[PATCH] Squashfs: prevent signed integer conversion overflow in get_dir_index_using_name
From: Nikola Z. Ivanov
Date: Tue Feb 17 2026 - 07:13:38 EST
Syzkaller reports a "general protection fault in squashfs_copy_data".
This and other cases have already been covered here:
https://lore.kernel.org/all/20260217050955.138351-1-phillip@xxxxxxxxxxxxxxx/T/
However, in this case the culprit for the offset becoming negative
is that we interpret a large le32 as a signed int, which
comes out to be a negative value:
length = le32_to_cpu(index->index);
This happens in the call to get_dir_index_using_name
inside squashfs_lookup.
Later in the same function the arithmetic comes
out negative, as length is negative:
*next_offset = (length + *next_offset) % SQUASHFS_METADATA_SIZE;
Fix this by declaring length as an unsigned int.
Reported-by: syzbot+a9747fe1c35a5b115d3f@xxxxxxxxxxxxxxxxxxxxxxxxx
Closes: https://lore.kernel.org/all/699234e2.a70a0220.2c38d7.00e2.GAE@xxxxxxxxxx/
Signed-off-by: Nikola Z. Ivanov <zlatistiv@xxxxxxxxx>
---
fs/squashfs/namei.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/fs/squashfs/namei.c b/fs/squashfs/namei.c
index 65aae7e2a859..7f1f6d63d89d 100644
--- a/fs/squashfs/namei.c
+++ b/fs/squashfs/namei.c
@@ -65,8 +65,8 @@ static int get_dir_index_using_name(struct super_block *sb,
int index_offset, int i_count, const char *name)
{
struct squashfs_sb_info *msblk = sb->s_fs_info;
- int i, length = 0, err;
- unsigned int size;
+ int i, err;
+ unsigned int size, length = 0;
struct squashfs_dir_index *index;
TRACE("Entered get_dir_index_using_name, i_count %d\n", i_count);
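Review bot: the function still returns `int` (see the `static int get_dir_index_using_name(` context in the hunk header), so if `length` contributes to the return value the unsigned local is converted back to signed at the caller and a value above INT_MAX becomes negative again there; the type change only protects the `*next_offset = (length + *next_offset) % SQUASHFS_METADATA_SIZE;` computation quoted in the message. Since `index->index` comes from an untrusted image, consider rejecting out-of-range values at the point they are read (an explicit upper-bound check before `length = le32_to_cpu(index->index);`) and, if the return path carries `length`, adjusting that path as well, rather than relying on the unsigned declaration alone.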
--
2.52.0
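As an added illustration that is not part of this patch or of the kernel tree, the following plain C reproduces the conversions the commit message describes: a large 32-bit little-endian field stored in an `int` becomes negative and drags the modulo negative, an `unsigned int` keeps the modulo in range, and passing the unsigned value back through an `int` return reintroduces the negative value. `le32_to_cpu()` here is a local stand-in modelled on the kernel helper, and `SQUASHFS_METADATA_SIZE` is set to 8192 for the example; both are assumptions of this example, as is the constructed on-disk value.

```c
/* Added example, not kernel code: signed vs. unsigned handling of an on-disk le32. */
#include <stdint.h>
#include <stdio.h>

/* Assumption for this example: value used by the kernel for this constant. */
#define SQUASHFS_METADATA_SIZE 8192

/* Constructed on-disk field: little-endian 0x80000000, i.e. 2147483648. */
static const unsigned char big_le32[4] = { 0x00, 0x00, 0x00, 0x80 };
/* Constructed small field: little-endian 0x00002010, i.e. 8208. */
static const unsigned char small_le32[4] = { 0x10, 0x20, 0x00, 0x00 };

/* Stand-in for the kernel's le32_to_cpu(): decode four little-endian bytes. */
static uint32_t le32_to_cpu(const unsigned char raw[4])
{
	return (uint32_t)raw[0] | ((uint32_t)raw[1] << 8) |
	       ((uint32_t)raw[2] << 16) | ((uint32_t)raw[3] << 24);
}

/* Pre-patch shape: length is an int, so 0x80000000 is stored as INT_MIN
 * (implementation-defined, but modular on every common ABI) and C's
 * truncating '%' then yields a negative remainder. */
int next_offset_signed(const unsigned char raw[4], int next_offset)
{
	int length = le32_to_cpu(raw);
	return (length + next_offset) % SQUASHFS_METADATA_SIZE;
}

/* Post-patch shape: length is unsigned, the sum is computed unsigned and the
 * remainder is always in [0, SQUASHFS_METADATA_SIZE), so storing it in an int
 * is safe. */
int next_offset_unsigned(const unsigned char raw[4], int next_offset)
{
	unsigned int length = le32_to_cpu(raw);
	return (length + next_offset) % SQUASHFS_METADATA_SIZE;
}

/* Handing the unsigned value back through an int return converts it again:
 * anything above INT_MAX arrives negative at the caller. */
int returned_as_int(const unsigned char raw[4])
{
	unsigned int length = le32_to_cpu(raw);
	return length + 3;
}

int main(void)
{
	printf("signed   offset: %d\n", next_offset_signed(big_le32, 100));
	printf("unsigned offset: %d\n", next_offset_unsigned(big_le32, 100));
	printf("int return     : %d\n", returned_as_int(big_le32));
	printf("small, signed  : %d\n", next_offset_signed(small_le32, 100));
	return 0;
}
```

For the constructed 0x80000000 field the signed variant produces -8092 while the unsigned variant produces 100; the small field gives 116 either way, which is why the bug only shows up on crafted images. The last function is the part a type change alone does not cover: once the value crosses back into an `int`, a range check on the decoded field is what actually keeps it non-negative.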