* [PATCH] erofs: fix unsigned underflow in z_erofs_lz4_handle_overlap()
@ 2026-04-09 6:57 Junrui Luo
2026-04-09 7:28 ` Gao Xiang
0 siblings, 1 reply; 5+ messages in thread
From: Junrui Luo @ 2026-04-09 6:57 UTC (permalink / raw)
To: Gao Xiang, Chao Yu, Yue Hu, Jeffle Xu, Sandeep Dhavale, Hongbo Li,
Chunhai Guo
Cc: linux-erofs, linux-kernel, Yuhao Jiang, stable, Junrui Luo
In z_erofs_lz4_handle_overlap(), the index expression
"rq->outpages - rq->inpages + i" is computed in unsigned arithmetic.
If outpages < inpages, the subtraction wraps to a large value and
the subsequent rq->out[] access reads past the decompressed_pages
array.
z_erofs_map_sanity_check() does not enforce m_plen <= m_llen, so a
crafted image declaring m_plen > m_llen can produce outpages < inpages.
The in-place branch is currently unreachable: it requires both
partial_decoding == false and omargin > 0, but these are mutually
exclusive. partial_decoding == false requires pcl->length == m_llen,
which in turn requires (offset + end == m_la + m_llen) where
offset + end is page-aligned from folio boundaries. This forces
m_la + m_llen to be page-aligned, making oend page-aligned and
omargin zero.
Nonetheless, guard the branch with an explicit outpages >= inpages
check so the underflow cannot occur if future changes break this
alignment invariant.
Fixes: 598162d05080 ("erofs: support decompress big pcluster for lz4 backend")
Reported-by: Yuhao Jiang <danisjiang@gmail.com>
Cc: stable@vger.kernel.org
Signed-off-by: Junrui Luo <moonafterrain@outlook.com>
---
fs/erofs/decompressor.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/fs/erofs/decompressor.c b/fs/erofs/decompressor.c
index 3c54e95964c9..2b065f8c3f71 100644
--- a/fs/erofs/decompressor.c
+++ b/fs/erofs/decompressor.c
@@ -145,6 +145,7 @@ static void *z_erofs_lz4_handle_overlap(const struct z_erofs_decompress_req *rq,
oend = rq->pageofs_out + rq->outputsize;
omargin = PAGE_ALIGN(oend) - oend;
if (!rq->partial_decoding && may_inplace &&
+ rq->outpages >= rq->inpages &&
omargin >= LZ4_DECOMPRESS_INPLACE_MARGIN(rq->inputsize)) {
for (i = 0; i < rq->inpages; ++i)
if (rq->out[rq->outpages - rq->inpages + i] !=
---
base-commit: 7aaa8047eafd0bd628065b15757d9b48c5f9c07d
change-id: 20260409-fixes-9430aaf958d5
Best regards,
--
Junrui Luo <moonafterrain@outlook.com>
^ permalink raw reply related [flat|nested] 5+ messages in thread
* Re: [PATCH] erofs: fix unsigned underflow in z_erofs_lz4_handle_overlap()
2026-04-09 6:57 [PATCH] erofs: fix unsigned underflow in z_erofs_lz4_handle_overlap() Junrui Luo
@ 2026-04-09 7:28 ` Gao Xiang
2026-04-09 10:38 ` Junrui Luo
0 siblings, 1 reply; 5+ messages in thread
From: Gao Xiang @ 2026-04-09 7:28 UTC (permalink / raw)
To: Junrui Luo, Gao Xiang, Chao Yu, Yue Hu, Jeffle Xu,
Sandeep Dhavale, Hongbo Li, Chunhai Guo
Cc: linux-erofs, linux-kernel, Yuhao Jiang, stable
On 2026/4/9 14:57, Junrui Luo wrote:
> In z_erofs_lz4_handle_overlap(), the index expression
> "rq->outpages - rq->inpages + i" is computed in unsigned arithmetic.
> If outpages < inpages, the subtraction wraps to a large value and
> the subsequent rq->out[] access reads past the decompressed_pages
> array.
>
> z_erofs_map_sanity_check() does not enforce m_plen <= m_llen, so a
> crafted image declaring m_plen > m_llen can produce outpages < inpages.
