Re: [PATCH] erofs: fix unsigned underflow in z_erofs_lz4_handle_overlap()

Next message: Jianqiang kang: "[PATCH 5.15.y] Bluetooth: SCO: Fix use-after-free in sco_recv_frame() due to missing sock_hold"
Previous message: Lorenzo Stoakes: "Re: [PATCH v2] mm/khugepaged: use ALIGN helpers for PMD alignment"
In reply to: Junrui Luo: "[PATCH] erofs: fix unsigned underflow in z_erofs_lz4_handle_overlap()"
Next in thread: Junrui Luo: "Re: [PATCH] erofs: fix unsigned underflow in z_erofs_lz4_handle_overlap()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Gao Xiang

Date: Thu Apr 09 2026 - 03:28:48 EST

On 2026/4/9 14:57, Junrui Luo wrote:

In z_erofs_lz4_handle_overlap(), the index expression
"rq->outpages - rq->inpages + i" is computed in unsigned arithmetic.
If outpages < inpages, the subtraction wraps to a large value and
the subsequent rq->out[] access reads past the decompressed_pages
array.

z_erofs_map_sanity_check() does not enforce m_plen <= m_llen, so a
crafted image declaring m_plen > m_llen can produce outpages < inpages.

For this kind of stuff, do you have a reproducer?

`m_plen > m_llen` can happen on partial decoding only.

The in-place branch is currently unreachable: it requires both
partial_decoding == false and omargin > 0, but these are mutually
exclusive. partial_decoding == false requires pcl->length == m_llen,
which in turn requires (offset + end == m_la + m_llen) where
offset + end is page-aligned from folio boundaries. This forces

I'm not sure what you're saying, but I don't think
you really understand the entire logic.

m_la + m_llen to be page-aligned, making oend page-aligned and
omargin zero.

`m_la + m_llen` should not be page-aligned for typical
erofs images, you can just mkfs.erofs -zlz4hc with some
file and check it yourself.

BTW, I just check upstream, and the inplace branch
works prefectly.

Thanks,
Gao Xiang