erofs: avoid infinite loops due to corrupted subpage compact indexes - kernel/linux.git

diff options

author	Gao Xiang <hsiangkao@linux.alibaba.com>	2025-10-17 10:05:38 +0300
committer	Gao Xiang <hsiangkao@linux.alibaba.com>	2025-10-22 02:54:11 +0300
commit	e13d315ae077bb7c3c6027cc292401bc0f4ec683 (patch)
tree	46840f0bd57866bc4d5e2f092bf75cb9ddc6af30 /tools/docs/parse-headers.py
parent	a429b76114aaca3ef1aff4cd469dcf025431bd11 (diff)
download	linux-e13d315ae077bb7c3c6027cc292401bc0f4ec683.tar.xz

erofs: avoid infinite loops due to corrupted subpage compact indexes

Robert reported an infinite loop observed by two crafted images. The root cause is that `clusterofs` can be larger than `lclustersize` for !NONHEAD `lclusters` in corrupted subpage compact indexes, e.g.: blocksize = lclustersize = 512 lcn = 6 clusterofs = 515 Move the corresponding check for full compress indexes to `z_erofs_load_lcluster_from_disk()` to also cover subpage compact compress indexes. It also fixes the position of `m->type >= Z_EROFS_LCLUSTER_TYPE_MAX` check, since it should be placed right after `z_erofs_load_{compact,full}_lcluster()`. Fixes: 8d2517aaeea3 ("erofs: fix up compacted indexes for block size < 4096") Fixes: 1a5223c182fd ("erofs: do sanity check on m->type in z_erofs_load_compact_lcluster()") Reported-by: Robert Morris <rtm@csail.mit.edu> Closes: https://lore.kernel.org/r/35167.1760645886@localhost Reviewed-by: Hongbo Li <lihongbo22@huawei.com> Signed-off-by: Gao Xiang <hsiangkao@linux.alibaba.com>

Diffstat (limited to 'tools/docs/parse-headers.py')

0 files changed, 0 insertions, 0 deletions


context:
space:
mode: