Lizhi Xu

Name of the Vulnerable Software and Affected Versions: Linux kernel (affected versions not specified) Description: A task hang occurs in `vcs open()` during a fuzzing test for `nilfs2` due to an issue where `nilfs find entry()` ignores errors when loading a directory page/folio via `nilfs get folio()` fails. If the filesystem image is corrupted and the `i size` of the directory inode is large, and the directory page/folio is successfully read but fails the sanity check, `nilfs check folio()` may continue to spit out error messages in bursts. The issue is resolved by propagating the error to the callers when loading a page/folio fails in `nilfs find entry()`. Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** The issue is caused by an uninitialised page, which is ultimately caused by a corrupted symbolic link size read from disk. The reason why the corrupted symlink size causes an uninitialised page is due to the following sequence of events: 1. `squashfs read inode()` is called to read the symbolic link from disk, assigning a corrupted value to `inode->i size`. 2. Later `squashfs symlink read folio()` is called, which assigns this corrupted value to the `length` variable, a signed int that overflows producing a negative number. 3. The loop that fills in the page contents checks that the copied bytes are less than `length`, which being negative means the loop is skipped, producing an uninitialised page. This patch adds a sanity check which checks that the symbolic link size is not larger than expected. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.