public inbox for linux-erofs@ozlabs.org
* [PATCH v2 0/2] erofs-utils: lib/tar: fix PAX header parsing issues
@ 2026-03-16  6:51 Utkal Singh
  2026-03-16  6:51 ` [PATCH v2 1/2] erofs-utils: lib/tar: skip PAX entries with empty path Utkal Singh
                   ` (2 more replies)
  0 siblings, 3 replies; 5+ messages in thread
From: Utkal Singh @ 2026-03-16  6:51 UTC (permalink / raw)
  To: linux-erofs; +Cc: xiang, yifan.yfzhao, Utkal Singh

These two patches fix input validation bugs in the PAX extended
header parser in lib/tar.c that can trigger crashes on malformed
or crafted tar archives.

Patch 1 skips PAX entries with empty path= value to avoid
out-of-bounds access on zero-length strings.

Patch 2 rejects negative size= values to prevent heap corruption
from incorrect allocation sizes in subsequent operations.

Changes in v2:
  - Fix mixed indentation in patch 2/2 (use tabs, not spaces)

Utkal Singh (2):
  erofs-utils: lib/tar: skip PAX entries with empty path
  erofs-utils: lib/tar: reject negative size= value in PAX header

 lib/tar.c | 7 +++++++
 1 file changed, 7 insertions(+)

-- 
2.43.0




* [PATCH v2 1/2] erofs-utils: lib/tar: skip PAX entries with empty path
  2026-03-16  6:51 [PATCH v2 0/2] erofs-utils: lib/tar: fix PAX header parsing issues Utkal Singh
@ 2026-03-16  6:51 ` Utkal Singh
  2026-03-16  6:51 ` [PATCH v2 2/2] erofs-utils: lib/tar: reject negative size= value in PAX header Utkal Singh
  2026-03-16  7:35 ` [PATCH v2 0/2] erofs-utils: lib/tar: fix PAX header parsing issues Gao Xiang
  2 siblings, 0 replies; 5+ messages in thread
From: Utkal Singh @ 2026-03-16  6:51 UTC (permalink / raw)
  To: linux-erofs; +Cc: xiang, yifan.yfzhao, Utkal Singh

When a PAX extended header contains 'path=' with an empty value,
the computed length becomes zero. The subsequent trailing-slash
removal loop accesses eh->path[j - 1] where j is zero, resulting
in an out-of-bounds read and undefined behavior.

Skip such entries to avoid unsafe pointer arithmetic and invalid
filename handling.

Signed-off-by: Utkal Singh <singhutkal015@gmail.com>
---
 lib/tar.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/lib/tar.c b/lib/tar.c
index 26461f8..be86984 100644
--- a/lib/tar.c
+++ b/lib/tar.c
@@ -510,6 +510,8 @@ int tarerofs_parse_pax_header(struct erofs_iostream *ios,
 
 			if (!strncmp(kv, "path=", sizeof("path=") - 1)) {
 				int j = p - 1 - value;
+				if (!j)
+					continue;
 				free(eh->path);
 				eh->path = strdup(value);
 				while (eh->path[j - 1] == '/')
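Review bot: the trailing-slash loop on the last context line, `while (eh->path[j - 1] == '/')`, still has no lower bound on j, so the new `if (!j)` test covers only the empty value. If the loop body (not visible in this hunk) decrements j, a value made up entirely of '/' characters reaches j == 0 and the same eh->path[-1] read. Bounding the loop itself, e.g. `while (j > 0 && eh->path[j - 1] == '/')`, would handle both cases in one place. Separately, the `continue` runs before `free(eh->path)`, so a path set by an earlier record silently stays in effect; the commit message should say whether that is intended. A blank line after the `int j` declaration would also match the surrounding style.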
-- 
2.43.0




* [PATCH v2 2/2] erofs-utils: lib/tar: reject negative size= value in PAX header
  2026-03-16  6:51 [PATCH v2 0/2] erofs-utils: lib/tar: fix PAX header parsing issues Utkal Singh
  2026-03-16  6:51 ` [PATCH v2 1/2] erofs-utils: lib/tar: skip PAX entries with empty path Utkal Singh
@ 2026-03-16  6:51 ` Utkal Singh
  2026-03-16  7:35 ` [PATCH v2 0/2] erofs-utils: lib/tar: fix PAX header parsing issues Gao Xiang
  2 siblings, 0 replies; 5+ messages in thread
From: Utkal Singh @ 2026-03-16  6:51 UTC (permalink / raw)
  To: linux-erofs; +Cc: xiang, yifan.yfzhao, Utkal Singh

The PAX extended header size= field is parsed into a signed long
long but no check is made for negative values before assigning to
eh->st.st_size. A crafted PAX header with size=-1 passes the
existing format check, resulting in a negative file size that can
cause incorrect memory allocation and heap corruption in subsequent
read or seek operations.

Add an explicit check to reject negative size= values with -EINVAL.

Signed-off-by: Utkal Singh <singhutkal015@gmail.com>
---
 lib/tar.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/lib/tar.c b/lib/tar.c
index be86984..6fa2cda 100644
--- a/lib/tar.c
+++ b/lib/tar.c
@@ -546,6 +546,11 @@ int tarerofs_parse_pax_header(struct erofs_iostream *ios,
 					ret = -EIO;
 					goto out;
 				}
+				if (lln < 0) {
+					erofs_err("invalid negative size= in PAX header");
+					ret = -EINVAL;
+					goto out;
+				}
 				eh->st.st_size = lln;
 				eh->use_size = true;
 			} else if (!strncmp(kv, "uid=", sizeof("uid=") - 1)) {
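Review bot: the new `lln < 0` branch returns -EINVAL, while the check directly above it fails with -EIO for a size= field that does not parse, so two rejections of the same field now surface as different error codes to the caller. Either use the same code for both or note in the commit message why they differ. The `erofs_err()` message would be more useful for triage if it printed the offending value (for example with `%lld` and `lln`). Since only the lower bound is tested before `eh->st.st_size = lln;`, the commit message should also state which later allocation or seek the negative value reached, ideally backed by the reproducer.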
-- 
2.43.0




* Re: [PATCH v2 0/2] erofs-utils: lib/tar: fix PAX header parsing issues
  2026-03-16  6:51 [PATCH v2 0/2] erofs-utils: lib/tar: fix PAX header parsing issues Utkal Singh
  2026-03-16  6:51 ` [PATCH v2 1/2] erofs-utils: lib/tar: skip PAX entries with empty path Utkal Singh
  2026-03-16  6:51 ` [PATCH v2 2/2] erofs-utils: lib/tar: reject negative size= value in PAX header Utkal Singh
@ 2026-03-16  7:35 ` Gao Xiang
  2026-03-16  7:48   ` Utkal Singh
  2 siblings, 1 reply; 5+ messages in thread
From: Gao Xiang @ 2026-03-16  7:35 UTC (permalink / raw)
  To: Utkal Singh, linux-erofs; +Cc: xiang, yifan.yfzhao



On 2026/3/16 14:51, Utkal Singh wrote:
> These two patches fix input validation bugs in the PAX extended
> header parser in lib/tar.c that can trigger crashes on malformed
> or crafted tar archives.
> 
> Patch 1 skips PAX entries with empty path= value to avoid
> out-of-bounds access on zero-length strings.
> 
> Patch 2 rejects negative size= values to prevent heap corruption
> from incorrect allocation sizes in subsequent operations.

Do you have any testcases or reproducible tar? You can list them
in the compressed-base64 format in the commit message.



* Re: [PATCH v2 0/2] erofs-utils: lib/tar: fix PAX header parsing issues
  2026-03-16  7:35 ` [PATCH v2 0/2] erofs-utils: lib/tar: fix PAX header parsing issues Gao Xiang
@ 2026-03-16  7:48   ` Utkal Singh
  0 siblings, 0 replies; 5+ messages in thread
From: Utkal Singh @ 2026-03-16  7:48 UTC (permalink / raw)
  To: Gao Xiang; +Cc: linux-erofs, xiang, yifan.yfzhao


Hi Gao,

Thanks for the review.

I have prepared minimal reproducible tar test cases for both
issues. I will include them in the commit messages in
compressed base64 format and send v3 shortly.

Thanks,
Utkal

On Mon, 16 Mar 2026 at 13:05, Gao Xiang <hsiangkao@linux.alibaba.com> wrote:

>
>
> On 2026/3/16 14:51, Utkal Singh wrote:
> > These two patches fix input validation bugs in the PAX extended
> > header parser in lib/tar.c that can trigger crashes on malformed
> > or crafted tar archives.
> >
> > Patch 1 skips PAX entries with empty path= value to avoid
> > out-of-bounds access on zero-length strings.
> >
> > Patch 2 rejects negative size= values to prevent heap corruption
> > from incorrect allocation sizes in subsequent operations.
>
> Do you have any testcases or reproducible tar? You can list them
> in the compressed-base64 format in the commit message.
>
