From: Utkal Singh <singhutkal015@gmail.com>
To: hsiangkao@linux.alibaba.com
Cc: linux-erofs@lists.ozlabs.org, Utkal Singh <singhutkal015@gmail.com>
Subject: [PATCH] erofs-utils: xattr: validate h_shared_count against xattr_isize
Date: Sun, 15 Mar 2026 07:19:41 +0000 [thread overview]
Message-ID: <20260315071941.15424-1-singhutkal015@gmail.com> (raw)
The h_shared_count field in struct erofs_xattr_ibody_header is a raw u8
read directly from the on-disk image without any validation. The code
currently trusts this value unconditionally:
vi->xattr_shared_count = ih->h_shared_count;
vi->xattr_shared_xattrs = malloc(vi->xattr_shared_count * sizeof(uint));
for (i = 0; i < vi->xattr_shared_count; ++i) {
it.kaddr = erofs_bread(&it.buf, it.pos, true);
vi->xattr_shared_xattrs[i] = le32_to_cpu(*(__le32 *)it.kaddr);
it.pos += sizeof(__le32);
}
A crafted image with xattr_isize=12 (minimum, header only) and
h_shared_count=50 causes the loop to read 200 bytes past the declared
xattr region into adjacent inode metadata or data blocks. The harvested
values are later used as raw offsets in erofs_xattr_iter_shared():
it->pos = erofs_pos(sbi, sbi->xattr_blkaddr) +
vi->xattr_shared_xattrs[i] * sizeof(__le32);
This creates an arbitrary-read-within-image primitive exploitable via
malicious container images processed by fsck.erofs, erofsfuse, or
dump.erofs.
Fix by validating that all h_shared_count entries fit inside xattr_isize
before allocating or iterating, returning -EFSCORRUPTED on violation.
Signed-off-by: Utkal Singh <singhutkal015@gmail.com>
---
lib/xattr.c | 20 ++++++++++++++++++++
1 file changed, 20 insertions(+)
diff --git a/lib/xattr.c b/lib/xattr.c
index 565070a..64f3f95 100644
--- a/lib/xattr.c
+++ b/lib/xattr.c
@@ -1182,6 +1182,26 @@ static int erofs_init_inode_xattrs(struct erofs_inode *vi)
ih = it.kaddr;
vi->xattr_shared_count = ih->h_shared_count;
+
+ /*
+ * Validate that the claimed number of shared xattr index entries
+ * actually fits within the inode's declared xattr_isize.
+ * h_shared_count is a raw u8 read from the on-disk image; a crafted
+ * image could set h_shared_count=255 with xattr_isize=12 (header only),
+ * causing the loop below to read h_shared_count*4 bytes past the xattr
+ * region into adjacent inode metadata. Those harvested values are later
+ * used as block offsets in erofs_xattr_iter_shared(), making this an
+ * arbitrary-read-within-image primitive.
+ */
+ if (vi->xattr_shared_count &&
+ (unsigned int)vi->xattr_shared_count * sizeof(__le32) >
+ vi->xattr_isize - sizeof(struct erofs_xattr_ibody_header)) {
+ erofs_err("xattr_shared_count %u exceeds xattr_isize %u for nid %llu",
+ vi->xattr_shared_count, vi->xattr_isize,
+ (unsigned long long)vi->nid);
+ erofs_put_metabuf(&it.buf);
+ return -EFSCORRUPTED;
+ }
vi->xattr_shared_xattrs = malloc(vi->xattr_shared_count * sizeof(uint));
if (!vi->xattr_shared_xattrs) {
erofs_put_metabuf(&it.buf);
--
2.43.0
reply other threads:[~2026-03-15 7:19 UTC|newest]
Thread overview: [no followups] expand[flat|nested] mbox.gz Atom feed
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260315071941.15424-1-singhutkal015@gmail.com \
--to=singhutkal015@gmail.com \
--cc=hsiangkao@linux.alibaba.com \
--cc=linux-erofs@lists.ozlabs.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox