* [PATCH] erofs-utils: mkfs: fix out-of-bounds memory access in mt-mkfs
@ 2024-03-17 6:45 Yifan Zhao
2024-03-17 7:08 ` Gao Xiang
0 siblings, 1 reply; 2+ messages in thread
From: Yifan Zhao @ 2024-03-17 6:45 UTC (permalink / raw)
To: linux-erofs; +Cc: Yifan Zhao
If a segment is smaller than the block size, sizeof(sctx->membuf) should
be at least as large as the block size, as memory write into the buffer
is done in block size.
Signed-off-by: Yifan Zhao <zhaoyifan@sjtu.edu.cn>
---
lib/compress.c | 9 +++++----
1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/lib/compress.c b/lib/compress.c
index aeb7013..67a86db 100644
--- a/lib/compress.c
+++ b/lib/compress.c
@@ -1096,11 +1096,12 @@ void z_erofs_mt_workfn(struct erofs_work *work, void *tlsp)
struct erofs_compress_work *cwork = (struct erofs_compress_work *)work;
struct erofs_compress_wq_tls *tls = tlsp;
struct z_erofs_compress_sctx *sctx = &cwork->ctx;
+ struct erofs_sb_info *sbi = sctx->ictx->inode->sbi;
+ erofs_off_t blksz = erofs_blksiz(sbi);
int ret = 0;
- ret = z_erofs_mt_wq_tls_init_compr(sctx->ictx->inode->sbi, tls,
- cwork->alg_id, cwork->alg_name,
- cwork->comp_level,
+ ret = z_erofs_mt_wq_tls_init_compr(sbi, tls, cwork->alg_id,
+ cwork->alg_name, cwork->comp_level,
cwork->dict_size);
if (ret)
goto out;
@@ -1109,7 +1110,7 @@ void z_erofs_mt_workfn(struct erofs_work *work, void *tlsp)
sctx->destbuf = tls->destbuf;
sctx->chandle = &tls->ccfg[cwork->alg_id].handle;
- sctx->membuf = malloc(sctx->remaining);
+ sctx->membuf = malloc(max(blksz, sctx->remaining));
if (!sctx->membuf) {
ret = -ENOMEM;
goto out;
--
2.44.0
^ permalink raw reply related [flat|nested] 2+ messages in thread
* Re: [PATCH] erofs-utils: mkfs: fix out-of-bounds memory access in mt-mkfs
2024-03-17 6:45 [PATCH] erofs-utils: mkfs: fix out-of-bounds memory access in mt-mkfs Yifan Zhao
@ 2024-03-17 7:08 ` Gao Xiang
0 siblings, 0 replies; 2+ messages in thread
From: Gao Xiang @ 2024-03-17 7:08 UTC (permalink / raw)
To: Yifan Zhao; +Cc: linux-erofs
On Sun, Mar 17, 2024 at 02:45:09PM +0800, Yifan Zhao wrote:
> If a segment is smaller than the block size, sizeof(sctx->membuf) should
> be at least as large as the block size, as memory write into the buffer
> is done in block size.
>
> Signed-off-by: Yifan Zhao <zhaoyifan@sjtu.edu.cn>
> ---
Folded the following diff into the original patch:
diff --git a/lib/compress.c b/lib/compress.c
index aeb7013..8d88dd1 100644
--- a/lib/compress.c
+++ b/lib/compress.c
@@ -1096,11 +1096,11 @@ void z_erofs_mt_workfn(struct erofs_work *work, void *tlsp)
struct erofs_compress_work *cwork = (struct erofs_compress_work *)work;
struct erofs_compress_wq_tls *tls = tlsp;
struct z_erofs_compress_sctx *sctx = &cwork->ctx;
+ struct erofs_sb_info *sbi = sctx->ictx->inode->sbi;
int ret = 0;
- ret = z_erofs_mt_wq_tls_init_compr(sctx->ictx->inode->sbi, tls,
- cwork->alg_id, cwork->alg_name,
- cwork->comp_level,
+ ret = z_erofs_mt_wq_tls_init_compr(sbi, tls, cwork->alg_id,
+ cwork->alg_name, cwork->comp_level,
cwork->dict_size);
if (ret)
goto out;
@@ -1109,7 +1109,7 @@ void z_erofs_mt_workfn(struct erofs_work *work, void *tlsp)
sctx->destbuf = tls->destbuf;
sctx->chandle = &tls->ccfg[cwork->alg_id].handle;
- sctx->membuf = malloc(sctx->remaining);
+ sctx->membuf = malloc(round_up(sctx->remaining, erofs_blksiz(sbi)));
if (!sctx->membuf) {
ret = -ENOMEM;
goto out;
--
2.30.2
^ permalink raw reply related [flat|nested] 2+ messages in thread
end of thread, other threads:[~2024-03-17 7:08 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2024-03-17 6:45 [PATCH] erofs-utils: mkfs: fix out-of-bounds memory access in mt-mkfs Yifan Zhao
2024-03-17 7:08 ` Gao Xiang
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.