Re: [PATCH v3] erofs: validate h_shared_count in erofs_init_inode_xattrs()
From: Gao Xiang
Date: Tue Mar 17 2026 - 12:59:09 EST

On Tue, Mar 17, 2026 at 04:41:35PM +0000, Utkal Singh wrote:
> A crafted image can set h_shared_count to a value much larger than
> what xattr_isize allows. The loop in erofs_init_inode_xattrs() then
> reads shared xattr IDs far beyond the inode's xattr region, causing
> an out-of-bounds metadata read.
>
> Add a sanity check ensuring:
>
> h_shared_count <= (xattr_isize - sizeof(erofs_xattr_ibody_header)) / 4
>
> Return -EFSCORRUPTED when the check fails.
>
> Signed-off-by: Utkal Singh <singhutkal015@xxxxxxxxx>

What happens with your v3?
What happens with the commit message and the division?
Could you explain what happened?

Thanks,
Gao Xiang
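
Added example, not part of this thread or of the patch under review: a user-space C model of the bound quoted from the commit message above, run against a constructed xattr region. The 12-byte header layout, the placeholder field names, the function names and the return codes are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Assumed model of the on-disk header; only h_shared_count is named on the
 * page, the other fields are placeholders. */
struct xattr_ibody_header_model {
    uint32_t h_word0;        /* placeholder */
    uint8_t  h_shared_count; /* number of 4-byte shared xattr IDs that follow */
    uint8_t  h_pad[7];       /* placeholder */
};
_Static_assert(sizeof(struct xattr_ibody_header_model) == 12,
               "model assumes a 12-byte header");

#define MODEL_OK        0
#define MODEL_CORRUPTED (-1) /* stands in for -EFSCORRUPTED */

/* Returns MODEL_OK only if every claimed shared xattr ID lies inside the
 * xattr_isize bytes that belong to this inode. */
int check_shared_count(const uint8_t *region, size_t xattr_isize)
{
    struct xattr_ibody_header_model h;

    /* Reject short regions first so the subtraction below cannot wrap. */
    if (xattr_isize < sizeof(h))
        return MODEL_CORRUPTED;
    memcpy(&h, region, sizeof(h));

    /* The bound quoted in the commit message. */
    if (h.h_shared_count > (xattr_isize - sizeof(h)) / sizeof(uint32_t))
        return MODEL_CORRUPTED;
    return MODEL_OK;
}

/* Constructed sample: a zeroed 20-byte region (header plus room for two IDs)
 * whose header claims `claimed_count` shared IDs. */
int demo(uint8_t claimed_count, size_t xattr_isize)
{
    uint8_t region[20] = {0};

    region[offsetof(struct xattr_ibody_header_model, h_shared_count)] =
        claimed_count;
    return check_shared_count(region, xattr_isize);
}
```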