CVE-2024-46744
Severity CVSS v4.0:
Pending analysis
Type:
CWE-59
Link Following
Publication date:
18/09/2024
Last modified:
30/09/2024
Description
In the Linux kernel, the following vulnerability has been resolved:

Squashfs: sanity check symbolic link size

Syzkiller reports a "KMSAN: uninit-value in pick_link" bug.

This is caused by an uninitialised page, which is ultimately caused
by a corrupted symbolic link size read from disk.

The reason why the corrupted symlink size causes an uninitialised
page is due to the following sequence of events:

1. squashfs_read_inode() is called to read the symbolic
link from disk. This assigns the corrupted value
3875536935 to inode->i_size.

2. Later squashfs_symlink_read_folio() is called, which assigns
this corrupted value to the length variable, which being a
signed int, overflows producing a negative number.

3. The following loop that fills in the page contents checks that
the copied bytes are less than length, which being negative means
the loop is skipped, producing an uninitialised page.

This patch adds a sanity check which checks that the symbolic
link size is not larger than expected.

--

V2: fix spelling mistake.
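The three steps in the commit message, as an added user-space C model (this is not the kernel's Squashfs code). It reads the 32-bit on-disk symlink size into a 64-bit i_size, narrows it to a signed int the way squashfs_symlink_read_folio() does, and shows the copy loop being skipped for the reported value 3875536935, leaving the page as it was. The "fixed" read_inode rejects oversized symlinks before the size reaches the narrower type; the bound it uses (one page) and the names of the model functions are assumptions for this example, since the page only says the size is checked against what is expected.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PAGE_SIZE 4096   /* assumption: 4 KiB pages */
#define UNINIT    0xAA   /* stand-in for whatever the page held before */

/* Model of the on-disk symlink inode: only the field that matters here. */
struct symlink_inode_disk {
    uint32_t symlink_size;
};

/* Model of the in-memory inode. The kernel's i_size is a 64-bit loff_t,
 * so the 32-bit size is still intact at this stage. */
struct inode_model {
    int64_t i_size;
};

/* Constructed target bytes that would follow the inode on disk. */
static const char TARGET[] = "/etc/hostname";
#define TARGET_LEN ((int)sizeof(TARGET) - 1)

/* Page buffer shared by the demo helpers below. */
static unsigned char demo_page[PAGE_SIZE];

/* Step 1, vulnerable: squashfs_read_inode() passes the size through unchecked. */
static int read_inode_vulnerable(const struct symlink_inode_disk *d,
                                 struct inode_model *ino)
{
    ino->i_size = d->symlink_size;
    return 0;
}

/* Step 1, fixed: reject a symlink size larger than expected. The bound used
 * here (one page) is an assumption for this example; the page only says the
 * size is checked against what is expected. */
static int read_inode_fixed(const struct symlink_inode_disk *d,
                            struct inode_model *ino)
{
    ino->i_size = d->symlink_size;
    if (ino->i_size > PAGE_SIZE)
        return -EINVAL;
    return 0;
}

/* Step 2: the assignment of i_size to a signed int. Above INT_MAX the
 * result wraps negative on the usual two's-complement targets. */
static int truncated_length(int64_t i_size)
{
    int length = (int)i_size;
    return length;
}

/* Steps 2 and 3: squashfs_symlink_read_folio(). Copies target bytes while
 * bytes < length; a negative length skips the loop and the page keeps its
 * previous contents. Returns the number of bytes copied. */
static int symlink_read_folio(const struct inode_model *ino,
                              unsigned char *page)
{
    int length = truncated_length(ino->i_size);
    int bytes = 0;

    memset(page, UNINIT, PAGE_SIZE);
    while (bytes < length && bytes < TARGET_LEN && bytes < PAGE_SIZE) {
        page[bytes] = TARGET[bytes];
        bytes++;
    }
    return bytes;
}

/* Drives one on-disk symlink_size through read_inode and read_folio using
 * demo_page. Returns bytes copied (0 means the page was left untouched), or
 * -EINVAL when the fixed read_inode rejects the inode. */
static int demo_copied(uint32_t symlink_size, int use_fix)
{
    struct symlink_inode_disk d = { .symlink_size = symlink_size };
    struct inode_model ino;
    int ret = use_fix ? read_inode_fixed(&d, &ino)
                      : read_inode_vulnerable(&d, &ino);

    if (ret < 0)
        return ret;
    return symlink_read_folio(&ino, demo_page);
}

/* 1 if the copy loop never wrote demo_page, 0 otherwise. */
static int demo_page_untouched(void)
{
    return demo_page[0] == UNINIT;
}

int main(void)
{
    const uint32_t corrupt = 3875536935u;   /* value from the report */
    int copied;

    printf("i_size %u as int: %d\n", corrupt, truncated_length(corrupt));
    copied = demo_copied(corrupt, 0);
    printf("vulnerable: copied %d bytes, page untouched: %d\n",
           copied, demo_page_untouched());
    printf("fixed: read_inode returned %d\n", demo_copied(corrupt, 1));
    copied = demo_copied((uint32_t)TARGET_LEN, 1);
    printf("valid %d-byte link: copied %d bytes\n", TARGET_LEN, copied);
    return 0;
}
```

The point of placing the check in the inode-read path rather than in the folio-read loop is that the value is still held in its wide type there; once it has been narrowed to a signed int, a comparison against it can no longer tell a huge size from a negative one.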
Impact
CVSS v3.x Base Score: 7.8
CVSS v3.x Severity: HIGH
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | | 4.19.322 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 4.20 (including) | 5.4.284 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.5 (including) | 5.10.226 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.11 (including) | 5.15.167 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.16 (including) | 6.1.110 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.2 (including) | 6.6.51 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.7 (including) | 6.10.10 (excluding) |
| cpe:2.3:o:linux:linux_kernel:6.11:rc1:*:*:*:*:*:* | | |
| cpe:2.3:o:linux:linux_kernel:6.11:rc2:*:*:*:*:*:* | | |
| cpe:2.3:o:linux:linux_kernel:6.11:rc3:*:*:*:*:*:* | | |
References to Advisories, Solutions, and Tools
- https://git.kernel.org/stable/c/087f25b2d36adae19951114ffcbb7106ed405ebb
- https://git.kernel.org/stable/c/1b9451ba6f21478a75288ea3e3fca4be35e2a438
- https://git.kernel.org/stable/c/5c8906de98d0d7ad42ff3edf2cb6cd7e0ea658c4
- https://git.kernel.org/stable/c/810ee43d9cd245d138a2733d87a24858a23f577d
- https://git.kernel.org/stable/c/c3af7e460a526007e4bed1ce3623274a1a6afe5e
- https://git.kernel.org/stable/c/ef4e249971eb77ec33d74c5c3de1e2576faf6c90
- https://git.kernel.org/stable/c/f82cb7f24032ed023fc67d26ea9bf322d8431a90
- https://git.kernel.org/stable/c/fac5e82ab1334fc8ed6ff7183702df634bd1d93d