Buffer overflow adding to archive with pseudo file at '/'

Bug #1745757 reported by Matthew Fearnley
Affects: squashfs-tools (Ubuntu)
Status: Fix Released
Importance: Undecided
Assigned to: Unassigned

Bug Description

Description: Ubuntu 16.04.3 LTS
Release: 16.04
squashfs-tools: Installed: 1:4.3-3ubuntu2.16.04.1

mksquashfs can create a filesystem with a pseudo file at '/', but unsquashfs doesn't like the result, and mksquashfs crashes trying to add to it.

$ rm /tmp/crash.sfs

$ mksquashfs /tmp/empty /tmp/crash.sfs -p "/ f 444 root root echo"
Parallel mksquashfs: Using 4 processors
Creating 4.0 filesystem on /tmp/crash.sfs, block size 131072.
[===================================================================|] 1/1 100%

Exportable Squashfs 4.0 filesystem, gzip compressed, data block size 131072
 compressed data, compressed metadata, compressed fragments, compressed xattrs
 duplicates are removed
Filesystem size 0.22 Kbytes (0.00 Mbytes)
 92.37% of uncompressed filesystem size (0.24 Kbytes)
Inode table size 45 bytes (0.04 Kbytes)
 68.18% of uncompressed inode table size (66 bytes)
Directory table size 20 bytes (0.02 Kbytes)
 90.91% of uncompressed directory table size (22 bytes)
Number of duplicate files found 0
Number of inodes 2
Number of files 1
Number of fragments 1
Number of symbolic links 0
Number of device nodes 0
Number of fifo nodes 0
Number of socket nodes 0
Number of directories 1
Number of ids (unique uids + gids) 2
Number of uids 2
 root (0)
 matthew (1000)
Number of gids 2
 root (0)
 matthew (1000)

$ unsquashfs -i /tmp/crash.sfs
Parallel unsquashfs: Using 4 processors
0 inodes (0 blocks) to write

dir_scan: failed to read directory squashfs-root, skipping

created 0 files
created 0 directories
created 0 symlinks
created 0 devices
created 0 fifos

$ mksquashfs /tmp/empty /tmp/crash.sfs
Found a valid exportable SQUASHFS superblock on /tmp/crash.sfs.
 Compression used gzip
 Inodes are compressed
 Data is compressed
 Fragments are compressed
 Xattrs are compressed
 Fragments are present in the filesystem
 Always-use-fragments option is not specified
 Duplicates are removed
 Xattrs are stored
 Filesystem size 0.22 Kbytes (0.00 Mbytes)
 Block size 131072
 Number of fragments 1
 Number of inodes 2
 Number of ids 2

Parallel mksquashfs: Using 4 processors
Scanning existing filesystem...
Read existing filesystem, 1 inodes scanned
*** buffer overflow detected ***: mksquashfs terminated
======= Backtrace: =========
/lib/x86_64-linux-gnu/libc.so.6(+0x777e5)[0x7f828fe667e5]
/lib/x86_64-linux-gnu/libc.so.6(__fortify_fail+0x5c)[0x7f828ff0815c]
/lib/x86_64-linux-gnu/libc.so.6(+0x117160)[0x7f828ff06160]
mksquashfs[0x40febc]
mksquashfs[0x4107fd]
mksquashfs[0x404374]
/lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xf0)[0x7f828fe0f830]
mksquashfs[0x405399]
======= Memory map: ========
Aborted (core dumped)

Matthew Fearnley (matthew-w-fearnley) wrote :

I'm not an expert, but I tried running the current GitHub source through a debugger.

The problematic line seems to be in read_fs.c:

https://github.com/plougher/squashfs-tools/blob/7d7f2da27d5c39de89c5fae61eb611666f297c03/squashfs-tools/read_fs.c#L678

 memcpy(dire->name, directory_table + bytes,
  dire->size + 1);

dire->size is 65535.

I'm attaching the 'crash.sfs' file I created (with mksquashfs -p '/ f 444 root root echo').

(If the crash.sfs file itself is invalid, I guess that's a separate issue.)

Matthew Fearnley (matthew-w-fearnley) wrote :

I filed a separate Issue on GitHub: https://github.com/plougher/squashfs-tools/issues/50
I believe the problems were fixed in these two commits:

https://github.com/plougher/squashfs-tools/commit/c249ba3bbdb41034f6027f93d590a8ea06d32c75
mksquashfs: add filesystem corruption checks when reading filesystem

https://github.com/plougher/squashfs-tools/commit/26e4babf09aba71b3e65b082069d74b6696ee8db
pseudo: Don't allow filenames consisting only of "/"s to be used
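The unchecked memcpy quoted above and the two fixes, as an added example (not squashfs-tools code): a simplified SquashFS directory-entry reader that validates the stored name length before copying, beside a pseudo-file name check that rejects names made only of "/". The 8-byte entry header (offset, inode_number, type, size; 16-bit little-endian, name stored as size+1 bytes) and the 256-byte name limit follow the SquashFS 4.0 format; the function names and sample bytes are constructed for this example.

```c
/* Added example, not squashfs-tools code: a simplified SquashFS directory
 * entry reader with the corruption check the fix adds, plus the pseudo-file
 * name check from the second commit. Header layout (offset, inode_number,
 * type, size; 16-bit little-endian; name stored as size+1 bytes) and the
 * 256-byte name limit follow SquashFS 4.0; names and samples are constructed. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define NAME_LEN 256        /* SquashFS maximum filename length */
#define DIR_ENTRY_HDR 8     /* fixed header bytes before the name */

struct dir_entry {
    uint16_t offset, inode_number, type, size;
    char name[NAME_LEN + 1];
};

static uint16_t le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* Parse one entry at table[pos]. Returns bytes consumed, or 0 for a corrupt
 * entry. The report's crash came from copying size+1 bytes into name[]
 * unconditionally; here size is validated against the buffer and against
 * the table length before the memcpy. */
size_t read_dir_entry_checked(const uint8_t *table, size_t table_len,
                              size_t pos, struct dir_entry *out)
{
    if (table_len < DIR_ENTRY_HDR || pos > table_len - DIR_ENTRY_HDR)
        return 0;                       /* header runs past the table */
    out->offset       = le16(table + pos);
    out->inode_number = le16(table + pos + 2);
    out->type         = le16(table + pos + 4);
    out->size         = le16(table + pos + 6);
    size_t name_len = (size_t)out->size + 1;
    if (name_len > NAME_LEN)
        return 0;                       /* "filename too long" */
    if (name_len > table_len - pos - DIR_ENTRY_HDR)
        return 0;                       /* name runs past the table */
    memcpy(out->name, table + pos + DIR_ENTRY_HDR, name_len);
    out->name[name_len] = '\0';
    return DIR_ENTRY_HDR + name_len;
}

/* Reject pseudo-file names consisting only of '/' (such as the "/" in the
 * report), which would otherwise name the root directory itself. */
int pseudo_name_ok(const char *name)
{
    return name[0] != '\0' && name[strspn(name, "/")] != '\0';
}

/* Constructed sample tables: a valid entry named "etc" (size = 2) and the
 * corrupt pattern from the report (size = 0xffff, i.e. 65535). */
const uint8_t good_entry[] = {0,0, 1,0, 1,0, 2,0, 'e','t','c'};
const uint8_t bad_entry[]  = {0,0, 1,0, 1,0, 0xff,0xff, 'x'};
```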

Matthew Fearnley (matthew-w-fearnley) wrote :

Tested the mksquashfs command in version 4.4 (2019/08/29) on Ubuntu 20.04.
It now says: Not enough or invalid arguments in pseudo file definition "/ f 444 root root echo"

Appending to the archive now reports "File system corrupted: filename too long" and fails gracefully.

Listing the archive also reports the corruption, and fails earlier with "FATAL ERROR:dir_scan: failed to read directory squashfs-root"

Changed in squashfs-tools (Ubuntu):
status: New → Fix Released