From: Utkal Singh <singhutkal015@gmail.com>
To: hsiangkao@linux.alibaba.com
Cc: linux-erofs@lists.ozlabs.org, Utkal Singh <singhutkal015@gmail.com>
Subject: [PATCH] fsck.erofs: xattr: validate h_shared_count before shared entry loop
Date: Sun, 15 Mar 2026 07:38:11 +0000 [thread overview]
Message-ID: <20260315073811.26665-1-singhutkal015@gmail.com> (raw)
The h_shared_count field in erofs_xattr_ibody_header is a raw u8 read
directly from the on-disk image. erofs_verify_xattr() subtracts
h_shared_count * sizeof(erofs_xattr_entry) from 'remaining' without
first checking whether that product fits within the available space:
remaining -= xattr_hdr_size; /* remaining = xattr_isize - 12 */
for (i = 0; i < xattr_shared_count; ++i) {
...
remaining -= xattr_entry_size; /* can go deeply negative */
}
while (remaining > 0) { /* silently skipped! */
/* inline xattr validation never runs */
}
A crafted image with h_shared_count=100 and xattr_isize=12 causes
remaining to reach -400. The subsequent while(remaining > 0) loop
is never entered, so all inline xattr entries are silently skipped
and fsck.erofs reports the image as clean despite corruption.
Fix by checking that h_shared_count * xattr_entry_size does not
exceed the remaining space before the loop, returning -EFSCORRUPTED
on violation.
Signed-off-by: Utkal Singh <singhutkal015@gmail.com>
---
fsck/main.c | 14 ++++++++++++++
1 file changed, 14 insertions(+)
diff --git a/fsck/main.c b/fsck/main.c
index 16cc627..a3cd50d 100644
--- a/fsck/main.c
+++ b/fsck/main.c
@@ -378,6 +378,20 @@ static int erofs_verify_xattr(struct erofs_inode *inode)
ofs = erofs_blkoff(sbi, addr) + xattr_hdr_size;
addr += xattr_hdr_size;
remaining -= xattr_hdr_size;
+ /* Validate shared count fits within remaining xattr space.
+ * h_shared_count is a raw u8 from disk; if it exceeds the
+ * available space, remaining goes negative and the inline
+ * xattr validation loop at line 396 is silently skipped,
+ * causing fsck to miss structurally corrupt xattr data.
+ */
+ if ((unsigned int)xattr_shared_count * xattr_entry_size >
+ (unsigned int)remaining) {
+ erofs_err("nid %llu: h_shared_count %u exceeds xattr_isize %u",
+ (unsigned long long)inode->nid,
+ xattr_shared_count, inode->xattr_isize);
+ ret = -EFSCORRUPTED;
+ goto out;
+ }
for (i = 0; i < xattr_shared_count; ++i) {
if (ofs >= erofs_blksiz(sbi)) {
if (ofs != erofs_blksiz(sbi)) {
--
2.43.0
reply other threads:[~2026-03-15 7:38 UTC|newest]
Thread overview: [no followups] expand[flat|nested] mbox.gz Atom feed
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260315073811.26665-1-singhutkal015@gmail.com \
--to=singhutkal015@gmail.com \
--cc=hsiangkao@linux.alibaba.com \
--cc=linux-erofs@lists.ozlabs.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox