[PATCH] erofs: fix unsigned underflow in z_erofs_lz4_handle_overlap()

[PATCH] erofs: fix unsigned underflow in z_erofs_lz4_handle_overlap()

[Junrui Luo]

In z_erofs_lz4_handle_overlap(), the index expression
"rq->outpages - rq->inpages + i" is computed in unsigned arithmetic.
If outpages < inpages, the subtraction wraps to a large value and
the subsequent rq->out[] access reads past the decompressed_pages
array.

z_erofs_map_sanity_check() does not enforce m_plen <= m_llen, so a
crafted image declaring m_plen > m_llen can produce outpages < inpages.

The in-place branch is currently unreachable: it requires both
partial_decoding == false and omargin > 0, but these are mutually
exclusive. partial_decoding == false requires pcl->length == m_llen,
which in turn requires (offset + end == m_la + m_llen) where
offset + end is page-aligned from folio boundaries. This forces
m_la + m_llen to be page-aligned, making oend page-aligned and
omargin zero.

Nonetheless, guard the branch with an explicit outpages >= inpages
check so the underflow cannot occur if future changes break this
alignment invariant.

Fixes: 598162d05080 ("erofs: support decompress big pcluster for lz4 backend")
Reported-by: Yuhao Jiang <danisjiang@gmail.com>
Cc: stable@vger.kernel.org
Signed-off-by: Junrui Luo <moonafterrain@outlook.com>
---
 fs/erofs/decompressor.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/fs/erofs/decompressor.c b/fs/erofs/decompressor.c
index 3c54e95964c9..2b065f8c3f71 100644
--- a/fs/erofs/decompressor.c
+++ b/fs/erofs/decompressor.c
@@ -145,6 +145,7 @@ static void *z_erofs_lz4_handle_overlap(const struct z_erofs_decompress_req *rq,
 	oend = rq->pageofs_out + rq->outputsize;
 	omargin = PAGE_ALIGN(oend) - oend;
 	if (!rq->partial_decoding && may_inplace &&
+	    rq->outpages >= rq->inpages &&
 	    omargin >= LZ4_DECOMPRESS_INPLACE_MARGIN(rq->inputsize)) {
 		for (i = 0; i < rq->inpages; ++i)
 			if (rq->out[rq->outpages - rq->inpages + i] !=

---
base-commit: 7aaa8047eafd0bd628065b15757d9b48c5f9c07d
change-id: 20260409-fixes-9430aaf958d5

Best regards,
-- 
Junrui Luo <moonafterrain@outlook.com>

Re: [PATCH] erofs: fix unsigned underflow in z_erofs_lz4_handle_overlap()

[Gao Xiang]

On 2026/4/9 14:57, Junrui Luo wrote:
> In z_erofs_lz4_handle_overlap(), the index expression
> "rq->outpages - rq->inpages + i" is computed in unsigned arithmetic.
> If outpages < inpages, the subtraction wraps to a large value and
> the subsequent rq->out[] access reads past the decompressed_pages
> array.
> 
> z_erofs_map_sanity_check() does not enforce m_plen <= m_llen, so a
> crafted image declaring m_plen > m_llen can produce outpages < inpages.

For this kind of stuff, do you have a reproducer?

`m_plen > m_llen` can happen on partial decoding only.

> 
> The in-place branch is currently unreachable: it requires both
> partial_decoding == false and omargin > 0, but these are mutually
> exclusive. partial_decoding == false requires pcl->length == m_llen,
> which in turn requires (offset + end == m_la + m_llen) where
> offset + end is page-aligned from folio boundaries. This forces

I'm not sure what you're saying, but I don't think
you really understand the entire logic.

> m_la + m_llen to be page-aligned, making oend page-aligned and
> omargin zero.

`m_la + m_llen` should not be page-aligned for typical
erofs images, you can just mkfs.erofs -zlz4hc with some
file and check it yourself.

BTW, I just check upstream, and the inplace branch
works prefectly.

Thanks,
Gao Xiang

Re: [PATCH] erofs: fix unsigned underflow in z_erofs_lz4_handle_overlap()

[Junrui Luo]

Hi Gao Xiang,

Thank you for the review.
 
On Thu, Apr 09, 2026 at 03:28:21PM +0800, Gao Xiang wrote:

> For this kind of stuff, do you have a reproducer?

I constructed a crafted EROFS image declaring plen=8192 and i_size=4096, giving
inpages=2 and outpages=1. Tested under QEMU with kernel (v7.0-rc6) plus a temporary
pr_warn trace in z_erofs_lz4_handle_overlap():

[   12.889652] erofs: BOUNDARY CHECK: outpages=1 < inpages=2

The image mounts and the decompressor is reached with
partial_decoding=false and outpages < inpages.

> I'm not sure what you're saying, but I don't think
> you really understand the entire logic.
> 
> `m_la + m_llen` should not be page-aligned for typical
> erofs images, you can just mkfs.erofs -zlz4hc with some
> file and check it yourself.
> 
> BTW, I just check upstream, and the inplace branch
> works prefectly.

