Commit d18a3b5d authored by Gao Xiang's avatar Gao Xiang
Browse files

erofs: fix the out-of-bounds nameoff handling for trailing dirents 

Currently we already have boundary-checks for nameoffs, but the trailing
dirents are special since the namelens are calculated with strnlen()
with unchecked nameoffs.

If a crafted EROFS has a trailing dirent with nameoff >= maxsize,
maxsize - nameoff can underflow, causing strnlen() to read past the
directory block.

nameoff0 should also be verified to be a multiple of
`sizeof(struct erofs_dirent)` as well [1].

[1] https://sashiko.dev/#/patchset/20260416063511.3173774-1-hsiangkao%40linux.alibaba.com



Fixes: 3aa8ec71 ("staging: erofs: add directory operations")
Fixes: 33bac912 ("staging: erofs: keep corrupted fs from crashing kernel in erofs_readdir()")
Reported-by: default avatarYuhao Jiang <danisjiang@gmail.com>
Reported-by: default avatarJunrui Luo <moonafterrain@outlook.com>
Closes: https://lore.kernel.org/r/A0FD7E0F-7558-49B0-8BC8-EB1ECDB2479A@outlook.com


Cc: stable@vger.kernel.org
Signed-off-by: default avatarGao Xiang <hsiangkao@linux.alibaba.com>
Reviewed-by: default avatarChao Yu <chao@kernel.org>
parent a5242d37

fs/erofs/dir.c

+15 −13
Original line number Diff line number Diff line
@@ -19,20 +19,18 @@ static int erofs_fill_dentries(struct inode *dir, struct dir_context *ctx, 
		const char *de_name = (char *)dentry_blk + nameoff;

		unsigned int de_namelen;



		/* the last dirent in the block? */

		if (de + 1 >= end)

			de_namelen = strnlen(de_name, maxsize - nameoff);

		else

		/* non-trailing dirent in the directory block? */

		if (de + 1 < end)

			de_namelen = le16_to_cpu(de[1].nameoff) - nameoff;

		else if (maxsize <= nameoff)

			goto err_bogus;

		else

			de_namelen = strnlen(de_name, maxsize - nameoff);



		/* a corrupted entry is found */

		if (nameoff + de_namelen > maxsize ||

		    de_namelen > EROFS_NAME_LEN) {

			erofs_err(dir->i_sb, "bogus dirent @ nid %llu",

				  EROFS_I(dir)->nid);

			DBG_BUGON(1);

			return -EFSCORRUPTED;

		}

		/* a corrupted entry is found (including negative namelen) */

		if (!in_range32(de_namelen, 1, EROFS_NAME_LEN) ||

		    nameoff + de_namelen > maxsize)

			goto err_bogus;



		if (!dir_emit(ctx, de_name, de_namelen,

			      erofs_nid_to_ino64(EROFS_SB(dir->i_sb),
@@ -42,6 +40,10 @@ static int erofs_fill_dentries(struct inode *dir, struct dir_context *ctx, 
		ctx->pos += sizeof(struct erofs_dirent);

	}

	return 0;

err_bogus:

	erofs_err(dir->i_sb, "bogus dirent @ nid %llu", EROFS_I(dir)->nid);

	DBG_BUGON(1);

	return -EFSCORRUPTED;

}



static int erofs_readdir(struct file *f, struct dir_context *ctx)
@@ -88,7 +90,7 @@ static int erofs_readdir(struct file *f, struct dir_context *ctx) 
		}



		nameoff = le16_to_cpu(de->nameoff);

		if (nameoff < sizeof(struct erofs_dirent) || nameoff >= bsz) {

		if (!nameoff || nameoff >= bsz || (nameoff % sizeof(*de))) {

			erofs_err(sb, "invalid de[0].nameoff %u @ nid %llu",

				  nameoff, EROFS_I(dir)->nid);

			err = -EFSCORRUPTED;