Unverified Commit 3f69c57d authored Feb 26, 2020 by Gao Xiang Committed by Michael Bestas Apr 16, 2024

erofs: handle corrupted images whose decompressed size less than it'd be

As Lasse pointed out, "Looking at fs/erofs/decompress.c,
the return value from LZ4_decompress_safe_partial is only
checked for negative value to catch errors. ... So if
I understood it correctly, if there is bad data whose
uncompressed size is much less than it should be, it can
leave part of the output buffer untouched and expose the
previous data as the file content. "

Let's fix it now.

Cc: Lasse Collin <lasse.collin@tukaani.org>
Fixes: 7fc45dbc ("staging: erofs: introduce generic decompression backend")
[ Gao Xiang: v5.3+, I will manually backport this to stable later. ]
Link: https://lore.kernel.org/r/20200226081008.86348-3-gaoxiang25@huawei.com


Reviewed-by: Chao Yu <yuchao0@huawei.com>
Change-Id: I0dfe0e09837cd9d39da2980818928281fea5bad9
Signed-off-by: Gao Xiang <gaoxiang25@huawei.com>

parent 62a86985

fs/erofs/decompressor.c

+7 −3

Original line number	Diff line number	Diff line
		@@ -170,14 +170,18 @@ static int z_erofs_lz4_decompress(struct z_erofs_decompress_req rq, u8 out)
		ret = LZ4_decompress_safe(src + inputmargin, out,
		inlen, rq->outputsize);

		if (ret < 0) {
		erofs_err(rq->sb, "failed to decompress, in[%u, %u] out[%u]",
		inlen, inputmargin, rq->outputsize);
		if (ret != rq->outputsize) {
		erofs_err(rq->sb, "failed to decompress %d in[%u, %u] out[%u]",
		ret, inlen, inputmargin, rq->outputsize);

		WARN_ON(1);
		print_hex_dump(KERN_DEBUG, "[ in]: ", DUMP_PREFIX_OFFSET,
		16, 1, src + inputmargin, inlen, true);
		print_hex_dump(KERN_DEBUG, "[out]: ", DUMP_PREFIX_OFFSET,
		16, 1, out, rq->outputsize, true);

		if (ret >= 0)
		memset(out + ret, 0, rq->outputsize - ret);
		ret = -EIO;
		}