[PATCH v2] erofs: fix unsigned underflow in z_erofs_lz4_handle_overlap()
Gao Xiang
hsiangkao at linux.alibaba.com
Fri Apr 10 00:21:25 AEST 2026
On 2026/4/9 21:59, Junrui Luo wrote:
> Some crafted images can have illegal (!partial_decoding &&
> m_llen < m_plen) extents, and the LZ4 inplace decompression path
> can be wrongly hit, but it cannot handle (outpages < inpages)
> properly: "outpages - inpages" wraps to a large value and
> the subsequent rq->out[] access reads past the decompressed_pages
> array.
>
> However, such crafted cases can correctly result in a corruption
> report in the normal LZ4 non-inplace path.
>
> Let's add an additional check to fix this for backporting.
>
> Reproducible image (base64-encoded gzipped blob):
>
> H4sIAJGR12kCA+3SPUoDQRgG4MkmkkZk8QRbRFIIi9hbpEjrHQI5ghfwCN5BLCzTGtLbBI+g
> dilSJo1CnIm7GEXFxhT6PDDwfrs73/ywIQD/1ePD4r7Ou6ETsrq4mu7XcWfj++Pb58nJU/9i
> PNtbjhan04/9GtX4qVYc814WDqt6FaX5s+ZwXXeq52lndT6IuVvlblytLMvh4Gzwaf90nsvz
> 2DF/21+20T/ldgp5s1jXRaN4t/8izsy/OUB6e/Qa79r+JwAAAAAAAL52vQVuGQAAAP6+my1w
> ywAAAAAAAADwu14ATsEYtgBQAAA=
>
> $ mount -t erofs -o cache_strategy=disabled foo.erofs /mnt
> $ dd if=/mnt/data of=/dev/null bs=4096 count=1
>
> Fixes: 598162d05080 ("erofs: support decompress big pcluster for lz4 backend")
> Reported-by: Yuhao Jiang <danisjiang at gmail.com>
> Cc: stable at vger.kernel.org
> Signed-off-by: Junrui Luo <moonafterrain at outlook.com>
Thanks for catching this:
Reviewed-by: Gao Xiang <hsiangkao at linux.alibaba.com>
Thanks,
Gao Xiang
More information about the Linux-erofs
mailing list