| author | Utkal Singh <singhutkal015@gmail.com> | 2026-03-17 18:24:39 +0300 |
|---|---|---|
| committer | Gao Xiang <hsiangkao@linux.alibaba.com> | 2026-03-30 05:40:21 +0300 |
| commit | 6a01f5478d208544c8ba5ddbd674ea660f1b7047 (patch) | |
| tree | 168e8476c40f2312a518bfd9c0e468a1f48c4cfc | |
| parent | 7aaa8047eafd0bd628065b15757d9b48c5f9c07d (diff) | |
| download | linux-6a01f5478d208544c8ba5ddbd674ea660f1b7047.tar.xz | |
erofs: harden h_shared_count in erofs_init_inode_xattrs()

`u8 h_shared_count` indicates the shared xattr count of an inode. It is
read from the on-disk xattr ibody header, which should be corrupted if
the size of the shared xattr array exceeds the space available in
`xattr_isize`.

It does not cause harmful consequence (e.g. crashes), since the image is
already considered corrupted, it indeed results in the silent processing
of garbage metadata.

Let's harden it to report -EFSCORRUPTED earlier.

Signed-off-by: Utkal Singh <singhutkal015@gmail.com>
Reviewed-by: Gao Xiang <hsiangkao@linux.alibaba.com>
Reviewed-by: Chao Yu <chao@kernel.org>
Signed-off-by: Gao Xiang <hsiangkao@linux.alibaba.com>

| -rw-r--r-- | fs/erofs/xattr.c | 8 |
1 files changed, 8 insertions, 0 deletions
diff --git a/fs/erofs/xattr.c b/fs/erofs/xattr.c index c411df5d9dfc..41e311019a25 100644 --- a/fs/erofs/xattr.c +++ b/fs/erofs/xattr.c @@ -85,6 +85,14 @@ static int erofs_init_inode_xattrs(struct inode *inode) } vi->xattr_name_filter = le32_to_cpu(ih->h_name_filter); vi->xattr_shared_count = ih->h_shared_count; + if ((u32)vi->xattr_shared_count * sizeof(__le32) > + vi->xattr_isize - sizeof(struct erofs_xattr_ibody_header)) { + erofs_err(sb, "invalid h_shared_count %u @ nid %llu", + vi->xattr_shared_count, vi->nid); + erofs_put_metabuf(&buf); + ret = -EFSCORRUPTED; + goto out_unlock; + } vi->xattr_shared_xattrs = kmalloc_objs(uint, vi->xattr_shared_count); if (!vi->xattr_shared_xattrs) { erofs_put_metabuf(&buf); |
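
Review bot: The right-hand side of the new bound check, `vi->xattr_isize - sizeof(struct erofs_xattr_ibody_header)`, is computed in unsigned arithmetic because of the `sizeof` operand, so it wraps to a very large value if `xattr_isize` is ever smaller than the header, and the check then passes for any `h_shared_count`. The visible context does not show a lower bound on `xattr_isize`, so either confirm that one is enforced earlier in erofs_init_inode_xattrs() or write the comparison without a subtraction, e.g. `sizeof(struct erofs_xattr_ibody_header) + vi->xattr_shared_count * sizeof(__le32) > vi->xattr_isize`, which cannot underflow. The `(u32)` cast also looks unnecessary, since multiplying by `sizeof(__le32)` already converts the count to `size_t`.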
