[PATCH] erofs-utils: lib: fix an overflow issue of unmapped extents
Gao Xiang
hsiangkao at linux.alibaba.com
Thu Sep 7 13:19:53 AEST 2023
`fuzz_erofsfsck` reports an issue [1] that:
$ fsck/fuzz_erofsfsck t2/erofsfsck_libfuzzer_jUknVp
==430136==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffe44a8de02 at pc 0x55932ea3640c bp 0x7ffe44a8b990 sp 0x7ffe44a8b160
WRITE of size 201338902 at 0x7ffe44a8de02 thread T0
#0 0x55932ea3640b in __asan_memset (/root/erofs-utils/fsck/fuzz_erofsfsck+0xf340b) (BuildId: 0bba6c9ddccb99f520b59bca08a3991a456f7cd4)
#1 0x55932ea8a8e2 in z_erofs_read_data /root/erofs-utils/lib/data.c:335:4
#2 0x55932ea8b136 in erofs_pread /root/erofs-utils/lib/data.c:369:10
Here the size should be `length - skip`, otherwise it could cause
buffer overflow.
[1] https://github.com/erofs/erofsnightly/actions/runs/6104429691/job/16566461154
Fixes: 6c20a6afd871 ("erofs-utils: fuse: fix random readlink error")
Signed-off-by: Gao Xiang <hsiangkao at linux.alibaba.com>
---
lib/data.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lib/data.c b/lib/data.c
index 662e922..a87053f 100644
--- a/lib/data.c
+++ b/lib/data.c
@@ -332,7 +332,7 @@ static int z_erofs_read_data(struct erofs_inode *inode, char *buffer,
}
if (!(map.m_flags & EROFS_MAP_MAPPED)) {
- memset(buffer + end - offset, 0, length);
+ memset(buffer + end - offset, 0, length - skip);
end = map.m_la;
continue;
}
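Review bot: the hunk shrinks the zero-fill to `length - skip` but keeps the destination `buffer + end - offset` as it was, and nothing in the visible context shows that `skip` cannot exceed `length`; if both are unsigned, a `skip > length` value would wrap and produce exactly the kind of oversized memset the ASan report shows (WRITE of size 201338902). Consider guarding with a check that `skip <= length` before the memset (or documenting in the commit message why the caller guarantees it), and adding the fuzzer input from [1] as a regression case so the fix stays covered.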
--
2.24.4