squashfs: verify inode mode when loading from disk

Tetsuo Handa · akpm00 · commit bc107a619f02 · 2025-09-13T17:32:46.000-07:00
The inode mode loaded from corrupted disk might by error contain the file type bits. Since the file type bits are set by squashfs_read_inode() using bitwise OR, the file type bits must not be set by squashfs_new_inode() from squashfs_read_inode(); otherwise, an invalid file type bits later confuses may_open(). Link: https://lkml.kernel.org/r/f63d8d11-2254-4fc3-9292-9a43a93b374e@I-love.SAKURA.ne.jp Reported-by: syzbot <syzbot+895c23f6917da440ed0d@syzkaller.appspotmail.com> Closes: https://syzkaller.appspot.com/bug?extid=895c23f6917da440ed0d Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Reviewed-by: Phillip Lougher <phillip@squashfs.org.uk> Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
diff --git a/fs/squashfs/inode.c b/fs/squashfs/inode.c
@@ -68,6 +68,10 @@ static int squashfs_new_inode(struct super_block *sb, struct inode *inode,
 	inode->i_mode = le16_to_cpu(sqsh_ino->mode);
 	inode->i_size = 0;
 
+	/* File type must not be set at this moment, for it will later be set by the caller. */
+	if (inode->i_mode & S_IFMT)
+		err = -EIO;
+
 	return err;
 }
 

Original file line number	Diff line number	Diff line change
`@@ -68,6 +68,10 @@ static int squashfs_new_inode(struct super_block sb, struct inode inode,`
`68`	`68`	`inode->i_mode = le16_to_cpu(sqsh_ino->mode);`
`69`	`69`	`inode->i_size = 0;`
`70`	`70`
	`71`	`+ /* File type must not be set at this moment, for it will later be set by the caller. */`
	`72`	`+ if (inode->i_mode & S_IFMT)`
	`73`	`+ err = -EIO;`
	`74`	`+`
`71`	`75`	`return err;`
`72`	`76`	`}`
`73`	`77`