diff options
| author | Gao Xiang <hsiangkao@linux.alibaba.com> | 2026-04-10 11:48:38 +0300 |
|---|---|---|
| committer | Gao Xiang <hsiangkao@linux.alibaba.com> | 2026-04-10 11:53:39 +0300 |
| commit | a5242d37c83abe86df95c6941e2ace9f9055ffcb (patch) | |
| tree | cadf6f4f5b81939b9cb8e679717f44c04a22b190 | |
| parent | 5c40d2e9e3ce9e81d76773c68756e9b07cce802c (diff) | |
| download | linux-a5242d37c83abe86df95c6941e2ace9f9055ffcb.tar.xz | |
erofs: error out obviously illegal extents in advance
Detect some corrupted extent cases during metadata parsing rather
than letting them result in harmless decompression failures later:
- For full-reference compressed extents, the compressed size must
not exceed the decompressed size, which is a strict on-disk
layout constraint;
- For plain (shifted/interlaced) extents, the decoded size must
not exceed the encoded size, even accounting for partial decoding.
Both ways work but it should be better to report illegal extents as
metadata layout violations rather than deferring as decompression
failure.
Signed-off-by: Gao Xiang <hsiangkao@linux.alibaba.com>
| -rw-r--r-- | fs/erofs/decompressor.c | 1 | ||||
| -rw-r--r-- | fs/erofs/zmap.c | 24 |
2 files changed, 15 insertions, 10 deletions
diff --git a/fs/erofs/decompressor.c b/fs/erofs/decompressor.c index 2b065f8c3f71..3c54e95964c9 100644 --- a/fs/erofs/decompressor.c +++ b/fs/erofs/decompressor.c @@ -145,7 +145,6 @@ static void *z_erofs_lz4_handle_overlap(const struct z_erofs_decompress_req *rq, oend = rq->pageofs_out + rq->outputsize; omargin = PAGE_ALIGN(oend) - oend; if (!rq->partial_decoding && may_inplace && - rq->outpages >= rq->inpages && omargin >= LZ4_DECOMPRESS_INPLACE_MARGIN(rq->inputsize)) { for (i = 0; i < rq->inpages; ++i) if (rq->out[rq->outpages - rq->inpages + i] != diff --git a/fs/erofs/zmap.c b/fs/erofs/zmap.c index 67f55b9b57af..72b96e295716 100644 --- a/fs/erofs/zmap.c +++ b/fs/erofs/zmap.c @@ -473,11 +473,6 @@ static int z_erofs_map_blocks_fo(struct inode *inode, } if (m.headtype == Z_EROFS_LCLUSTER_TYPE_PLAIN) { - if (map->m_llen > map->m_plen) { - DBG_BUGON(1); - err = -EFSCORRUPTED; - goto unmap_out; - } if (vi->z_advise & Z_EROFS_ADVISE_INTERLACED_PCLUSTER) map->m_algorithmformat = Z_EROFS_COMPRESSION_INTERLACED; else @@ -720,10 +715,21 @@ static int z_erofs_map_sanity_check(struct inode *inode, map->m_algorithmformat, map->m_la, EROFS_I(inode)->nid); return -EOPNOTSUPP; } - if (unlikely(map->m_algorithmformat < Z_EROFS_COMPRESSION_MAX && - !(sbi->available_compr_algs & (1 << map->m_algorithmformat)))) { - erofs_err(inode->i_sb, "inconsistent algorithmtype %u for nid %llu", - map->m_algorithmformat, EROFS_I(inode)->nid); + + if (map->m_algorithmformat < Z_EROFS_COMPRESSION_MAX) { + if (sbi->available_compr_algs ^ BIT(map->m_algorithmformat)) { + erofs_err(inode->i_sb, "inconsistent algorithmtype %u for nid %llu", + map->m_algorithmformat, EROFS_I(inode)->nid); + return -EFSCORRUPTED; + } + if (EROFS_MAP_FULL(map->m_flags) && map->m_llen < map->m_plen) { + erofs_err(inode->i_sb, "too much compressed data @ la %llu of nid %llu", + map->m_la, EROFS_I(inode)->nid); + return -EFSCORRUPTED; + } + } else if (map->m_llen > map->m_plen) { + erofs_err(inode->i_sb, "not enough plain data on disk @ la %llu of nid %llu", + map->m_la, EROFS_I(inode)->nid); return -EFSCORRUPTED; } if (unlikely(map->m_plen > Z_EROFS_PCLUSTER_MAX_SIZE || |