[PATCH] erofs-utils: xattr: validate h_shared_count against xattr_isize

Utkal Singh singhutkal015 at gmail.com
Sun Mar 15 18:19:41 AEDT 2026 

The h_shared_count field in struct erofs_xattr_ibody_header is a raw u8
read directly from the on-disk image without any validation.  The code
currently trusts this value unconditionally:

  vi->xattr_shared_count = ih->h_shared_count;
  vi->xattr_shared_xattrs = malloc(vi->xattr_shared_count * sizeof(uint));

  for (i = 0; i < vi->xattr_shared_count; ++i) {
          it.kaddr = erofs_bread(&it.buf, it.pos, true);
          vi->xattr_shared_xattrs[i] = le32_to_cpu(*(__le32 *)it.kaddr);
          it.pos += sizeof(__le32);
  }

A crafted image with xattr_isize=12 (minimum, header only) and
h_shared_count=50 causes the loop to read 200 bytes past the declared
xattr region into adjacent inode metadata or data blocks.  The harvested
values are later used as raw offsets in erofs_xattr_iter_shared():

  it->pos = erofs_pos(sbi, sbi->xattr_blkaddr) +
            vi->xattr_shared_xattrs[i] * sizeof(__le32);

This creates an arbitrary-read-within-image primitive exploitable via
malicious container images processed by fsck.erofs, erofsfuse, or
dump.erofs.

Fix by validating that all h_shared_count entries fit inside xattr_isize
before allocating or iterating, returning -EFSCORRUPTED on violation.

Signed-off-by: Utkal Singh <singhutkal015 at gmail.com>
---
 lib/xattr.c | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)

diff --git a/lib/xattr.c b/lib/xattr.c
index 565070a..64f3f95 100644
--- a/lib/xattr.c
+++ b/lib/xattr.c
@@ -1182,6 +1182,26 @@ static int erofs_init_inode_xattrs(struct erofs_inode *vi)
 
 	ih = it.kaddr;
 	vi->xattr_shared_count = ih->h_shared_count;
+
+	/*
+	 * Validate that the claimed number of shared xattr index entries
+	 * actually fits within the inode's declared xattr_isize.
+	 * h_shared_count is a raw u8 read from the on-disk image; a crafted
+	 * image could set h_shared_count=255 with xattr_isize=12 (header only),
+	 * causing the loop below to read h_shared_count*4 bytes past the xattr
+	 * region into adjacent inode metadata.  Those harvested values are later
+	 * used as block offsets in erofs_xattr_iter_shared(), making this an
+	 * arbitrary-read-within-image primitive.
+	 */
+	if (vi->xattr_shared_count &&
+	    (unsigned int)vi->xattr_shared_count * sizeof(__le32) >
+	    vi->xattr_isize - sizeof(struct erofs_xattr_ibody_header)) {
+		erofs_err("xattr_shared_count %u exceeds xattr_isize %u for nid %llu",
+			  vi->xattr_shared_count, vi->xattr_isize,
+			  (unsigned long long)vi->nid);
+		erofs_put_metabuf(&it.buf);
+		return -EFSCORRUPTED;
+	}
 	vi->xattr_shared_xattrs = malloc(vi->xattr_shared_count * sizeof(uint));
 	if (!vi->xattr_shared_xattrs) {
 		erofs_put_metabuf(&it.buf);
-- 
2.43.0

More information about the Linux-erofs mailing list