[PATCH v4] erofs: fix the out-of-bounds nameoff handling for trailing dirents
Chao Yu
chao at kernel.org
Tue Apr 21 18:32:00 AEST 2026
On 4/21/2026 3:59 PM, Gao Xiang wrote:
> Currently we already have boundary-checks for nameoffs, but the trailing
> dirents are special since the namelens are calculated with strnlen()
> with unchecked nameoffs.
>
> If a crafted EROFS has a trailing dirent with nameoff >= maxsize,
> maxsize - nameoff can underflow, causing strnlen() to read past the
> directory block.
>
> nameoff0 should also be verified to be a multiple of
> `sizeof(struct erofs_dirent)` as well [1].
>
> [1] https://sashiko.dev/#/patchset/20260416063511.3173774-1-hsiangkao%40linux.alibaba.com
>
> Fixes: 3aa8ec716e52 ("staging: erofs: add directory operations")
> Fixes: 33bac912840f ("staging: erofs: keep corrupted fs from crashing kernel in erofs_readdir()")
> Reported-by: Yuhao Jiang <danisjiang at gmail.com>
> Reported-by: Junrui Luo <moonafterrain at outlook.com>
> Closes: https://lore.kernel.org/r/A0FD7E0F-7558-49B0-8BC8-EB1ECDB2479A@outlook.com
> Cc: stable at vger.kernel.org
> Signed-off-by: Gao Xiang <hsiangkao at linux.alibaba.com>
Reviewed-by: Chao Yu <chao at kernel.org>
Thanks,
More information about the Linux-erofs
mailing list