Commit 7869738b authored Jun 19, 2025 by Gao Xiang

erofs: refuse crafted out-of-file-range encoded extents

Crafted encoded extents could record out-of-range `lstart`, which should
not happen in normal cases.

It caused an iomap_iter_done() complaint [1] reported by syzbot.

[1] https://lore.kernel.org/r/684cb499.a00a0220.c6bd7.0010.GAE@google.com



Fixes: 1d191b4c ("erofs: implement encoded extent metadata")
Reported-and-tested-by:  <syzbot+d8f000c609f05f52d9b5@syzkaller.appspotmail.com>
Closes: https://syzkaller.appspot.com/bug?extid=d8f000c609f05f52d9b5


Signed-off-by: Gao Xiang <hsiangkao@linux.alibaba.com>
Link: https://lore.kernel.org/r/20250619032839.2642193-1-hsiangkao@linux.alibaba.com

parent 30b58444

fs/erofs/zmap.c

+4 −0

Original line number	Diff line number	Diff line
		@@ -597,6 +597,10 @@ static int z_erofs_map_blocks_ext(struct inode *inode,

		if (la > map->m_la) {
		r = mid;
		if (la > lend) {
		DBG_BUGON(1);
		return -EFSCORRUPTED;
		}
		lend = la;
		} else {
		l = mid + 1;