[PATCH v3] erofs: validate h_shared_count in erofs_init_inode_xattrs()

Gao Xiang xiang at kernel.org
Wed Mar 18 03:48:52 AEDT 2026


On Tue, Mar 17, 2026 at 04:41:35PM +0000, Utkal Singh wrote:
> A crafted image can set h_shared_count to a value much larger than
> what xattr_isize allows. The loop in erofs_init_inode_xattrs() then
> reads shared xattr IDs far beyond the inode's xattr region, causing
> an out-of-bounds metadata read.
> 
> Add a sanity check ensuring:
> 
>   h_shared_count <= (xattr_isize - sizeof(erofs_xattr_ibody_header)) / 4
> 
> Return -EFSCORRUPTED when the check fails.
> 
> Signed-off-by: Utkal Singh <singhutkal015 at gmail.com>

What happens with your v3?

What happens with the commit message and the division?

Could you explain what happened?

Thanks,
Gao Xiang
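
The bound stated in the quoted commit message, written out as a stand-alone user-space sketch. This is an added example, not the patch under review and not kernel code: the header layout, the `sketch_` names and the sample bytes are assumptions made for illustration, and it assumes a Linux host where `EUCLEAN` is defined.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define EFSCORRUPTED EUCLEAN     /* same mapping the kernel uses */

/* Stand-in for erofs_xattr_ibody_header; this layout is an assumption. */
struct sketch_xattr_ibody_header {
	uint32_t h_name_filter;
	uint8_t  h_shared_count;
	uint8_t  h_reserved[7];
};

/*
 * Copy the shared xattr IDs out of an inline xattr region of xattr_isize
 * bytes. ids[] needs room for 255 entries. Returns count or -EFSCORRUPTED.
 */
static int sketch_read_shared_ids(const uint8_t *region, size_t xattr_isize,
				  uint32_t *ids)
{
	const size_t hdr = sizeof(struct sketch_xattr_ibody_header);
	size_t count, i;

	if (xattr_isize < hdr)          /* keeps the subtraction from wrapping */
		return -EFSCORRUPTED;
	count = region[offsetof(struct sketch_xattr_ibody_header, h_shared_count)];
	if (count > (xattr_isize - hdr) / sizeof(uint32_t))
		return -EFSCORRUPTED;   /* IDs would run past the region */

	for (i = 0; i < count; i++) {   /* on-disk values are little-endian */
		const uint8_t *p = region + hdr + i * sizeof(uint32_t);
		ids[i] = p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
	}
	return (int)count;
}

int main(void)
{
	/* Constructed sample: 12-byte header followed by two IDs (7 and 9). */
	uint8_t region[20] = { [4] = 2, [12] = 7, [16] = 9 };
	uint32_t ids[255];

	printf("valid: %d\n", sketch_read_shared_ids(region, sizeof(region), ids));
	region[4] = 200;                /* count claims far more than fits */
	printf("crafted: %d\n", sketch_read_shared_ids(region, sizeof(region), ids));
	return 0;
}
```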

