From: Utkal Singh
To: linux-erofs@lists.ozlabs.org
Cc: xiang@kernel.org, yifan.yfzhao@gmail.com, linux-kernel@vger.kernel.org, stable@vger.kernel.org, singhutkal015@gmail.com
Subject: [PATCH] erofs: harden h_shared_count in erofs_init_inode_xattrs()
Date: Tue, 17 Mar 2026 13:23:56 +0000
Message-ID: <20260317132356.15341-1-singhutkal015@gmail.com>

`u8 h_shared_count` indicates the shared xattr count of an inode. It is read from the on-disk xattr ibody header, which should be corrupted if the size of the shared xattr array exceeds the space available in `xattr_isize`.

It does not cause harmful consequence (e.g. crashes), since the image is already considered corrupted, it indeed results in the silent processing of garbage metadata. Let's harden it to report -EFSCORRUPTED earlier.

Fixes: 47e4937a4a7c ("erofs: move erofs out of staging")
Cc: stable@vger.kernel.org
Signed-off-by: Utkal Singh

--- fs/erofs/xattr.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/fs/erofs/xattr.c b/fs/erofs/xattr.c index c411df5d9dfc..aaac37c6bb78 100644 --- a/fs/erofs/xattr.c +++ b/fs/erofs/xattr.c 
@@ -85,6 +85,14 @@ static int erofs_init_inode_xattrs(struct inode *inode) } vi->xattr_name_filter =3D le32_to_cpu(ih->h_name_filter); vi->xattr_shared_count =3D ih->h_shared_count; + if ((u32)vi->xattr_shared_count * sizeof(__le32) > + vi->xattr_isize - sizeof(struct erofs_xattr_ibody_header)) { + erofs_err(sb, "invalid h_shared_count %u in nid %llu", + vi->xattr_shared_count, vi->nid); + erofs_put_metabuf(&buf); + ret =3D -EFSCORRUPTED; + goto out_unlock; + } vi->xattr_shared_xattrs =3D kmalloc_objs(uint, vi->xattr_shared_count); if (!vi->xattr_shared_xattrs) { erofs_put_metabuf(&buf); --=20 2.43.0
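
Review bot: The right-hand side of the new bounds check, `vi->xattr_isize - sizeof(struct erofs_xattr_ibody_header)`, is an unsigned subtraction, and nothing in this hunk shows that `xattr_isize` is at least the header size when it is evaluated. If an earlier check in the function does not already guarantee that, the difference wraps to a very large value and the comparison never fires for an undersized `xattr_isize`, which is one of the corrupted-image cases the check is meant to reject. Writing the test additively, `sizeof(struct erofs_xattr_ibody_header) + vi->xattr_shared_count * sizeof(__le32) > vi->xattr_isize`, cannot wrap for a count read from a u8 field and makes the `(u32)` cast unnecessary. If the existing code does enforce the lower bound, a one-line comment naming that guarantee above the new `if` would make the check easier to audit.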