During testing I observed that the inplace branch was not entered with
my crafted image and incorrectly concluded it was structurally unreachable.
I apologize for the incorrect analysis.

Later, I crafted another image :

	COMPRESSED_FULL layout, h_advise=0x0007 (32-byte extents)
	feature_compat=0, 5 blocks total

	Extent 0: lstart=0,    pstart=4096,  plen=8192 (LZ4)
	Extent 1: lstart=2000, pstart=12288, plen=4096 (LZ4)
	i_size=4096
	Block 0: superblock + inodes + extent records
	Block 1-2: extent 0 compressed data (non-zero padded)
	Block 3: extent 1 compressed data
	Block 4: padding

Mounted with cache_strategy=disabled, reading the file triggers:

[   11.454290] BUG: unable to handle page fault for address: ffffed1100fecf57
[   11.459901] Oops: Oops: 0000 [#1] SMP KASAN NOPTI
[   11.466542] RIP: 0010:z_erofs_lz4_decompress+0x888/0x10f0

Thanks,
Junrui Luo

Re: [PATCH] erofs: fix unsigned underflow in z_erofs_lz4_handle_overlap()

[Gao Xiang]

On 2026/4/9 18:38, Junrui Luo wrote:
> Hi Gao Xiang,
> 
> Thank you for the review.
>   
> On Thu, Apr 09, 2026 at 03:28:21PM +0800, Gao Xiang wrote:
> 
>> For this kind of stuff, do you have a reproducer?
> 
> I constructed a crafted EROFS image declaring plen=8192 and i_size=4096, giving
> inpages=2 and outpages=1. Tested under QEMU with kernel (v7.0-rc6) plus a temporary
> pr_warn trace in z_erofs_lz4_handle_overlap():
> 
> [   12.889652] erofs: BOUNDARY CHECK: outpages=1 < inpages=2
> 
> The image mounts and the decompressor is reached with
> partial_decoding=false and outpages < inpages.
> 
>> I'm not sure what you're saying, but I don't think
>> you really understand the entire logic.
>>
>> `m_la + m_llen` should not be page-aligned for typical
>> erofs images, you can just mkfs.erofs -zlz4hc with some
>> file and check it yourself.
>>
>> BTW, I just check upstream, and the inplace branch
>> works prefectly.
> 
> During testing I observed that the inplace branch was not entered with
> my crafted image and incorrectly concluded it was structurally unreachable.
> I apologize for the incorrect analysis.
Can you share your initial crafted image binary
with `gzip -9 | base64` encoding here?

I think the proper place to fix this is in
z_erofs_map_sanity_check().

But we only accept patches with proper reproducible
ways (e.g. base64-encoded zipped images or syzbot
link).

Thanks,
Gao Xiang

Re: [PATCH] erofs: fix unsigned underflow in z_erofs_lz4_handle_overlap()

[Junrui Luo]

On Thu, Apr 09, 2026 at 06:56:42PM +0800, Gao Xiang wrote:
> Can you share your initial crafted image binary
> with `gzip -9 | base64` encoding here?

$ gzip -9 < /tmp/erofs-test/test.erofs | base64
H4sIAJGR12kCA+3SPUoDQRgG4MkmkkZk8QRbRFIIi9hbpEjrHQI5ghfwCN5BLCzTGtLbBI+gdilS
Jo1CnIm7GEXFxhT6PDDwfrs73/ywIQD/1ePD4r7Ou6ETsrq4mu7XcWfj++Pb58nJU/9iPNtbjhan
04/9GtX4qVYc814WDqt6FaX5s+ZwXXeq52lndT6IuVvlblytLMvh4Gzwaf90nsvz2DF/21+20T/l
dgp5s1jXRaN4t/8izsy/OUB6e/Qa79r+JwAAAAAAAL52vQVuGQAAAP6+my1wywAAAAAAAADwu14A
TsEYtgBQAAA=

In QEMU:
$ mount -t erofs -o cache_strategy=disabled test.erofs /mnt
$ dd if=/mnt/data of=/dev/null bs=4096 count=1

> I think the proper place to fix this is in
> z_erofs_map_sanity_check().
 
I will resend with the check in
z_erofs_map_sanity_check() instead if the reproducer is acceptable.

