[PATCH] erofs-utils: lib: validate inode offset bounds in erofs_read_inode_from_disk()
Gao Xiang
hsiangkao at linux.alibaba.com
Thu Mar 5 10:59:09 AEDT 2026
On 2026/3/5 07:45, Gao Xiang wrote:
>
>
> On 2026/3/5 02:21, Utkal Singh wrote:
>> A crafted EROFS image can contain an out-of-range node ID in directory
>> entries or the superblock root_nid that causes erofs_iloc() to compute
>> an inode offset beyond the image size. This leads to out-of-bounds
>> reads in erofs_read_metabuf(), potentially crashing fsck.erofs,
>> erofsfuse, or dump.erofs.
>
> Do you have a reproducible image?
>
> I think in that case, erofs_io_read or something should fail
> instead; we don't need such a check against
> sbi->primarydevice_blocks.

It will return:

<E> erofs: erofs_read_inode_from_disk() Line[42] failed to get inode (nid: 249216) page, err -5
<E> erofs: erofsfsck_check_inode() Line[988] I/O error occurred when reading nid(249216)

I don't think such a check is needed; blocks is mainly for statfs
statistics. For dynamically generated EROFS, it could be 0 all the
time.