CVE-2024-26982

Severity CVSS v4.0:
Pending analysis
Type:
CWE-125 Out-of-bounds Read
Publication date:
01/05/2024
Last modified:
16/04/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

Squashfs: check the inode number is not the invalid value of zero

Syskiller has produced an out of bounds access in fill_meta_index().

That out of bounds access is ultimately caused because the inode
has an inode number with the invalid value of zero, which was not checked.

The reason this causes the out of bounds access is due to following
sequence of events:

1. Fill_meta_index() is called to allocate (via empty_meta_index())
and fill a metadata index. It however suffers a data read error
and aborts, invalidating the newly returned empty metadata index.
It does this by setting the inode number of the index to zero,
which means unused (zero is not a valid inode number).

2. When fill_meta_index() is subsequently called again on another
read operation, locate_meta_index() returns the previous index
because it matches the inode number of 0. Because this index
has been returned it is expected to have been filled, and because
it hasn't been, an out of bounds access is performed.

This patch adds a sanity check which checks that the inode number
is not zero when the inode is created and returns -EINVAL if it is.

[phillip@squashfs.org.uk: whitespace fix]
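The two-step sequence above is easiest to see in a small model. The following C program is an added example written for this page; it is not Squashfs or Linux kernel code. Only the function names (fill_meta_index, locate_meta_index, empty_meta_index) follow the commit message; the struct layout, slot and entry counts, the read_block() stub and the replay_sequence() driver are assumptions. It shows why using 0 both as the "unused slot" marker and as a lookup key lets an invalidated, never-filled index be handed back, and how rejecting inode number 0 at inode creation (the fix) prevents the stale match.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Added example, not Linux kernel code: a cut-down model of the Squashfs
 * metadata-index cache described in the commit message. Function names
 * follow the message; the layout, sizes and read_block() are assumptions. */

#define META_SLOTS   4   /* assumed: number of cached index slots */
#define META_ENTRIES 8   /* assumed: entries per filled index */

struct meta_index {
    unsigned int inode_number;      /* 0 means "slot unused" */
    int          entries;           /* how many meta[] entries were filled */
    unsigned int meta[META_ENTRIES];
};

static struct meta_index cache[META_SLOTS];
static int next_slot;

void meta_cache_reset(void)
{
    memset(cache, 0, sizeof cache);
    next_slot = 0;
}

/* Find a cached index by inode number. Because 0 doubles as the "unused"
 * marker, a lookup for inode 0 matches an invalidated slot. */
struct meta_index *locate_meta_index(unsigned int inode_number)
{
    for (int i = 0; i < META_SLOTS; i++)
        if (cache[i].inode_number == inode_number)
            return &cache[i];
    return NULL;
}

/* Hand out the next slot round-robin and stamp it with the inode number. */
static struct meta_index *empty_meta_index(unsigned int inode_number)
{
    struct meta_index *m = &cache[next_slot];
    next_slot = (next_slot + 1) % META_SLOTS;
    m->inode_number = inode_number;
    m->entries = 0;
    return m;
}

/* Stand-in for the metadata read; fails on demand to reproduce step 1.
 * The values written are constructed for the example. */
static int read_block(int read_fails, unsigned int *out, int n)
{
    if (read_fails)
        return -EIO;
    for (int i = 0; i < n; i++)
        out[i] = 0x1000u * (unsigned int)(i + 1);
    return 0;
}

/* Return entry `want` of the index for `inode_number`, or a negative errno.
 * -ERANGE marks the point where the real code read out of bounds: an index
 * that locate_meta_index() returned but that was never filled. */
long fill_meta_index(unsigned int inode_number, int want, int read_fails)
{
    struct meta_index *m = locate_meta_index(inode_number);
    if (m == NULL) {
        m = empty_meta_index(inode_number);
        if (read_block(read_fails, m->meta, META_ENTRIES) < 0) {
            m->inode_number = 0;   /* invalidate, but 0 is also a lookup key */
            return -EIO;
        }
        m->entries = META_ENTRIES;
    }
    if (want < 0 || want >= m->entries)
        return -ERANGE;            /* guard that exists only in this model */
    return m->meta[want];
}

/* The fix from the commit message: refuse inode number zero when the inode
 * is created, so it never reaches the index cache. */
int squashfs_check_inode_number(unsigned int inode_number)
{
    return inode_number == 0 ? -EINVAL : 0;
}

/* Replay the two steps. Returns -EINVAL when the fix rejects the inode,
 * -ERANGE when the stale slot is handed back unfilled (the bug), or the
 * entry value if nothing went wrong. */
long replay_sequence(int apply_fix)
{
    meta_cache_reset();
    /* Step 1: a read error while filling inode 42 zeroes its slot. */
    if (fill_meta_index(42, 0, 1) != -EIO)
        return -1;
    /* Step 2: an inode carrying the invalid number 0 is looked up. */
    if (apply_fix && squashfs_check_inode_number(0) < 0)
        return -EINVAL;
    return fill_meta_index(0, 3, 0);
}

int main(void)
{
    printf("unfixed: %ld (expect %d)\n", replay_sequence(0), -ERANGE);
    printf("fixed:   %ld (expect %d)\n", replay_sequence(1), -EINVAL);
    return 0;
}
```

Run as-is and the unfixed path returns -ERANGE, the model's stand-in for the out-of-bounds read: locate_meta_index() returns the slot that step 1 zeroed, and the caller trusts it as filled. With the check applied, inode number 0 is refused with -EINVAL before any index lookup happens, which is the shape of the upstream fix. The general lesson is that a sentinel value used to mark "unused" must not be a value a lookup key can legitimately (or illegitimately, from untrusted filesystem metadata) take.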

Vulnerable products and versions

CPE                                                 From               Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*        -                  6.6.30 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*        6.7 (including)    6.8.8 (excluding)
cpe:2.3:o:linux:linux_kernel:6.9:rc1:*:*:*:*:*:*    -                  -
cpe:2.3:o:linux:linux_kernel:6.9:rc2:*:*:*:*:*:*    -                  -
cpe:2.3:o:linux:linux_kernel:6.9:rc3:*:*:*:*:*:*    -                  -
cpe:2.3:o:linux:linux_kernel:6.9:rc4:*:*:*:*:*:*    -                  -