Re: [PATCH v3] erofs: validate h_shared_count in erofs_init_inode_xattrs()
From: Gao Xiang
Date: Tue Mar 17 2026 - 12:53:51 EST

On Wed, Mar 18, 2026 at 12:48:52AM +0800, Gao Xiang wrote:
> On Tue, Mar 17, 2026 at 04:41:35PM +0000, Utkal Singh wrote:
> > A crafted image can set h_shared_count to a value much larger than
> > what xattr_isize allows. The loop in erofs_init_inode_xattrs() then
> > reads shared xattr IDs far beyond the inode's xattr region, causing
> > an out-of-bounds metadata read.
> >
> > Add a sanity check ensuring:
> >
> > h_shared_count <= (xattr_isize - sizeof(erofs_xattr_ibody_header)) / 4
> >
> > Return -EFSCORRUPTED when the check fails.
> >
> > Signed-off-by: Utkal Singh <singhutkal015@xxxxxxxxx>
>
> What happens with your v3?
>
> What happens with the commit message and the division?
>
> Could you explain what happened?

BTW, if you insist on this (I don't know if you're just an AI),
I will never accept patching made just from AI bots and keep
failing all the time.

Thanks,
Gao Xiang
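
The bound stated in the quoted commit message, as an added example that is not part of this thread or of the erofs code: a userspace C model that validates the shared count before decoding any IDs, and also rejects a region shorter than the header so the subtraction cannot wrap. The header size, count offset, error codes and function names are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>

/* Userspace model for this example only; the sizes, offsets and error
 * codes below are assumptions, not the kernel's definitions. */
#define HDR_SIZE      12u  /* assumed size of the xattr ibody header */
#define COUNT_OFF      4u  /* assumed offset of the 1-byte shared count */
#define ERR_CORRUPTED (-1) /* stand-in for -EFSCORRUPTED */
#define ERR_NOSPACE   (-2) /* caller's buffer too small */

/* Decode the shared xattr IDs stored in region[0..xattr_isize).
 * Returns the number of IDs or a negative error. */
int read_shared_ids(const uint8_t *region, size_t xattr_isize,
                    uint32_t *ids, size_t ids_cap)
{
    size_t count, max_count, i;

    /* Guard the subtraction: a region shorter than the header would
     * wrap (xattr_isize - HDR_SIZE) to a huge unsigned value. */
    if (xattr_isize < HDR_SIZE)
        return ERR_CORRUPTED;

    count = region[COUNT_OFF];
    max_count = (xattr_isize - HDR_SIZE) / sizeof(uint32_t);
    if (count > max_count)          /* the check from the commit message */
        return ERR_CORRUPTED;
    if (count > ids_cap)
        return ERR_NOSPACE;

    for (i = 0; i < count; i++) {   /* every read is now inside the region */
        const uint8_t *p = region + HDR_SIZE + i * sizeof(uint32_t);
        ids[i] = (uint32_t)p[0] | (uint32_t)p[1] << 8 |
                 (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
    }
    return (int)count;
}

/* Run the reader over a constructed 32-byte region with the given count. */
int demo(uint8_t count, size_t xattr_isize)
{
    uint8_t region[32] = {0};       /* constructed sample data */
    uint32_t ids[8];
    if (xattr_isize > sizeof(region))
        return ERR_NOSPACE;
    region[COUNT_OFF] = count;
    return read_shared_ids(region, xattr_isize, ids, 8);
}

int main(void) { return demo(2, 20) == 2 ? 0 : 1; }
```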