Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
erofs: harden h_shared_count in erofs_init_inode_xattrs()

`u8 h_shared_count` indicates the shared xattr count of an inode. It is
read from the on-disk xattr ibody header, which should be corrupted if
the size of the shared xattr array exceeds the space available in
`xattr_isize`.

It does not cause harmful consequences (e.g. crashes), since the image is
already considered corrupted, it indeed results in the silent processing
of garbage metadata.

Let's harden it to report -EFSCORRUPTED earlier.

Signed-off-by: Utkal Singh <singhutkal015@gmail.com>
Reviewed-by: Gao Xiang <hsiangkao@linux.alibaba.com>
Reviewed-by: Chao Yu <chao@kernel.org>
Signed-off-by: Gao Xiang <hsiangkao@linux.alibaba.com>

Authored by Utkal Singh and committed by Gao Xiang
6a01f547 7aaa8047

+8
+8
fs/erofs/xattr.c
··· 85 85 } 86 86 vi->xattr_name_filter = le32_to_cpu(ih->h_name_filter); 87 87 vi->xattr_shared_count = ih->h_shared_count; 88 + if ((u32)vi->xattr_shared_count * sizeof(__le32) > 89 + vi->xattr_isize - sizeof(struct erofs_xattr_ibody_header)) { 90 + erofs_err(sb, "invalid h_shared_count %u @ nid %llu", 91 + vi->xattr_shared_count, vi->nid); 92 + erofs_put_metabuf(&buf); 93 + ret = -EFSCORRUPTED; 94 + goto out_unlock; 95 + } 88 96 vi->xattr_shared_xattrs = kmalloc_objs(uint, vi->xattr_shared_count); 89 97 if (!vi->xattr_shared_xattrs) { 90 98 erofs_put_metabuf(&buf);
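Review bot: The right-hand side of the new comparison, `vi->xattr_isize - sizeof(struct erofs_xattr_ibody_header)`, is evaluated as an unsigned `size_t` expression, so it wraps to a very large value if `xattr_isize` is smaller than the header, and the check would then accept any `h_shared_count`. The visible context does not show a lower bound on `xattr_isize`; if one is enforced earlier in `erofs_init_inode_xattrs()`, a short comment here pointing at it would make the dependency explicit. Otherwise, writing the test as an addition, `sizeof(struct erofs_xattr_ibody_header) + (u32)vi->xattr_shared_count * sizeof(__le32) > vi->xattr_isize`, removes the wrap entirely, since a `u8` count times four plus the header size cannot overflow. The error path itself looks consistent with the allocation-failure branch that follows it: the metabuf is released before `goto out_unlock`.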