Bug#864802: unblock: squashfs-tools/1:4.3-4
Package: release.debian.org
User: release.debian.org@packages.debian.org
Usertags: unblock
Hi Release Team,
There are two data corruption bugs in squashfs-tools that are fixed in the
last upload for Sid. I let it age seven days even if the fixes are quite
straightforward.
The first is due to a rare race condition of filesystem
finalization[1] and the fix is to hold the thread lock longer until the
write buffer is put in line on the queue.
+- pthread_mutex_unlock(&fragment_mutex);
+ queue_put(to_writer, write_buffer);
++ pthread_mutex_unlock(&fragment_mutex);
The second is a 2 GB limit in file size in certain conditions as one
place used a wrong (limited in size) variable type. As such, the fix
is the following.
+- int file_size = inode->buf.st_size;
++ off_t file_size = inode->buf.st_size;
An Endless OS developer also confirmed[2] that the fix is correct.
Full debdiff is attached.
Thanks for consideration,
Laszlo/GCS
[1] https://github.com/plougher/squashfs-tools/commit/de03266983ceb62e5365aac84fcd3b2fd4d16e6f
[2] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=788185#37
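
The ordering problem described above and in the upstream commit message, modelled as an added example (not part of the original message or of squashfs-tools; the names unsafe_windows, before_fix and after_fix are illustrative). It assumes the deflator holds fragment_mutex when it decrements the counter, and steps through both orderings without threads to find where the main thread could see a zero counter before the fragment is queued:

```c
#include <stdio.h>

/* Steps of one frag_deflator iteration, as named in the commit message. */
enum step { DECREMENT, UNLOCK, QUEUE_PUT };

/* Order before the fix: mutex released before the buffer is queued. */
static const enum step before_fix[] = { DECREMENT, UNLOCK, QUEUE_PUT };
/* Order after the fix: buffer queued while the mutex is still held. */
static const enum step after_fix[]  = { DECREMENT, QUEUE_PUT, UNLOCK };

/*
 * Walk the deflator's steps for the last in-flight fragment and count the
 * points where the main thread could take fragment_mutex, read
 * fragments_outstanding == 0, and go on to synchronise with the writer
 * although the fragment is not yet on the to_writer queue.
 */
int unsafe_windows(const enum step *order, int nsteps)
{
    int outstanding = 1;   /* one fragment still in flight (assumed) */
    int mutex_held = 1;    /* deflator enters the sequence holding the mutex */
    int queued = 0;        /* has the fragment been handed to the writer? */
    int windows = 0;
    int i;

    for (i = 0; i < nsteps; i++) {
        switch (order[i]) {
        case DECREMENT: outstanding--;  break;
        case UNLOCK:    mutex_held = 0; break;
        case QUEUE_PUT: queued = 1;     break;
        }
        /* The main thread can only read the counter while the mutex is free. */
        if (!mutex_held && outstanding == 0 && !queued)
            windows++;
    }
    return windows;
}

int main(void)
{
    printf("before fix: %d unsafe window(s)\n", unsafe_windows(before_fix, 3));
    printf("after fix:  %d unsafe window(s)\n", unsafe_windows(after_fix, 3));
    return 0;
}
```
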
diff -Nru squashfs-tools-4.3/debian/changelog squashfs-tools-4.3/debian/changelog
--- squashfs-tools-4.3/debian/changelog 2015-10-21 20:03:07.000000000 +0000
+++ squashfs-tools-4.3/debian/changelog 2017-06-07 17:47:58.000000000 +0000
@@ -1,3 +1,12 @@
+squashfs-tools (1:4.3-4) unstable; urgency=medium
+
+ * Backport patch to fix rare race in fragment waiting in filesystem
+ finalisation.
+ * Backport fix for 2GB-limit of the is_fragment(...) function
+ (closes: #788185).
+
+ -- Laszlo Boszormenyi (GCS) <gcs@debian.org> Wed, 07 Jun 2017 17:47:58 +0000
+
squashfs-tools (1:4.3-3) unstable; urgency=low
* Use patch from upstream BTS to support LZMA magics (closes: #802446).
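Review bot: the first changelog bullet names neither a bug number nor the upstream commit, while the second carries "closes: #788185". Adding the upstream commit id that heads 0006-uptream-fix-race.patch to the first bullet would make the race backport traceable from the changelog alone.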
diff -Nru squashfs-tools-4.3/debian/patches/0006-uptream-fix-race.patch squashfs-tools-4.3/debian/patches/0006-uptream-fix-race.patch
--- squashfs-tools-4.3/debian/patches/0006-uptream-fix-race.patch 1970-01-01 00:00:00.000000000 +0000
+++ squashfs-tools-4.3/debian/patches/0006-uptream-fix-race.patch 2017-06-07 17:47:58.000000000 +0000
@@ -0,0 +1,54 @@
+commit de03266983ceb62e5365aac84fcd3b2fd4d16e6f
+Author: Phillip Lougher <phillip@squashfs.org.uk>
+Date: Thu Sep 18 01:28:11 2014 +0100
+
+ mksquashfs: fix rare race in fragment waiting in filesystem finalisation
+
+ Fix a rare race condition in fragment waiting when finalising the
+ filesystem. This is a race condition that was initially fixed in 2009,
+ but inadvertantly re-introduced in the latest release when the code
+ was rewritten.
+
+ Background:
+
+ When finalising the filesystem, the main control thread needs to ensure
+ all the in-flight fragments have been queued to the writer thread before
+ asking the writer thread to finish, and then writing the metadata.
+
+ It does this by waiting on the fragments_outstanding counter. Once this
+ counter reaches 0, it synchronises with the writer thread, waiting until
+ the writer thread reports no outstanding data to be written.
+
+ However, the main thread can race with the fragment deflator thread(s)
+ because the fragment deflator thread(s) decrement the fragments_outstanding
+ counter and release the mutex before queueing the compressed fragment
+ to the writer thread, i.e. the offending code is:
+
+ fragments_outstanding --;
+ pthread_mutex_unlock(&fragment_mutex);
+ queue_put(to_writer, write_buffer);
+
+ In extremely rare circumstances, the main thread may see the
+ fragments_outstanding counter is zero before the fragment
+ deflator sends the fragment buffer to the writer thread, and synchronise
+ with the writer thread, and finalise before the fragment has been written.
+
+ The fix is to ensure the fragment is queued to the writer thread
+ before releasing the mutex.
+
+ Signed-off-by: Phillip Lougher <phillip@squashfs.org.uk>
+
+diff --git a/squashfs-tools/mksquashfs.c b/squashfs-tools/mksquashfs.c
+index 87b7d86..f1fcff1 100644
+--- a/squashfs-tools/mksquashfs.c
++++ b/squashfs-tools/mksquashfs.c
+@@ -2445,8 +2445,8 @@ void *frag_deflator(void *arg)
+ write_buffer->block = bytes;
+ bytes += compressed_size;
+ fragments_outstanding --;
+- pthread_mutex_unlock(&fragment_mutex);
+ queue_put(to_writer, write_buffer);
++ pthread_mutex_unlock(&fragment_mutex);
+ TRACE("Writing fragment %lld, uncompressed size %d, "
+ "compressed size %d\n", file_buffer->block,
+ file_buffer->size, compressed_size);
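Review bot: in frag_deflator, queue_put(to_writer, write_buffer) now runs with fragment_mutex held, and the hunk does not show queue_put itself. Please confirm that queue_put cannot wait on anything that needs fragment_mutex (for example a writer thread that takes the mutex before draining to_writer), since that combination would deadlock. A one-line comment above the queue_put call stating that the fragment must be queued before the mutex is released would also help, given the commit message says this ordering was fixed once and then reintroduced in a rewrite.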
diff -Nru squashfs-tools-4.3/debian/patches/0007-fix-2GB-limit-in-mksquashfs.patch squashfs-tools-4.3/debian/patches/0007-fix-2GB-limit-in-mksquashfs.patch
--- squashfs-tools-4.3/debian/patches/0007-fix-2GB-limit-in-mksquashfs.patch 1970-01-01 00:00:00.000000000 +0000
+++ squashfs-tools-4.3/debian/patches/0007-fix-2GB-limit-in-mksquashfs.patch 2017-06-07 17:47:58.000000000 +0000
@@ -0,0 +1,27 @@
+From 9c1db6d13a51a2e009f0027ef336ce03624eac0d Mon Sep 17 00:00:00 2001
+From: "Guan, Xin" <guanx.bac@gmail.com>
+Date: Sat, 13 Sep 2014 13:15:26 +0200
+Subject: [PATCH] Fix 2GB-limit of the is_fragment(...) function.
+
+Applies to squashfs-tools 4.3.
+
+Reported-by: Bruno Wolff III <bruno@wolff.to>
+Signed-off-by: Guan, Xin <guanx.bac@gmail.com>
+Signed-off-by: Phillip Lougher <phillip@squashfs.org.uk>
+---
+ squashfs-tools/mksquashfs.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/squashfs-tools/mksquashfs.c b/squashfs-tools/mksquashfs.c
+index f1fcff1..d221c35 100644
+--- a/squashfs-tools/mksquashfs.c
++++ b/squashfs-tools/mksquashfs.c
+@@ -2055,7 +2055,7 @@ struct file_info *duplicate(long long file_size, long long bytes,
+
+ inline int is_fragment(struct inode_info *inode)
+ {
+- int file_size = inode->buf.st_size;
++ off_t file_size = inode->buf.st_size;
+
+ /*
+ * If this block is to be compressed differently to the
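Review bot: off_t in is_fragment is only wider than int on 32-bit builds when large-file support is enabled, and nothing in the hunk shows that it is. The hunk header shows duplicate() taking "long long file_size", so declaring the local as long long would match the neighbouring code and not depend on build flags. The patch description ("Applies to squashfs-tools 4.3.") also says nothing about the failure mode; a sentence stating that st_size was truncated into an int for large files would help the next reader.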
diff -Nru squashfs-tools-4.3/debian/patches/series squashfs-tools-4.3/debian/patches/series
--- squashfs-tools-4.3/debian/patches/series 2015-10-20 10:59:24.000000000 +0000
+++ squashfs-tools-4.3/debian/patches/series 2017-06-07 17:47:58.000000000 +0000
@@ -2,3 +2,5 @@
0002-fix_phys_mem_calculation.patch
0003-CVE-2015-4645_and_CVE-2015-4646.patch
0004-unsquashfs-add-support-for-LZMA-magics.patch
+0006-uptream-fix-race.patch
+0007-fix-2GB-limit-in-mksquashfs.patch
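Review bot: the two added series entries skip 0005 (the list goes from 0004-unsquashfs-add-support-for-LZMA-magics.patch straight to 0006) and the first filename reads "uptream" rather than "upstream". Renumbering to 0005 and 0006 and fixing the spelling would keep the series consistent, or the gap should be explained if 0005 was dropped on purpose.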