Thanks,
Junrui Luo

Re: [PATCH] erofs: fix unsigned underflow in z_erofs_lz4_handle_overlap()

[Gao Xiang]

On 2026/4/9 19:49, Junrui Luo wrote:
> On Thu, Apr 09, 2026 at 06:56:42PM +0800, Gao Xiang wrote:
>> Can you share your initial crafted image binary
>> with `gzip -9 | base64` encoding here?
> 
> $ gzip -9 < /tmp/erofs-test/test.erofs | base64
> H4sIAJGR12kCA+3SPUoDQRgG4MkmkkZk8QRbRFIIi9hbpEjrHQI5ghfwCN5BLCzTGtLbBI+gdilS
> Jo1CnIm7GEXFxhT6PDDwfrs73/ywIQD/1ePD4r7Ou6ETsrq4mu7XcWfj++Pb58nJU/9iPNtbjhan
> 04/9GtX4qVYc814WDqt6FaX5s+ZwXXeq52lndT6IuVvlblytLMvh4Gzwaf90nsvz2DF/21+20T/l
> dgp5s1jXRaN4t/8izsy/OUB6e/Qa79r+JwAAAAAAAL52vQVuGQAAAP6+my1wywAAAAAAAADwu14A
> TsEYtgBQAAA=
> 
> In QEMU:
> $ mount -t erofs -o cache_strategy=disabled test.erofs /mnt
> $ dd if=/mnt/data of=/dev/null bs=4096 count=1
> 
>> I think the proper place to fix this is in
>> z_erofs_map_sanity_check().
>   
> I will resend with the check in
> z_erofs_map_sanity_check() instead if the reproducer is acceptable.

It's not a very trivial fix without having some more
understanding of EROFS compression codebase, I will
add your `Repored-by:` and try to tidy up the related
code.

Thanks,
Gao Xiang

> 
> Thanks,
> Junrui Luo

Re: [PATCH] erofs: fix unsigned underflow in z_erofs_lz4_handle_overlap()

[Gao Xiang]

Hi Junrui,

On 2026/4/9 14:57, Junrui Luo wrote:
> In z_erofs_lz4_handle_overlap(), the index expression
> "rq->outpages - rq->inpages + i" is computed in unsigned arithmetic.
> If outpages < inpages, the subtraction wraps to a large value and
> the subsequent rq->out[] access reads past the decompressed_pages
> array.
> 
> z_erofs_map_sanity_check() does not enforce m_plen <= m_llen, so a
> crafted image declaring m_plen > m_llen can produce outpages < inpages.
> 
> The in-place branch is currently unreachable: it requires both
> partial_decoding == false and omargin > 0, but these are mutually
> exclusive. partial_decoding == false requires pcl->length == m_llen,
> which in turn requires (offset + end == m_la + m_llen) where
> offset + end is page-aligned from folio boundaries. This forces
> m_la + m_llen to be page-aligned, making oend page-aligned and
> omargin zero.
> 
> Nonetheless, guard the branch with an explicit outpages >= inpages
> check so the underflow cannot occur if future changes break this
> alignment invariant.
> 
> Fixes: 598162d05080 ("erofs: support decompress big pcluster for lz4 backend")
> Reported-by: Yuhao Jiang <danisjiang@gmail.com>
> Cc: stable@vger.kernel.org
> Signed-off-by: Junrui Luo <moonafterrain@outlook.com>

After the second thinking, I think this patch is better for
easy stable backporting since other algorithms can already
handle such case (although we should return earilier in
z_erofs_map_sanity_check() formally), and I will submit a
follow-up patch to revise the related code, but it's not
for backporting.

How about refine the commit message as below:

==============

erofs: fix unsigned underflow in z_erofs_lz4_handle_overlap()

Some crafted images can have illegal (!partial_decoding &&
m_llen < m_plen) extents, and the LZ4 inplace decompression path
can be wrongly hit, but it cannot handle (outpages < inpages)
properly: "outpages - inpages" wraps to a large value and
the subsequent rq->out[] access reads past the decompressed_pages
array.

However, such crafted cases can correctly result in a corruption
report in the normal LZ4 non-inplace path.

Let's add an additional check to fix this for backporting.

Reproducible image (base64-encoded gzipped blob):

H4sIAJGR12kCA+3SPUoDQRgG4MkmkkZk8QRbRFIIi9hbpEjrHQI5ghfwCN5BLCzTGtLbBI+g
dilSJo1CnIm7GEXFxhT6PDDwfrs73/ywIQD/1ePD4r7Ou6ETsrq4mu7XcWfj++Pb58nJU/9i
PNtbjhan04/9GtX4qVYc814WDqt6FaX5s+ZwXXeq52lndT6IuVvlblytLMvh4Gzwaf90nsvz
2DF/21+20T/ldgp5s1jXRaN4t/8izsy/OUB6e/Qa79r+JwAAAAAAAL52vQVuGQAAAP6+my1w
ywAAAAAAAADwu14ATsEYtgBQAAA=

$ mount -t erofs -o cache_strategy=disabled foo.erofs /mnt
$ dd if=/mnt/data of=/dev/null bs=4096 count=1

Fixes: 598162d05080 ("erofs: support decompress big pcluster for lz4 backend")
Reported-by: Yuhao Jiang <danisjiang@gmail.com>
Cc: stable@vger.kernel.org
Signed-off-by: Junrui Luo <moonafterrain@outlook.com>

==============

Could you send a quick v2 for this so I can apply?

Thanks,
Gao Xiang