From: Utkal Singh <singhutkal015@gmail.com>
To: linux-erofs@lists.ozlabs.org
Cc: xiang@kernel.org, Utkal Singh <singhutkal015@gmail.com>
Subject: [PATCH] erofs-utils: lib: validate inode offset bounds in erofs_read_inode_from_disk()
Date: Wed, 4 Mar 2026 18:21:21 +0000 [thread overview]
Message-ID: <20260304182121.44834-1-singhutkal015@gmail.com> (raw)
A crafted EROFS image can contain an out-of-range node ID in directory
entries or the superblock root_nid that causes erofs_iloc() to compute
an inode offset beyond the image size. This leads to out-of-bounds
reads in erofs_read_metabuf(), potentially crashing fsck.erofs,
erofsfuse, or dump.erofs.
Add a bounds check at the start of erofs_read_inode_from_disk() to
verify that the computed inode offset plus the minimum on-disk inode
size (erofs_inode_compact) does not exceed the primary device size.
Return -EFSCORRUPTED if the check fails.
This also deduplicates the erofs_iloc() computation which was
previously evaluated twice.
Signed-off-by: Utkal Singh <singhutkal015@gmail.com>
---
lib/namei.c | 17 +++++++++++++++--
1 file changed, 15 insertions(+), 2 deletions(-)
diff --git a/lib/namei.c b/lib/namei.c
index 896e348..8a83166 100644
--- a/lib/namei.c
+++ b/lib/namei.c
@@ -25,8 +25,9 @@ static dev_t erofs_new_decode_dev(u32 dev)
int erofs_read_inode_from_disk(struct erofs_inode *vi)
{
struct erofs_sb_info *sbi = vi->sbi;
- erofs_blk_t blkaddr = erofs_blknr(sbi, erofs_iloc(vi));
- unsigned int ofs = erofs_blkoff(sbi, erofs_iloc(vi));
+ erofs_off_t inode_loc = erofs_iloc(vi);
+ erofs_blk_t blkaddr;
+ unsigned int ofs;
bool in_mbox = erofs_inode_in_metabox(vi);
struct erofs_buf buf = __EROFS_BUF_INITIALIZER;
erofs_blk_t addrmask = BIT_ULL(48) - 1;
@@ -36,6 +37,18 @@ int erofs_read_inode_from_disk(struct erofs_inode *vi)
void *ptr;
int err = 0;
+ if (!in_mbox && sbi->primarydevice_blocks &&
+ inode_loc + sizeof(struct erofs_inode_compact) >
+ erofs_pos(sbi, sbi->primarydevice_blocks)) {
+ erofs_err("invalid nid %llu (inode location %llu beyond image size %llu)",
+ vi->nid | 0ULL, inode_loc | 0ULL,
+ erofs_pos(sbi, sbi->primarydevice_blocks) | 0ULL);
+ return -EFSCORRUPTED;
+ }
+
+ blkaddr = erofs_blknr(sbi, inode_loc);
+ ofs = erofs_blkoff(sbi, inode_loc);
+
ptr = erofs_read_metabuf(&buf, sbi, erofs_pos(sbi, blkaddr), in_mbox);
if (IS_ERR(ptr)) {
err = PTR_ERR(ptr);
--
2.43.0
next reply other threads:[~2026-03-04 18:21 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-03-04 18:21 Utkal Singh [this message]
2026-03-04 23:45 ` [PATCH] erofs-utils: lib: validate inode offset bounds in erofs_read_inode_from_disk() Gao Xiang
2026-03-04 23:59 ` Gao Xiang
2026-03-05 16:36 ` Utkal Singh
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260304182121.44834-1-singhutkal015@gmail.com \
--to=singhutkal015@gmail.com \
--cc=linux-erofs@lists.ozlabs.org \
--cc=xiang@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox