[PATCH] erofs-utils: lib: switch ZSTD decompression to streaming API
Utkal Singh
singhutkal015 at gmail.com
Mon Mar 23 16:22:57 AEDT 2026
The current ZSTD decompression path calls ZSTD_getFrameContentSize()
(or legacy ZSTD_getDecompressedSize()) to read the decompressed size
from the ZSTD frame header, then malloc()s a buffer of that size.
This is problematic because the frame content size field is untrusted
on-disk metadata; a crafted EROFS image can set it to an arbitrarily
large value, triggering a large allocation before any real validation
occurs.
The Linux kernel's erofs ZSTD decompressor does not use
ZSTD_getFrameContentSize() at all. It uses ZSTD_decompressStream(),
which decompresses directly into a caller-supplied buffer whose size
is already known from the extent map.
Align erofs-utils with the kernel:
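- Use rq->decodedlength (from the trusted extent map) to size the
  output buffer, removing the dependency on the on-disk frame header.
- Replace ZSTD_decompress() with ZSTD_createDStream(),
  ZSTD_initDStream(), and ZSTD_decompressStream().
- Remove the HAVE_ZSTD_GETFRAMECONTENTSIZE ifdef block entirely.
- For the decodedskip case, allocate a temporary buffer of exactly
  rq->decodedlength (not the untrusted frame size).
- Reject a frame that is not fully decoded, or whose decoded size
  differs from rq->decodedlength, instead of bouncing it through a
  temporary buffer of the frame-declared size.
- Report decompression failures and length mismatches as
  -EFSCORRUPTED rather than -EIO.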
Suggested-by: Gao Xiang <hsiangkao at linux.alibaba.com>
Signed-off-by: Utkal Singh <singhutkal015 at gmail.com>
---
lib/decompress.c | 76 +++++++++++++++++++++++++++++-------------------
1 file changed, 46 insertions(+), 30 deletions(-)
diff --git a/lib/decompress.c b/lib/decompress.c
index e66693c..19cde03 100644
--- a/lib/decompress.c
+++ b/lib/decompress.c
@@ -28,57 +28,73 @@ static unsigned int z_erofs_fixup_insize(const u8 *padbuf, unsigned int padbufsi
/* also a very preliminary userspace version */
static int z_erofs_decompress_zstd(struct z_erofs_decompress_req *rq)
{
- int ret = 0;
+ ZSTD_DStream *dstream;
+ ZSTD_inBuffer in;
+ ZSTD_outBuffer out;
char *dest = rq->out;
char *src = rq->in;
char *buff = NULL;
- unsigned int inputmargin = 0;
- unsigned long long total;
+ unsigned int inputmargin;
+ size_t ret;
+ int err = 0;
inputmargin = z_erofs_fixup_insize((u8 *)src, rq->inputsize);
if (inputmargin >= rq->inputsize)
return -EFSCORRUPTED;
-#ifdef HAVE_ZSTD_GETFRAMECONTENTSIZE
- total = ZSTD_getFrameContentSize(src + inputmargin,
- rq->inputsize - inputmargin);
- if (total == ZSTD_CONTENTSIZE_UNKNOWN ||
- total == ZSTD_CONTENTSIZE_ERROR)
- return -EFSCORRUPTED;
-#else
- total = ZSTD_getDecompressedSize(src + inputmargin,
- rq->inputsize - inputmargin);
-#endif
- if (rq->decodedskip || total != rq->decodedlength) {
- buff = malloc(total);
+ if (rq->decodedskip) {
+ buff = malloc(rq->decodedlength);
if (!buff)
return -ENOMEM;
dest = buff;
}
- ret = ZSTD_decompress(dest, total,
- src + inputmargin, rq->inputsize - inputmargin);
+ dstream = ZSTD_createDStream();
+ if (!dstream) {
+ err = -ENOMEM;
+ goto out_free_buff;
+ }
+
+ ZSTD_initDStream(dstream);
+
+ in.src = src + inputmargin;
+ in.size = rq->inputsize - inputmargin;
+ in.pos = 0;
+
+ out.dst = dest;
+ out.size = rq->decodedlength;
+ out.pos = 0;
+
+ ret = ZSTD_decompressStream(dstream, &out, &in);
if (ZSTD_isError(ret)) {
- erofs_err("ZSTD decompress failed %d: %s", ZSTD_getErrorCode(ret),
- ZSTD_getErrorName(ret));
- ret = -EIO;
- goto out;
+ erofs_err("ZSTD decompress failed: %s", ZSTD_getErrorName(ret));
+ err = -EFSCORRUPTED;
+ goto out_free_dstream;
}
- if (ret != (int)total) {
- erofs_err("ZSTD decompress length mismatch %d, expected %d",
- ret, total);
- ret = -EIO;
- goto out;
+ if (ret != 0) {
+ erofs_err("ZSTD frame not fully decoded");
+ err = -EFSCORRUPTED;
+ goto out_free_dstream;
+ }
+
+ if (out.pos != rq->decodedlength) {
+ erofs_err("ZSTD decompress length mismatch: got %zu, expected %u",
+ out.pos, rq->decodedlength);
+ err = -EFSCORRUPTED;
+ goto out_free_dstream;
}
- if (rq->decodedskip || total != rq->decodedlength)
+
+ if (rq->decodedskip)
memcpy(rq->out, dest + rq->decodedskip,
rq->decodedlength - rq->decodedskip);
- ret = 0;
-out:
+
+out_free_dstream:
+ ZSTD_freeDStream(dstream);
+out_free_buff:
if (buff)
free(buff);
- return ret;
+ return err;
}
#endif
--
2.43.0
More information about the Linux-erofs mailing list