[PATCH] erofs: fix unsigned underflow in z_erofs_lz4_handle_overlap()
Gao Xiang
hsiangkao at linux.alibaba.com
Thu Apr 9 20:56:42 AEST 2026
On 2026/4/9 18:38, Junrui Luo wrote:
> Hi Gao Xiang,
>
> Thank you for the review.
>
> On Thu, Apr 09, 2026 at 03:28:21PM +0800, Gao Xiang wrote:
>
>> For this kind of stuff, do you have a reproducer?
>
> I constructed a crafted EROFS image declaring plen=8192 and i_size=4096, giving
> inpages=2 and outpages=1. Tested under QEMU with kernel (v7.0-rc6) plus a temporary
> pr_warn trace in z_erofs_lz4_handle_overlap():
>
> [ 12.889652] erofs: BOUNDARY CHECK: outpages=1 < inpages=2
>
> The image mounts and the decompressor is reached with
> partial_decoding=false and outpages < inpages.
>
>> I'm not sure what you're saying, but I don't think
>> you really understand the entire logic.
>>
>> `m_la + m_llen` should not be page-aligned for typical
>> erofs images, you can just mkfs.erofs -zlz4hc with some
>> file and check it yourself.
>>
>> BTW, I just checked upstream, and the inplace branch
>> works perfectly.
>
> During testing I observed that the inplace branch was not entered with
> my crafted image and incorrectly concluded it was structurally unreachable.
> I apologize for the incorrect analysis.

Can you share your initial crafted image binary
with `gzip -9 | base64` encoding here?

I think the proper place to fix this is in
z_erofs_map_sanity_check().

But we only accept patches with proper reproducible
ways (e.g. base64-encoded zipped images or syzbot
link).

Thanks,
Gao Xiang