From 4b0180a49f08dd1c681cdc99edc9e0cec0a833fa Mon Sep 17 00:00:00 2001 From: Phillip Lougher Date: Fri, 9 Mar 2012 03:02:59 +0000 Subject: Squashfs: add mount time sanity check for block_size and block_log match Squashfs currently has a sanity check for block_size less than or equal to the maximum block_size (1 Mbyte). This catches some superblock corruption, but obviously with a block_size maximum of 1 Mbyte there's 7 correct values (4K, 8K, 16K, 32K, ... etc) and a lot of incorrect values which are not caught by this check. The Squashfs superblock, however, has both a block_size and a block_log (2^block_log == block_size). Checking that the block_size matches the block_log is a much more robust check. Corruption of the superblock is unlikely to produce values which match, and it also ensures the block_size is an exact power of two. Signed-off-by: Phillip Lougher --- fs/squashfs/super.c | 5 +++++ 1 file changed, 5 insertions(+) (limited to 'fs/squashfs/super.c') diff --git a/fs/squashfs/super.c b/fs/squashfs/super.c index ecaa2f7..a55a9c5 100644 --- a/fs/squashfs/super.c +++ b/fs/squashfs/super.c @@ -158,10 +158,15 @@ static int squashfs_fill_super(struct super_block *sb, void *data, int silent) goto failed_mount; } + /* Check block log for sanity */ msblk->block_log = le16_to_cpu(sblk->block_log); if (msblk->block_log > SQUASHFS_FILE_MAX_LOG) goto failed_mount; + /* Check that block_size and block_log match */ + if (msblk->block_size != (1 << msblk->block_log)) + goto failed_mount; + /* Check the root inode for sanity */ root_inode = le64_to_cpu(sblk->root_inode); if (SQUASHFS_INODE_OFFSET(root_inode) > SQUASHFS_METADATA_SIZE) -- cgit v1.1