Re: [PATCH] erofs: Prohibit access to excessive algorithmformat
From: Gao Xiang
Date: Sat Aug 23 2025 - 05:41:09 EST
Hi,
On 2025/8/23 09:53, Edward Adam Davis wrote:
> syz reported a global-out-of-bounds Read in z_erofs_decompress_queue.
> OOB occurs in z_erofs_decompress_queue() because algorithmformat is too
> large.
> Added relevant checks when registering pcluster.
>
> Reported-by: syzbot+5a398eb460ddaa6f242f@xxxxxxxxxxxxxxxxxxxxxxxxx
> Closes: https://syzkaller.appspot.com/bug?extid=5a398eb460ddaa6f242f
> Tested-by: syzbot+5a398eb460ddaa6f242f@xxxxxxxxxxxxxxxxxxxxxxxxx
> Signed-off-by: Edward Adam Davis <eadavis@xxxxxx>

Your analysis is correct, but the fix should be applied to zmap.c
instead since it parses the on-disk map format. Also, it's actually
a regression out of new encoded extents since the old compress
indexes already have the check.
I've submitted a formal fix:
https://lore.kernel.org/r/20250823093018.3117864-1-hsiangkao@xxxxxxxxxxxxxxxxx
Thanks,
Gao Xiang
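
The point made in the reply above, range-checking the algorithm format where the on-disk map is parsed so that a later table lookup cannot read out of bounds, as an added example that is not erofs code and not part of the thread. All names, the 4-byte record layout and the three-entry table are assumptions made for illustration.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>

/* Hypothetical model, not erofs code: every name and the record layout are assumptions. */
enum { ALG_LZ4, ALG_LZMA, ALG_DEFLATE, ALG_MAX };

struct extent_map {
    uint32_t algorithmformat;   /* index into decompressors[] */
    uint32_t plen;              /* compressed length in bytes */
};

typedef int (*decompress_fn)(const struct extent_map *m);

/* Stand-in decompressor: reports the length it was asked to handle. */
static int decompress_stub(const struct extent_map *m) { return (int)m->plen; }

static const decompress_fn decompressors[ALG_MAX] = {
    decompress_stub, decompress_stub, decompress_stub,
};

/*
 * Parse a constructed 4-byte little-endian record: bits 0-23 hold the
 * compressed length, bits 24-31 hold the algorithm format. The value comes
 * from untrusted media, so it is range-checked here, where it is decoded.
 */
static int parse_extent(const uint8_t rec[4], struct extent_map *out)
{
    uint32_t raw = (uint32_t)rec[0] | (uint32_t)rec[1] << 8 |
                   (uint32_t)rec[2] << 16 | (uint32_t)rec[3] << 24;
    uint32_t fmt = raw >> 24;

    if (fmt >= ALG_MAX)         /* would index past decompressors[] */
        return -EINVAL;
    out->algorithmformat = fmt;
    out->plen = raw & 0xffffff;
    return 0;
}

/* Consumer: the table is indexed only with values that passed parse_extent(). */
static int decompress_record(const uint8_t rec[4])
{
    struct extent_map m;
    int err = parse_extent(rec, &m);

    return err ? err : decompressors[m.algorithmformat](&m);
}
```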