[PATCH] erofs: fix uninit-value in z_erofs_lz4_decompress
Gao Xiang
hsiangkao at linux.alibaba.com
Sun Dec 31 12:14:11 AEDT 2023
On 2023/12/29 19:09, Edward Adam Davis wrote:
> When LZ4 decompression fails, the number of bytes read from out should be
> inputsize plus the returned overflow value ret.
>
> Reported-and-tested-by: syzbot+6c746eea496f34b3161d at syzkaller.appspotmail.com
> Signed-off-by: Edward Adam Davis <eadavis at qq.com>
> ---
> fs/erofs/decompressor.c | 3 ++-
> 1 file changed, 2 insertions(+), 1 deletion(-)
>
> diff --git a/fs/erofs/decompressor.c b/fs/erofs/decompressor.c
> index 021be5feb1bc..8ac3f96676c4 100644
> --- a/fs/erofs/decompressor.c
> +++ b/fs/erofs/decompressor.c
> @@ -250,7 +250,8 @@ static int z_erofs_lz4_decompress_mem(struct z_erofs_lz4_decompress_ctx *ctx,
> print_hex_dump(KERN_DEBUG, "[ in]: ", DUMP_PREFIX_OFFSET,
> 16, 1, src + inputmargin, rq->inputsize, true);
> print_hex_dump(KERN_DEBUG, "[out]: ", DUMP_PREFIX_OFFSET,
> - 16, 1, out, rq->outputsize, true);
> + 16, 1, out, (ret < 0 && rq->inputsize > 0) ?
> + (ret + rq->inputsize) : rq->outputsize, true);
It's incorrect since output decompressed buffer has no relationship
with `rq->inputsize` and `ret + rq->inputsize` is meaningless too.
Also, the issue was already fixed by avoiding debugging messages as
https://lore.kernel.org/r/20231227151903.2900413-1-hsiangkao@linux.alibaba.com
Thanks,
Gao Xiang
More information about the Linux-erofs
mailing list