[PATCH] erofs-utils: lib: fix an overflow issue of unmapped extents

Gao Xiang hsiangkao at linux.alibaba.com
Thu Sep 7 13:19:53 AEST 2023


`fuzz_erofsfsck` reports an issue [1] that:

$ fsck/fuzz_erofsfsck t2/erofsfsck_libfuzzer_jUknVp
==430136==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffe44a8de02 at pc 0x55932ea3640c bp 0x7ffe44a8b990 sp 0x7ffe44a8b160
WRITE of size 201338902 at 0x7ffe44a8de02 thread T0
    #0 0x55932ea3640b in __asan_memset (/root/erofs-utils/fsck/fuzz_erofsfsck+0xf340b) (BuildId: 0bba6c9ddccb99f520b59bca08a3991a456f7cd4)
    #1 0x55932ea8a8e2 in z_erofs_read_data /root/erofs-utils/lib/data.c:335:4
    #2 0x55932ea8b136 in erofs_pread /root/erofs-utils/lib/data.c:369:10

Here the size should be `length - skip`, otherwise it could cause
buffer overflow.

[1] https://github.com/erofs/erofsnightly/actions/runs/6104429691/job/16566461154

Fixes: 6c20a6afd871 ("erofs-utils: fuse: fix random readlink error")
Signed-off-by: Gao Xiang <hsiangkao at linux.alibaba.com>
---
 lib/data.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/data.c b/lib/data.c
index 662e922..a87053f 100644
--- a/lib/data.c
+++ b/lib/data.c
@@ -332,7 +332,7 @@ static int z_erofs_read_data(struct erofs_inode *inode, char *buffer,
 		}
 
 		if (!(map.m_flags & EROFS_MAP_MAPPED)) {
-			memset(buffer + end - offset, 0, length);
+			memset(buffer + end - offset, 0, length - skip);
 			end = map.m_la;
 			continue;
 		}
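Review bot: the corrected memset length `length - skip` in this hunk is only safe if `skip <= length` is guaranteed at this point, and neither the computation of `skip` nor that bound is visible in the hunk; since `length` and `skip` are almost certainly unsigned here, `skip > length` would wrap to a huge size and reproduce exactly the sanitizer report in the commit message (`WRITE of size 201338902`). Suggest adding a `DBG_BUGON(skip > length)` (or an explicit `if (skip > length) return -EFSCORRUPTED;`) just before the `memset`, and keeping the fuzzer input from [1] as a regression case so the zero-fill of the unmapped range `[end - offset, end - offset + length - skip)` is exercised. The remaining lines of the hunk (`end = map.m_la; continue;`) are unchanged and consistent with the new write length.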
-- 
2.24.4


