1. Patchew
  2. linux
  3. View series

[PATCH] erofs: harden h_shared_count in erofs_init_inode_xattrs()

Utkal Singh posted 1 patch 2 weeks, 6 days ago
There is a newer version of this series
fs/erofs/xattr.c | 8 ++++++++
1 file changed, 8 insertions(+)
[PATCH] erofs: harden h_shared_count in erofs_init_inode_xattrs()
Posted by Utkal Singh 2 weeks, 6 days ago 
`u8 h_shared_count` indicates the shared xattr count of an inode. It is
read from the on-disk xattr ibody header, which should be corrupted if
the size of the shared xattr array exceeds the space available in
`xattr_isize`.

It does not cause harmful consequence (e.g. crashes), since the image is
already considered corrupted, it indeed results in the silent processing
of garbage metadata.

Let's harden it to report -EFSCORRUPTED earlier.

Fixes: 47e4937a4a7c ("erofs: move erofs out of staging")
Cc: stable@vger.kernel.org
Signed-off-by: Utkal Singh <singhutkal015@gmail.com>
---
 fs/erofs/xattr.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/fs/erofs/xattr.c b/fs/erofs/xattr.c
index c411df5d9dfc..aaac37c6bb78 100644
--- a/fs/erofs/xattr.c
+++ b/fs/erofs/xattr.c
@@ -85,6 +85,14 @@ static int erofs_init_inode_xattrs(struct inode *inode)
 	}
 	vi->xattr_name_filter = le32_to_cpu(ih->h_name_filter);
 	vi->xattr_shared_count = ih->h_shared_count;
+	if ((u32)vi->xattr_shared_count * sizeof(__le32) >
+	    vi->xattr_isize - sizeof(struct erofs_xattr_ibody_header)) {
+		erofs_err(sb, "invalid h_shared_count %u in nid %llu",
+			  vi->xattr_shared_count, vi->nid);
+		erofs_put_metabuf(&buf);
+		ret = -EFSCORRUPTED;
+		goto out_unlock;
+	}
 	vi->xattr_shared_xattrs = kmalloc_objs(uint, vi->xattr_shared_count);
 	if (!vi->xattr_shared_xattrs) {
 		erofs_put_metabuf(&buf);
-- 
2.43.0
Re: [PATCH] erofs: harden h_shared_count in erofs_init_inode_xattrs()
Posted by Gao Xiang 2 weeks, 6 days ago 

On 2026/3/17 21:23, Utkal Singh wrote:
> `u8 h_shared_count` indicates the shared xattr count of an inode. It is
> read from the on-disk xattr ibody header, which should be corrupted if
> the size of the shared xattr array exceeds the space available in
> `xattr_isize`.
> 
> It does not cause harmful consequence (e.g. crashes), since the image is
> already considered corrupted, it indeed results in the silent processing
> of garbage metadata.
> 
> Let's harden it to report -EFSCORRUPTED earlier.
> 
> Fixes: 47e4937a4a7c ("erofs: move erofs out of staging")
> Cc: stable@vger.kernel.org

No, please drop the Fixes and Cc since it should not be a bugfix.

Thanks,
Gao Xiang

Patchew 2.1-devel-ea86937

© 2016 - 2026 Red Hat, Inc.