(A) macros. The variable is first multiplied by sizeof(struct squashfs_xattr_id) where the type of the sizeof operator is "unsigned long". On a 64-bit system this is 64-bits in size, and causes the negative number to be sign extended and widened to 64-bits and then become unsigned. This produces the very large number 18446744073709548016 or 2^64 - 3600. This number when rounded up by SQUASHFS_METADATA_SIZE - 1 (8191 bytes) and divided by SQUASHFS_METADATA_SIZE overflows and produces a length of 0 (stored in len). Flaw 2 (32-bit systems only): On a 32-bit system the integer variable is not widened by the unsigned long type of the sizeof operator (32-bits), and the signedness of the variable has no effect due it always being treated as unsigned. The above corrupted xattr_ids value of 4294967071, when multiplied overflows and produces the number 4294963696 or 2^32 - 3400. This number when rounded up by SQUASHFS_METADATA_SIZE - 1 (8191 bytes) and divided by SQUASHFS_METADATA_SIZE overflows again and produces a length of 0. The effect of the 0 length computation: In conjunction with the corrupted xattr_ids field, the filesystem also has a corrupted xattr_table_start value, where it matches the end of filesystem value of 850. This causes the following sanity check code to fail because the incorrectly computed len of 0 matches the incorrect size of the table reported by the superblock (0 bytes). len = SQUASHFS_XATTR_BLOCK_BYTES(xattr_ids); indexes = SQUASHFS_XATTR_BLOCKS(xattr_ids); / * The computed size of the index table (len bytes) should exactly * match the table start and end points / start = table_start + sizeof(id_table); end = msblk->bytes_used; if (len != (end - start)) return ERR_PTR(-EINVAL); Changing the xattr_ids variable to be "usigned int" fixes the flaw on a 64-bit system. This relies on the fact the computation is widened by the unsigned long type of the sizeof operator. Casting the variable to u64 in the above macro fixes this flaw on a 32-bit system. It also means 64-bit systems do not implicitly rely on the type of the sizeof operator to widen the computation. [1] https://lore.kernel.org/lkml/000000000000cd44f005f1a0f17f@google.com/ Link: https://lkml.kernel.org/r/20230127061842.10965-1-phillip@squashfs.org.uk Fixes: 506220d2ba21 ("squashfs: add more sanity checks in xattr id lookup") Signed-off-by: Phillip Lougher <phillip@squashfs.org.uk> Reported-by: <syzbot+082fa4af80a5bb1a9843@syzkaller.appspotmail.com> Cc: Alexey Khoroshilov <khoroshilov@ispras.ru> Cc: Fedor Pchelkin <pchelkin@ispras.ru> Cc: <stable@vger.kernel.org> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2023-01-27 15:18:42 +09:00			`u64 start, u64 xattr_table_start, unsigned int xattr_ids)`
squashfs: add xattr support configure option Signed-off-by: Phillip Lougher <phillip@lougher.demon.co.uk> 2010-05-18 03:39:02 +09:00			`{`
squashfs: add more sanity checks in id lookup commit f37aa4c7366e23f91b81d00bafd6a7ab54e4a381 upstream. Sysbot has reported a number of "slab-out-of-bounds reads" and "use-after-free read" errors which has been identified as being caused by a corrupted index value read from the inode. This could be because the metadata block is uncompressed, or because the "compression" bit has been corrupted (turning a compressed block into an uncompressed block). This patch adds additional sanity checks to detect this, and the following corruption. 1. It checks against corruption of the ids count. This can either lead to a larger table to be read, or a smaller than expected table to be read. In the case of a too large ids count, this would often have been trapped by the existing sanity checks, but this patch introduces a more exact check, which can identify too small values. 2. It checks the contents of the index table for corruption. Link: https://lkml.kernel.org/r/20210204130249.4495-3-phillip@squashfs.org.uk Signed-off-by: Phillip Lougher <phillip@squashfs.org.uk> Reported-by: syzbot+b06d57ba83f604522af2@syzkaller.appspotmail.com Reported-by: syzbot+c021ba012da41ee9807c@syzkaller.appspotmail.com Reported-by: syzbot+5024636e8b5fd19f0f19@syzkaller.appspotmail.com Reported-by: syzbot+bcbc661df46657d0fa4f@syzkaller.appspotmail.com Cc: <stable@vger.kernel.org> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2021-02-10 06:41:53 +09:00			`struct squashfs_xattr_id_table *id_table;`

			`id_table = squashfs_read_table(sb, start, sizeof(*id_table));`
			`if (IS_ERR(id_table))`
			`return (__le64 *) id_table;`

			`*xattr_table_start = le64_to_cpu(id_table->xattr_table_start);`
			`kfree(id_table);`

squashfs: add xattr support configure option Signed-off-by: Phillip Lougher <phillip@lougher.demon.co.uk> 2010-05-18 03:39:02 +09:00			`ERROR("Xattrs in filesystem, these will be ignored\n");`
			`return ERR_PTR(-ENOTSUPP);`
			`}`

			`static inline int squashfs_xattr_lookup(struct super_block *sb,`
Squashfs: fix function prototype The fourth argument should be unsigned. Also add missing include so that the function prototype is defined in xattr_id.c This fixes a couple of sparse warnings. Signed-off-by: Phillip Lougher <phillip@lougher.demon.co.uk> 2010-10-25 08:17:24 +09:00			`unsigned int index, int count, unsigned int size,`
squashfs: xattr_lookup sparse fix Sparse detected that unsigned pointer was being passed as int pointer. Signed-off-by: Stephen Hemminger <shemminger@vyatta.com> [fixed up to deal with code refactoring] Signed-off-by: Phillip Lougher <phillip@lougher.demon.co.uk> 2010-05-14 08:32:21 +09:00			`unsigned long long *xattr)`
squashfs: add xattr support configure option Signed-off-by: Phillip Lougher <phillip@lougher.demon.co.uk> 2010-05-18 03:39:02 +09:00			`{`
			`return 0;`
			`}`
			`#define squashfs_listxattr NULL`
			`#define squashfs_xattr_handlers NULL`
			`#endif`