From a7dc37d38c8eddcd14008b115e254279bb88bbc1 Mon Sep 17 00:00:00 2001 From: Joao Marcos Costa Date: Fri, 11 Sep 2020 12:21:06 +0200 Subject: [PATCH] fs/squashfs: Fix Coverity Scan defects Fix control flow issues and null pointer dereferences. Signed-off-by: Joao Marcos Costa --- fs/squashfs/sqfs.c | 20 +++++++++++++------- fs/squashfs/sqfs_dir.c | 3 +-- fs/squashfs/sqfs_inode.c | 5 ++++- 3 files changed, 18 insertions(+), 10 deletions(-) diff --git a/fs/squashfs/sqfs.c b/fs/squashfs/sqfs.c index f67f7c4a40..15208b4dab 100644 --- a/fs/squashfs/sqfs.c +++ b/fs/squashfs/sqfs.c @@ -154,7 +154,7 @@ static int sqfs_frag_lookup(u32 inode_fragment_index, header = get_unaligned_le16(metadata_buffer + table_offset); metadata = metadata_buffer + table_offset + SQFS_HEADER_SIZE; - if (!metadata) { + if (!metadata || !header) { ret = -ENOMEM; goto free_buffer; } @@ -434,9 +434,9 @@ static int sqfs_search_dir(struct squashfs_dir_stream *dirs, char **token_list, { struct squashfs_super_block *sblk = ctxt.sblk; char *path, *target, **sym_tokens, *res, *rem; - struct squashfs_ldir_inode *ldir = NULL; int j, ret, new_inode_number, offset; struct squashfs_symlink_inode *sym; + struct squashfs_ldir_inode *ldir; struct squashfs_dir_inode *dir; struct fs_dir_stream *dirsp; struct fs_dirent *dent; @@ -448,8 +448,8 @@ static int sqfs_search_dir(struct squashfs_dir_stream *dirs, char **token_list, table = sqfs_find_inode(dirs->inode_table, le32_to_cpu(sblk->inodes), sblk->inodes, sblk->block_size); - /* root is a regular directory, not an extended one */ dir = (struct squashfs_dir_inode *)table; + ldir = (struct squashfs_ldir_inode *)table; /* get directory offset in directory table */ offset = sqfs_dir_offset(table, m_list, m_count); @@ -1146,7 +1146,10 @@ static int sqfs_get_regfile_info(struct squashfs_reg_inode *reg, finfo->start = get_unaligned_le32(®->start_block); finfo->frag = SQFS_IS_FRAGMENTED(get_unaligned_le32(®->fragment)); - if (finfo->size < 1 || finfo->offset < 0 || finfo->start < 0) + if (finfo->frag && finfo->offset == 0xFFFFFFFF) + return -EINVAL; + + if (finfo->size < 1 || finfo->start == 0xFFFFFFFF) return -EINVAL; if (finfo->frag) { @@ -1156,7 +1159,7 @@ static int sqfs_get_regfile_info(struct squashfs_reg_inode *reg, if (ret < 0) return -EINVAL; finfo->comp = true; - if (fentry->size < 1 || fentry->start < 0) + if (fentry->size < 1 || fentry->start == 0x7FFFFFFF) return -EINVAL; } else { datablk_count = DIV_ROUND_UP(finfo->size, le32_to_cpu(blksz)); @@ -1181,7 +1184,10 @@ static int sqfs_get_lregfile_info(struct squashfs_lreg_inode *lreg, finfo->start = get_unaligned_le64(&lreg->start_block); finfo->frag = SQFS_IS_FRAGMENTED(get_unaligned_le32(&lreg->fragment)); - if (finfo->size < 1 || finfo->offset < 0 || finfo->start < 0) + if (finfo->frag && finfo->offset == 0xFFFFFFFF) + return -EINVAL; + + if (finfo->size < 1 || finfo->start == 0x7FFFFFFF) return -EINVAL; if (finfo->frag) { @@ -1191,7 +1197,7 @@ static int sqfs_get_lregfile_info(struct squashfs_lreg_inode *lreg, if (ret < 0) return -EINVAL; finfo->comp = true; - if (fentry->size < 1 || fentry->start < 0) + if (fentry->size < 1 || fentry->start == 0x7FFFFFFF) return -EINVAL; } else { datablk_count = DIV_ROUND_UP(finfo->size, le32_to_cpu(blksz)); diff --git a/fs/squashfs/sqfs_dir.c b/fs/squashfs/sqfs_dir.c index 00d2891e7d..a265b98fe6 100644 --- a/fs/squashfs/sqfs_dir.c +++ b/fs/squashfs/sqfs_dir.c @@ -34,8 +34,7 @@ int sqfs_dir_offset(void *dir_i, u32 *m_list, int m_count) struct squashfs_ldir_inode *ldir; struct squashfs_dir_inode *dir; u32 start_block; - u16 offset; - int j; + int j, offset; switch (get_unaligned_le16(&base->inode_type)) { case SQFS_DIR_TYPE: diff --git a/fs/squashfs/sqfs_inode.c b/fs/squashfs/sqfs_inode.c index 1387779a85..1368f3063c 100644 --- a/fs/squashfs/sqfs_inode.c +++ b/fs/squashfs/sqfs_inode.c @@ -142,8 +142,11 @@ int sqfs_read_metablock(unsigned char *file_mapping, int offset, u16 header; data = file_mapping + offset; + if (!data) + return -EFAULT; + header = get_unaligned((u16 *)data); - if (!header || !data) + if (!header) return -EINVAL; *compressed = SQFS_COMPRESSED_METADATA(header); -- 2.39.5