[PATCH erofs-utils 0/2] tar: fix parsing issues for pax and GNU extensions

[PATCH erofs-utils 0/2] tar: fix parsing issues for pax and GNU extensions

[Zhan Xusheng]

This series fixes two issues in tar parsing:

- An out-of-bounds access when trimming PAX path entries
- Missing NULL pointer checks when handling GNU long name/link records

These issues can be triggered by malformed tar archives and may lead
to crashes. The fixes improve robustness when processing untrusted
inputs.

Zhan Xusheng (2):
  erofs-utils: tar: fix out-of-bounds access when trimming pax path
  erofs-utils: tar: add missing NULL checks for GNU long name/link

 lib/tar.c | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

-- 
2.43.0

[PATCH 1/2] erofs-utils: tar: fix out-of-bounds access when trimming pax path

[Zhan Xusheng]

When a PAX extended header contains a path consisting entirely of '/'
characters (e.g., "path=/"), the trailing-slash trimming loop in
tarerofs_parse_pax_header() decrements j to 0, then accesses
eh->path[-1] which is an out-of-bounds heap read.

The tar header path trimming had a similar issue fixed by commit
dcd06f421003 ("erofs-utils: mkfs: tar: fix SIGSEGV on `/` entry"),
but the PAX header path trimming was not addressed.

Add a j > 0 guard to the while condition.

Fixes: 95d315fd7958 ("erofs-utils: introduce tarerofs")
Signed-off-by: Zhan Xusheng <zhanxusheng@xiaomi.com>
---
 lib/tar.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/tar.c b/lib/tar.c
index eca29f5..3d92f48 100644
--- a/lib/tar.c
+++ b/lib/tar.c
@@ -509,7 +509,7 @@ int tarerofs_parse_pax_header(struct erofs_iostream *ios,
 				int j = p - 1 - value;
 				free(eh->path);
 				eh->path = strdup(value);
-				while (eh->path[j - 1] == '/')
+				while (j > 0 && eh->path[j - 1] == '/')
 					eh->path[--j] = '\0';
 			} else if (!strncmp(kv, "linkpath=",
 					sizeof("linkpath=") - 1)) {
-- 
2.43.0

Re: [PATCH 1/2] erofs-utils: tar: fix out-of-bounds access when trimming pax path

[Gao Xiang]

Hi,

On 2026/4/14 22:13, Zhan Xusheng wrote:
> When a PAX extended header contains a path consisting entirely of '/'
> characters (e.g., "path=/"), the trailing-slash trimming loop in
> tarerofs_parse_pax_header() decrements j to 0, then accesses
> eh->path[-1] which is an out-of-bounds heap read.
> 
> The tar header path trimming had a similar issue fixed by commit
> dcd06f421003 ("erofs-utils: mkfs: tar: fix SIGSEGV on `/` entry"),
> but the PAX header path trimming was not addressed.
> 
> Add a j > 0 guard to the while condition.
> 
> Fixes: 95d315fd7958 ("erofs-utils: introduce tarerofs")
> Signed-off-by: Zhan Xusheng <zhanxusheng@xiaomi.com>

That was addressed by others before: I think I will add
your `Signed-off-by:` into the original patch.

BTW, are you using LLM to discover bugs too?

Thanks,
Gao Xiang

> ---
>   lib/tar.c | 2 +-
>   1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/lib/tar.c b/lib/tar.c
> index eca29f5..3d92f48 100644
> --- a/lib/tar.c
> +++ b/lib/tar.c
> @@ -509,7 +509,7 @@ int tarerofs_parse_pax_header(struct erofs_iostream *ios,
>   				int j = p - 1 - value;
>   				free(eh->path);
>   				eh->path = strdup(value);
> -				while (eh->path[j - 1] == '/')
> +				while (j > 0 && eh->path[j - 1] == '/')
>   					eh->path[--j] = '\0';
>   			} else if (!strncmp(kv, "linkpath=",
>   					sizeof("linkpath=") - 1)) {

Re: [PATCH erofs-utils 0/2] tar: fix parsing issues for pax and GNU extensions

[Zhan Xusheng]

Hi Gao,

Thanks!

The issue was identified during manual code review. I occasionally
use LLMs to help polish commit messages or double-check wording.

Thanks for adding my Signed-off-by.

Best regards,
Zhan Xusheng

Re: [PATCH erofs-utils 0/2] tar: fix parsing issues for pax and GNU extensions

[Gao Xiang]

Hi Zhan,

On 2026/4/14 22:46, Zhan Xusheng wrote:
> Hi Gao,
> 
> Thanks!
> 
> The issue was identified during manual code review. I occasionally
> use LLMs to help polish commit messages or double-check wording.
> 
> Thanks for adding my Signed-off-by.

For example, this:
https://lore.kernel.org/linux-erofs/20260326125406.61001-1-ch@vnsh.in

I've lost my similiar commits like this,
but I will address them all soon.

Thanks,
Gao Xiang

> 
> Best regards,
> Zhan Xusheng

Re: [PATCH erofs-utils 0/2] tar: fix parsing issues for pax and GNU extensions

[Zhan Xusheng]

Hi Gao,

Thanks for the reference!

I see, that looks like a similar issue. Please feel free to take over
and address them together.

Let me know if I can help with anything.

Best regards,
Zhan Xusheng

[PATCH 2/2] erofs-utils: tar: add missing NULL checks for GNU long name/link

[Zhan Xusheng]

In the GNU long name ('L') and long link ('K') handling, malloc()
return values are not checked.  If st.st_size is excessively large
from a crafted tar header, malloc() fails and returns NULL, then
erofs_iostream_bread() writes to a NULL pointer causing a crash.

Also add the missing PATH_MAX bound check for 'L' entries, which
the 'K' path already had.

Fixes: 95d315fd7958 ("erofs-utils: introduce tarerofs")
Signed-off-by: Zhan Xusheng <zhanxusheng@xiaomi.com>
---
 lib/tar.c | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/lib/tar.c b/lib/tar.c
index 3d92f48..24d8314 100644
--- a/lib/tar.c
+++ b/lib/tar.c
@@ -886,7 +886,8 @@ out_eot:
 	case 'L':
 		free(eh.path);
 		eh.path = malloc(st.st_size + 1);
-		if (st.st_size != erofs_iostream_bread(&tar->ios, eh.path,
+		if (!eh.path || st.st_size > PATH_MAX ||
+		    st.st_size != erofs_iostream_bread(&tar->ios, eh.path,
 						       st.st_size))
 			goto invalid_tar;
 		eh.path[st.st_size] = '\0';
@@ -894,8 +895,9 @@ out_eot:
 	case 'K':
 		free(eh.link);
 		eh.link = malloc(st.st_size + 1);
-		if (st.st_size > PATH_MAX || st.st_size !=
-		    erofs_iostream_bread(&tar->ios, eh.link, st.st_size))
+		if (!eh.link || st.st_size > PATH_MAX ||
+		    st.st_size != erofs_iostream_bread(&tar->ios, eh.link,
+						       st.st_size))
 			goto invalid_tar;
 		eh.link[st.st_size] = '\0';
 		goto restart;
-- 
2.43.0