Linux Kernel Squashfs Metadata Block Offset Vulnerability Leading to Out-of-Bounds Access

Vulnerability

A vulnerability in the Linux kernel's Squashfs implementation allows out-of-bounds access due to improper handling of metadata block offsets. The issue arises when a corrupted index look-up table generates a negative offset, which is then passed to the 'squashfs_copy_data' function via 'squashfs_read_metadata'. The negative offset makes the copy access memory outside the allowed bounds, which triggers a general protection fault. The vulnerability affects the Linux kernel stable tree.

Impact

Exploitation of this vulnerability causes a general protection fault, leading to a crash of the affected process or system.

Reproduction

The vulnerability can be reproduced by manipulating the Squashfs index look-up table to create a negative metadata block offset. This can be done using a fuzzing tool like Syzkaller, which has reported the issue. The negative offset will be passed to 'squashfs_copy_data' through 'squashfs_read_metadata', causing an out-of-bounds access and a general protection fault.

Remediation

Users can upgrade to the latest version of the Linux kernel where this vulnerability has been fixed. The official Linux kernel Git repository can be used to download the patched version.
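
The following added example is a user-space model of the missing validation, not the kernel's code or the upstream patch: a metadata copy routine that rejects a negative or out-of-range offset before any pointer arithmetic. The names 'meta_block' and 'read_metadata_checked' and the sample values are assumptions made for illustration; 8192 is the size of an uncompressed Squashfs metadata block.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Squashfs metadata blocks hold at most 8 KiB of uncompressed data. */
#define METADATA_SIZE 8192

/* Hypothetical user-space stand-in for one decompressed metadata block. */
struct meta_block {
    uint8_t data[METADATA_SIZE];
    int     length;            /* number of valid bytes in data[] */
};

/*
 * Copy `len` bytes starting at `offset` inside the block into `dst`.
 * `offset` is signed because it is derived from on-disk values, so a
 * corrupted look-up table can make it negative. Returns the number of
 * bytes copied, or -EIO when the request falls outside the block.
 */
int read_metadata_checked(void *dst, const struct meta_block *blk,
                          int offset, int len)
{
    if (blk->length < 0 || blk->length > METADATA_SIZE)
        return -EIO;
    /* Reject negative or past-the-end offsets before any pointer math. */
    if (offset < 0 || offset >= blk->length)
        return -EIO;
    /* Written as a subtraction so the comparison cannot overflow. */
    if (len < 0 || len > blk->length - offset)
        return -EIO;
    memcpy(dst, blk->data + offset, (size_t)len);
    return len;
}

int main(void)
{
    /* Constructed sample block: 64 valid bytes filled with 0xAB. */
    static struct meta_block blk = { .length = 64 };
    uint8_t out[16];

    memset(blk.data, 0xAB, 64);
    printf("valid offset:    %d\n", read_metadata_checked(out, &blk, 8, 16));
    /* Constructed negative offset, as a corrupted table would yield. */
    printf("negative offset: %d\n", read_metadata_checked(out, &blk, -16, 16));
    printf("read past end:   %d\n", read_metadata_checked(out, &blk, 56, 16));
    return 0;
}
```

Without the 'offset < 0' test, 'blk->data + offset' would point before the buffer and the copy would read memory outside the block, which is the failure the advisory describes.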

Added: Mar 25, 2026, 11:37 AM
Updated: Mar 25, 2026, 11:37 AM

Vulnerability Rating

Custom Algorithm
spread: 9.0
impact: 2.5
exploitability: 4.3
remediation: 7.7
relevance: 4.7
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.