For this kind of stuff, do you have a reproducer?
`m_plen > m_llen` can happen on partial decoding only.
>
> The in-place branch is currently unreachable: it requires both
> partial_decoding == false and omargin > 0, but these are mutually
> exclusive. partial_decoding == false requires pcl->length == m_llen,
> which in turn requires (offset + end == m_la + m_llen) where
> offset + end is page-aligned from folio boundaries. This forces
I'm not sure what you're saying, but I don't think
you really understand the entire logic.
> m_la + m_llen to be page-aligned, making oend page-aligned and
> omargin zero.
`m_la + m_llen` should not be page-aligned for typical
erofs images, you can just mkfs.erofs -zlz4hc with some
file and check it yourself.
BTW, I just check upstream, and the inplace branch
works prefectly.
Thanks,
Gao Xiang
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [PATCH] erofs: fix unsigned underflow in z_erofs_lz4_handle_overlap()
2026-04-09 7:28 ` Gao Xiang
@ 2026-04-09 10:38 ` Junrui Luo
2026-04-09 10:56 ` Gao Xiang
0 siblings, 1 reply; 5+ messages in thread
From: Junrui Luo @ 2026-04-09 10:38 UTC (permalink / raw)
To: Gao Xiang
Cc: Gao Xiang, Chao Yu, Yue Hu, Jeffle Xu, Sandeep Dhavale, Hongbo Li,
Chunhai Guo, linux-erofs@lists.ozlabs.org,
linux-kernel@vger.kernel.org, Yuhao Jiang, stable@vger.kernel.org
Hi Gao Xiang,
Thank you for the review.
On Thu, Apr 09, 2026 at 03:28:21PM +0800, Gao Xiang wrote:
> For this kind of stuff, do you have a reproducer?
I constructed a crafted EROFS image declaring plen=8192 and i_size=4096, giving
inpages=2 and outpages=1. Tested under QEMU with kernel (v7.0-rc6) plus a temporary
pr_warn trace in z_erofs_lz4_handle_overlap():
[ 12.889652] erofs: BOUNDARY CHECK: outpages=1 < inpages=2
The image mounts and the decompressor is reached with
partial_decoding=false and outpages < inpages.
> I'm not sure what you're saying, but I don't think
> you really understand the entire logic.
>
> `m_la + m_llen` should not be page-aligned for typical
> erofs images, you can just mkfs.erofs -zlz4hc with some
> file and check it yourself.
>
> BTW, I just check upstream, and the inplace branch
> works prefectly.
During testing I observed that the inplace branch was not entered with
my crafted image and incorrectly concluded it was structurally unreachable.
I apologize for the incorrect analysis.
Later, I crafted another image :
COMPRESSED_FULL layout, h_advise=0x0007 (32-byte extents)
feature_compat=0, 5 blocks total
Extent 0: lstart=0, pstart=4096, plen=8192 (LZ4)
Extent 1: lstart=2000, pstart=12288, plen=4096 (LZ4)
i_size=4096
Block 0: superblock + inodes + extent records
Block 1-2: extent 0 compressed data (non-zero padded)
Block 3: extent 1 compressed data
Block 4: padding
Mounted with cache_strategy=disabled, reading the file triggers:
[ 11.454290] BUG: unable to handle page fault for address: ffffed1100fecf57
[ 11.459901] Oops: Oops: 0000 [#1] SMP KASAN NOPTI
[ 11.466542] RIP: 0010:z_erofs_lz4_decompress+0x888/0x10f0
Thanks,
Junrui Luo
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [PATCH] erofs: fix unsigned underflow in z_erofs_lz4_handle_overlap()
2026-04-09 10:38 ` Junrui Luo
@ 2026-04-09 10:56 ` Gao Xiang
2026-04-09 11:49 ` Junrui Luo
0 siblings, 1 reply; 5+ messages in thread
From: Gao Xiang @ 2026-04-09 10:56 UTC (permalink / raw)
To: Junrui Luo
Cc: Gao Xiang, Chao Yu, Yue Hu, Jeffle Xu, Sandeep Dhavale, Hongbo Li,
Chunhai Guo, linux-erofs@lists.ozlabs.org,
linux-kernel@vger.kernel.org, Yuhao Jiang, stable@vger.kernel.org
On 2026/4/9 18:38, Junrui Luo wrote:
> Hi Gao Xiang,
>
> Thank you for the review.
