[PATCH v3] erofs-utils: lib: validate h_shared_count in erofs_init_inode_xattrs()

Gao Xiang hsiangkao at linux.alibaba.com
Tue Mar 17 22:57:36 AEDT 2026 


On 2026/3/17 19:30, Utkal Singh wrote:
> h_shared_count is read from the on-disk xattr ibody header and used
> to size a heap allocation and drive a loop reading shared xattr IDs.
> If the value is corrupted to exceed the space available in xattr_isize,
> the loop reads past the ibody region and the malloc is oversized.
> 
> This does not affect system stability but results in silently
> processing garbage data from corrupted images across all library
> consumers (dump.erofs, erofsfuse, rebuild).
> 
> Validate h_shared_count against the available ibody space.
> Return -EFSCORRUPTED on failure.
> 
> Reproducer:
>    mkdir testdir && echo hello > testdir/a.txt
>    setfattr -n user.test -v val testdir/a.txt
>    mkfs.erofs test.img testdir
>    # corrupt h_shared_count (offset = nid*32 + inode_size + 4) to 0xFF
>    # then: fsck.erofs --extract=/tmp/out --xattrs test_corrupted.img
>    # Without patch: silently processes invalid shared xattr IDs
>    # With patch: returns -EFSCORRUPTED

Let's try to rephrase the commit message a bit:

Subject: erofs-utils: lib: harden h_shared_count in erofs_init_inode_xattrs()

`u8 h_shared_count` indicates the shared xattr count of an inode. It is
read from the on-disk xattr ibody header, which should be corrupted if
the size of the shared xattr array exceeds the space available in
`xattr_isize`.

It does not cause harmful consequence (e.g. crashes), since the image is
already considered corrupted, it indeed results in the silent processing
of garbage metadata.

Let's harden it to report -EFSCORRUPTED earlier.

Reproducer:
   mkdir testdir && echo hello > testdir/a.txt
   setfattr -n user.test -v val testdir/a.txt
   mkfs.erofs test.img testdir
   # corrupt h_shared_count (offset = nid*32 + inode_size + 4) to 0xFF
   # then: fsck.erofs --extract=/tmp/out --xattrs test_corrupted.img
   # Without patch: silently processes invalid shared xattr IDs
   # With patch: returns -EFSCORRUPTED

Also are you interested in submitting a kernel patch as well? You need
to get the latest erofs -fixes branch, and port this one into the kernel.

If you don't have enough experience on this for now, I could help you
submit one immediately, and I will Cc you as well.

Thanks,
Gao Xiang

> 
> Signed-off-by: Utkal Singh <singhutkal015 at gmail.com>
> ---
>   lib/xattr.c | 7 +++++++
>   1 file changed, 7 insertions(+)
> 
> diff --git a/lib/xattr.c b/lib/xattr.c
> index 565070a..9d52a18 100644
> --- a/lib/xattr.c
> +++ b/lib/xattr.c
> @@ -1182,6 +1182,13 @@ static int erofs_init_inode_xattrs(struct erofs_inode *vi)
>   
>   	ih = it.kaddr;
>   	vi->xattr_shared_count = ih->h_shared_count;
> +	if (vi->xattr_shared_count * sizeof(__le32) >
> +	    vi->xattr_isize - sizeof(struct erofs_xattr_ibody_header)) {
> +		erofs_err("invalid h_shared_count %u in nid %llu",
> +			  vi->xattr_shared_count, vi->nid | 0ULL);
> +		erofs_put_metabuf(&it.buf);
> +		return -EFSCORRUPTED;
> +	}
>   	vi->xattr_shared_xattrs = malloc(vi->xattr_shared_count * sizeof(uint));
>   	if (!vi->xattr_shared_xattrs) {
>   		erofs_put_metabuf(&it.buf);

More information about the Linux-erofs mailing list