From: Utkal Singh <singhutkal015@gmail.com>
To: linux-erofs@lists.ozlabs.org
Cc: hsiangkao@linux.alibaba.com, yifan.yfzhao@foxmail.com,
singhutkal015@gmail.com
Subject: [PATCH v1 1/2] erofs-utils: lib: validate ZSTD frame content size in decompression
Date: Mon, 16 Mar 2026 21:28:46 +0000 [thread overview]
Message-ID: <20260316212847.57030-2-singhutkal015@gmail.com> (raw)
In-Reply-To: <20260316212847.57030-1-singhutkal015@gmail.com>
ZSTD_getFrameContentSize() reads the content size from the ZSTD
frame header in the compressed data. This is untrusted on-disk
metadata, independent from the extent map that provides
rq->decodedlength via z_erofs_map_blocks_iter().
A crafted EROFS image can set the extent map to claim a decoded
length larger than the actual ZSTD frame content size. When this
happens, a buffer of the (smaller) frame content size is allocated
and decompressed into, but the subsequent memcpy copies
rq->decodedlength bytes from it — a potential out-of-bounds read.
Additionally, the ZSTD_getDecompressedSize() legacy fallback
returns 0 for frames without a content size field. This leads to
malloc(0) followed by out-of-bounds access on the returned pointer.
Reject frames where the reported content size is zero or smaller
than the expected decoded length.
Signed-off-by: Utkal Singh <singhutkal015@gmail.com>
---
lib/decompress.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/lib/decompress.c b/lib/decompress.c
index 3e7a173..fb81039 100644
--- a/lib/decompress.c
+++ b/lib/decompress.c
@@ -48,7 +48,14 @@ static int z_erofs_decompress_zstd(struct z_erofs_decompress_req *rq)
#else
total = ZSTD_getDecompressedSize(src + inputmargin,
rq->inputsize - inputmargin);
+ if (!total)
+ return -EFSCORRUPTED;
#endif
+ if (total < rq->decodedlength) {
+ erofs_err("ZSTD frame content size %llu < decoded length %u",
+ total, rq->decodedlength);
+ return -EFSCORRUPTED;
+ }
if (rq->decodedskip || total != rq->decodedlength) {
buff = malloc(total);
if (!buff)
--
2.43.0
next prev parent reply other threads:[~2026-03-16 21:29 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-03-16 21:28 [PATCH v1 0/2] erofs-utils: lib: fix ZSTD decompression safety issues Utkal Singh
2026-03-16 21:28 ` Utkal Singh [this message]
2026-03-17 2:10 ` [PATCH v1 1/2] erofs-utils: lib: validate ZSTD frame content size in decompression Gao Xiang
2026-03-17 4:47 ` Utkal Singh
2026-03-16 21:28 ` [PATCH v1 2/2] erofs-utils: lib: return error on ZSTD decompression length mismatch Utkal Singh
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260316212847.57030-2-singhutkal015@gmail.com \
--to=singhutkal015@gmail.com \
--cc=hsiangkao@linux.alibaba.com \
--cc=linux-erofs@lists.ozlabs.org \
--cc=yifan.yfzhao@foxmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox