[PATCH] erofs-utils: mkfs: bound-check s3 passwd_file credentials
Ajay Rajera
newajay.11r at gmail.com
Sun Mar 22 14:48:42 AEDT 2026
Hi,

my review: LGTM.

How to test:

To reproduce the crashes locally and check if the patch works on a
system level, you can compile the erofs-utils project and deliberately
pass maliciously sized credential files to it using the --s3 option.

Test Issue 1: Create test1.txt exactly 515 bytes long. Run mkfs.erofs
--s3=127.0.0.1,passwd_file=test1.txt. Without the patch, ASAN will
report a 1-byte OOB write.

Test Issue 2: Create test2.txt with 300 characters, a colon, and 1
character. Run mkfs.erofs --s3=127.0.0.1,passwd_file=test2.txt.
Without the patch, it will trigger a segmentation fault.

On Sat, 21 Mar 2026 at 23:32, Vansh Choudhary <ch at vnsh.in> wrote:
>
> mkfs_parse_s3_cfg_passwd() only checked the total passwd_file size,
> which left two issues in the parser:
>
> - a file exactly as large as the temporary buffer left no room for the
> trailing NUL byte;
> - either credential could still exceed its destination buffer after the
> string is split at ':'.
>
> Use sizeof(buf) for the temporary buffer check and reject overlong
> access key or secret key fields before copying them out.
>
> This keeps the existing parsing flow intact while making the bounds
> checks match the actual destination sizes.
>
> Signed-off-by: Vansh Choudhary <ch at vnsh.in>
> ---
> mkfs/main.c | 8 +++++++-
> 1 file changed, 7 insertions(+), 1 deletion(-)
>
> diff --git a/mkfs/main.c b/mkfs/main.c
> index 58c18f9..eb13aba 100644
> --- a/mkfs/main.c
> +++ b/mkfs/main.c
> @@ -663,7 +663,7 @@ static int mkfs_parse_s3_cfg_passwd(const char *filepath, char *ak, char *sk)
> erofs_warn("passwd_file %s should not be accessible by group or others",
> filepath);
>
> - if (st.st_size > S3_ACCESS_KEY_LEN + S3_SECRET_KEY_LEN + 3) {
> + if (st.st_size >= sizeof(buf)) {
> erofs_err("passwd_file %s is too large (size: %llu)", filepath,
> st.st_size | 0ULL);
> ret = -EINVAL;
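Review bot: The new condition `st.st_size >= sizeof(buf)` compares a signed `off_t` with an unsigned `size_t`, and the declaration of `buf` is outside the context shown in this hunk. Please confirm that `buf` is a char array local to this function (on a pointer, `sizeof` would give the pointer size) and that it is at least S3_ACCESS_KEY_LEN + S3_SECRET_KEY_LEN + 2 bytes, so a maximum-length key pair with its colon and the trailing NUL is still accepted. An explicit cast on one side would also keep the comparison clean under -Wsign-compare.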
> @@ -687,6 +687,12 @@ static int mkfs_parse_s3_cfg_passwd(const char *filepath, char *ak, char *sk)
> }
> *colon = '\0';
>
> + if (strlen(buf) > S3_ACCESS_KEY_LEN ||
> + strlen(colon + 1) > S3_SECRET_KEY_LEN) {
> + ret = -EINVAL;
> + goto err;
> + }
> +
> strcpy(ak, buf);
> strcpy(sk, colon + 1);
>
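Review bot: The added length check leaves through `goto err` with -EINVAL but prints nothing, whereas the size check earlier in the function reports the problem with erofs_err(), so a user with an overlong access key or secret key gets no hint about what was rejected. I would add an erofs_err() that names the passwd_file and which field is too long. The `>` comparisons are only sufficient if the callers' `ak` and `sk` buffers hold S3_ACCESS_KEY_LEN + 1 and S3_SECRET_KEY_LEN + 1 bytes; those declarations are not visible here, so it is worth stating that in the commit message or a comment. Since both lengths are now computed, they could be kept in locals and the two strcpy() calls replaced with memcpy() of length + 1.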
> --
> 2.43.0
>
>