>
> On Thu, Apr 09, 2026 at 03:28:21PM +0800, Gao Xiang wrote:
>
>> For this kind of stuff, do you have a reproducer?
>
> I constructed a crafted EROFS image declaring plen=8192 and i_size=4096, giving
> inpages=2 and outpages=1. Tested under QEMU with kernel (v7.0-rc6) plus a temporary
> pr_warn trace in z_erofs_lz4_handle_overlap():
>
> [ 12.889652] erofs: BOUNDARY CHECK: outpages=1 < inpages=2
>
> The image mounts and the decompressor is reached with
> partial_decoding=false and outpages < inpages.
>
>> I'm not sure what you're saying, but I don't think
>> you really understand the entire logic.
>>
>> `m_la + m_llen` should not be page-aligned for typical
>> erofs images, you can just mkfs.erofs -zlz4hc with some
>> file and check it yourself.
>>
>> BTW, I just check upstream, and the inplace branch
>> works prefectly.
>
> During testing I observed that the inplace branch was not entered with
> my crafted image and incorrectly concluded it was structurally unreachable.
> I apologize for the incorrect analysis.
Can you share your initial crafted image binary
with `gzip -9 | base64` encoding here?
I think the proper place to fix this is in
z_erofs_map_sanity_check().
But we only accept patches with proper reproducible
ways (e.g. base64-encoded zipped images or syzbot
link).
Thanks,
Gao Xiang
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [PATCH] erofs: fix unsigned underflow in z_erofs_lz4_handle_overlap()
2026-04-09 10:56 ` Gao Xiang
@ 2026-04-09 11:49 ` Junrui Luo
0 siblings, 0 replies; 5+ messages in thread
From: Junrui Luo @ 2026-04-09 11:49 UTC (permalink / raw)
To: Gao Xiang
Cc: Gao Xiang, Chao Yu, Yue Hu, Jeffle Xu, Sandeep Dhavale, Hongbo Li,
Chunhai Guo, linux-erofs@lists.ozlabs.org,
linux-kernel@vger.kernel.org, Yuhao Jiang, stable@vger.kernel.org
On Thu, Apr 09, 2026 at 06:56:42PM +0800, Gao Xiang wrote:
> Can you share your initial crafted image binary
> with `gzip -9 | base64` encoding here?
$ gzip -9 < /tmp/erofs-test/test.erofs | base64
H4sIAJGR12kCA+3SPUoDQRgG4MkmkkZk8QRbRFIIi9hbpEjrHQI5ghfwCN5BLCzTGtLbBI+gdilS
Jo1CnIm7GEXFxhT6PDDwfrs73/ywIQD/1ePD4r7Ou6ETsrq4mu7XcWfj++Pb58nJU/9iPNtbjhan
04/9GtX4qVYc814WDqt6FaX5s+ZwXXeq52lndT6IuVvlblytLMvh4Gzwaf90nsvz2DF/21+20T/l
dgp5s1jXRaN4t/8izsy/OUB6e/Qa79r+JwAAAAAAAL52vQVuGQAAAP6+my1wywAAAAAAAADwu14A
TsEYtgBQAAA=
In QEMU:
$ mount -t erofs -o cache_strategy=disabled test.erofs /mnt
$ dd if=/mnt/data of=/dev/null bs=4096 count=1
> I think the proper place to fix this is in
> z_erofs_map_sanity_check().
I will resend with the check in
z_erofs_map_sanity_check() instead if the reproducer is acceptable.
Thanks,
Junrui Luo
^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2026-04-09 11:49 UTC | newest]
Thread overview: 5+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-04-09 6:57 [PATCH] erofs: fix unsigned underflow in z_erofs_lz4_handle_overlap() Junrui Luo
2026-04-09 7:28 ` Gao Xiang
2026-04-09 10:38 ` Junrui Luo
2026-04-09 10:56 ` Gao Xiang
2026-04-09 11:49 ` Junrui Luo
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox