* + squashfs-check-xz-dictionary-size-isnt-zero.patch added to mm-nonmm-unstable branch
@ 2026-02-20  0:13 Andrew Morton
From: Andrew Morton @ 2026-02-20  0:13 UTC (permalink / raw)
  To: mm-commits, brauner, phillip, akpm


The patch titled
     Subject: Squashfs: check xz dictionary size isn't zero
has been added to the -mm mm-nonmm-unstable branch.  Its filename is
     squashfs-check-xz-dictionary-size-isnt-zero.patch

This patch will shortly appear at
     https://git.kernel.org/pub/scm/linux/kernel/git/akpm/25-new.git/tree/patches/squashfs-check-xz-dictionary-size-isnt-zero.patch

This patch will later appear in the mm-nonmm-unstable branch at
    git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm

Before you just go and hit "reply", please:
   a) Consider who else should be cc'ed
   b) Prefer to cc a suitable mailing list as well
   c) Ideally: find the original patch on the mailing list and do a
      reply-to-all to that, adding suitable additional cc's

*** Remember to use Documentation/process/submit-checklist.rst when testing your code ***

The -mm tree is included into linux-next via various
branches at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm
and is updated there most days

------------------------------------------------------
From: Phillip Lougher <phillip@squashfs.org.uk>
Subject: Squashfs: check xz dictionary size isn't zero
Date: Tue, 17 Feb 2026 23:15:37 +0000

Syzkaller reports a "UBSAN: shift-out-of-bounds in squashfs_xz_comp_opts".

This is caused by a zero dict_size value read from disk, which produces a
negative shift.

The fix is to check that the dict_size is not zero.

Link: https://lkml.kernel.org/r/20260217231537.206436-1-phillip@squashfs.org.uk
Fixes: ff750311d30a ("Squashfs: add compression options support to xz decompressor")
Signed-off-by: Phillip Lougher <phillip@squashfs.org.uk>
Reported-by: syzbot+99fc070a2affcd27784b@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/all/6994c60f.a70a0220.2c38d7.0108.GAE@google.com/
Cc: Christian Brauner <brauner@kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
---

 fs/squashfs/xz_wrapper.c |    6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

--- a/fs/squashfs/xz_wrapper.c~squashfs-check-xz-dictionary-size-isnt-zero
+++ a/fs/squashfs/xz_wrapper.c
@@ -58,9 +58,9 @@ static void *squashfs_xz_comp_opts(struc
 		opts->dict_size = le32_to_cpu(comp_opts->dictionary_size);
 
 		/* the dictionary size should be 2^n or 2^n+2^(n+1) */
-		n = ffs(opts->dict_size) - 1;
-		if (opts->dict_size != (1 << n) && opts->dict_size != (1 << n) +
-						(1 << (n + 1))) {
+		n = ffs(opts->dict_size);
+		if (n-- == 0 || (opts->dict_size != (1 << n) &&
+				opts->dict_size != (1 << n) + (1 << (n + 1)))) {
 			err = -EIO;
 			goto out;
 		}
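Review bot: the `n-- == 0` in the new condition (`if (n-- == 0 || (opts->dict_size != (1 << n) &&`) folds the zero check and the ffs()-to-bit-index adjustment into a single expression; it is correct, because `||` short-circuits before any `1 << n` is evaluated when ffs() returned 0 for a zero on-disk dictionary_size, but the post-decrement inside the comparison is easy to misread during review. Consider the more explicit form `n = ffs(opts->dict_size); if (n == 0) { err = -EIO; goto out; } n--;` and extend the comment above ("the dictionary size should be 2^n or 2^n+2^(n+1)") to say that a zero size is rejected because ffs(0) returns 0, so the reliance on that return value is documented next to the check.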
_
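The following is an added, stand-alone example (not code from the patch or from the kernel) that mirrors the corrected validation in user space, so the accepted set of dictionary sizes and the zero-size edge case can be exercised directly. `xz_dict_size_valid()` and `old_shift_count()` are hypothetical helper names chosen here; the sample values in `main()` are constructed for illustration. It uses 64-bit arithmetic for the `2^(n+1)` term, which is a deliberate difference from the kernel code so that the example never shifts a 32-bit `1` by 32.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <strings.h>   /* ffs() */

/*
 * Hypothetical user-space mirror of the fixed squashfs check (not kernel
 * code).  A dictionary size read from an untrusted image is accepted only
 * if it is 2^n or 2^n + 2^(n+1) (i.e. 3 * 2^n).  Zero is rejected up front,
 * since ffs(0) returns 0 and there is no lowest set bit to derive n from.
 */
static bool xz_dict_size_valid(uint32_t dict_size)
{
	int n = ffs((int)dict_size);	/* 1-based index of lowest set bit, 0 if none */

	if (n == 0)
		return false;		/* zero on-disk size: corrupt or malicious image */
	n--;				/* convert to a 0-based shift count */

	/* 64-bit so that pow2 << 1 cannot overflow when n == 31 */
	uint64_t pow2 = (uint64_t)1 << n;

	return dict_size == pow2 || dict_size == pow2 + (pow2 << 1);
}

/*
 * What the pre-fix code used as the shift count: ffs(x) - 1.  For x == 0
 * this is -1, and the subsequent `1 << -1` is the undefined behaviour that
 * UBSAN reported.  Only the count is computed here; no shift is performed.
 */
static int old_shift_count(uint32_t dict_size)
{
	return ffs((int)dict_size) - 1;
}

int main(void)
{
	/* constructed sample values: on-disk dictionary sizes as a reader might see them */
	const uint32_t samples[] = {
		0,		/* the syzkaller case: zero size */
		1, 3, 5,	/* 2^0, 2^0 + 2^1, and a non-matching value */
		8192, 12288,	/* 2^13 and 2^12 + 2^13, typical XZ sizes */
		12289,		/* off by one */
		0x80000000u,	/* 2^31: the largest power of two that fits */
		0xC0000000u,	/* 2^30 + 2^31 */
		0xE0000000u,	/* three set bits: not a valid size */
	};
	size_t i;

	for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
		uint32_t s = samples[i];

		printf("dict_size=%10u  old shift count=%3d  %s\n",
		       s, old_shift_count(s),
		       xz_dict_size_valid(s) ? "accepted" : "rejected (-EIO)");
	}
	return 0;
}
```

The table printed by `main()` makes the two halves of the fix visible side by side: the old shift count is -1 only for the zero input, and the validator rejects exactly that value plus every size that is not a power of two or 1.5 times a power of two.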

Patches currently in -mm which might be from phillip@squashfs.org.uk are

squashfs-check-metadata-block-offset-is-within-range.patch
squashfs-check-xz-dictionary-size-isnt-zero.patch

