[PATCH v3] erofs: validate h_shared_count in erofs_init_inode_xattrs()

[Utkal Singh]

A crafted image can set h_shared_count to a value much larger than
what xattr_isize allows. The loop in erofs_init_inode_xattrs() then
reads shared xattr IDs far beyond the inode's xattr region, causing
an out-of-bounds metadata read.

Add a sanity check ensuring:

  h_shared_count <= (xattr_isize - sizeof(erofs_xattr_ibody_header)) / 4

Return -EFSCORRUPTED when the check fails.

Signed-off-by: Utkal Singh <singhutkal015 at gmail.com>
---
v3:
 - use local variable sb instead of inode->i_sb in erofs_err()
   to match existing code style in erofs_init_inode_xattrs()
 - confirmed compile-tested with make fs/erofs/xattr.o
v2:
 - initial patch with bounds check against xattr_isize

 fs/erofs/xattr.c | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/fs/erofs/xattr.c b/fs/erofs/xattr.c
index c411df5d9dfc..af16cf634a01 100644
--- a/fs/erofs/xattr.c
+++ b/fs/erofs/xattr.c
@@ -85,6 +85,15 @@ static int erofs_init_inode_xattrs(struct inode *inode)
 	}
 	vi->xattr_name_filter = le32_to_cpu(ih->h_name_filter);
 	vi->xattr_shared_count = ih->h_shared_count;
+	if (vi->xattr_shared_count >
+	    (vi->xattr_isize - sizeof(struct erofs_xattr_ibody_header)) /
+	    sizeof(__le32)) {
+		erofs_err(sb,
+			  "bogus h_shared_count %u for nid %llu",
+			  vi->xattr_shared_count, vi->nid);
+		ret = -EFSCORRUPTED;
+		goto out_unlock;
+	}
 	vi->xattr_shared_xattrs = kmalloc_objs(uint, vi->xattr_shared_count);
 	if (!vi->xattr_shared_xattrs) {
 		erofs_put_metabuf(&buf);
-- 
2.43.0