Received: by 2002:a25:1506:0:0:0:0:0 with SMTP id 6csp4358706ybv; Tue, 25 Feb 2020 18:33:49 -0800 (PST) X-Google-Smtp-Source: APXvYqxnRhDbwDdybMRxoizYMO/BV99F7z1UmgoLH9f4IJo2x7u89jaIBH44nly+llyel24Sblt3 X-Received: by 2002:a9d:554a:: with SMTP id h10mr1200578oti.344.1582684429389; Tue, 25 Feb 2020 18:33:49 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1582684429; cv=none; d=google.com; s=arc-20160816; b=Vp9fiBABwjaQy4UUmytXmRwBT3KXvVuU0gGCW4r+iSveAv5FM8arK1mDcXQA2Nlyvq XKE1cBrprwwC+EarZtmTXUyZISV84CqrIJ29ZAs8EbuiAOA/IP3vkPkJigvu5SiZJUKL bxRR1BkMsNSUekItjTOMwrswU7hPfoiReFC+dTES5CQQEyTKaCwfIQ3lQzKWOeAJZOM8 wXH26kt/+opjEt1KcOxPyjMG9Kcs36tip+nq8tMMl75BY3rkLOwbisA6RX5YrNRF7RG1 9XVw24mBkuaH9JUR1Bp2REED/xcTM8Ed2EYT0jBc5OnlPifk51pCc1loxQRfqVeJL317 xL6A== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from; bh=OnNp+RN/Iyehk1dQ1TM7C0/RBLHbG1Ipm8URTTnMf9I=; b=s+yYm19IcsyBF+6aHv8fu3vYZD7TYNSd7mUc7PHY1v6MIXc0Pz/xTRmrfAWdRlz7Pa 6cZ8Gus+iV8r1m6WVKtTG31DxTEzCQHbxwY0l85dV/mzOFofxTj3ZuR1u4YSaf+51eym zqlHWWGQWDRRf3rnrgKfArj7HOcYP/fpbzrRH6CW/GaYoA0F1HBO4eFAMeaNO5g3Ik1d QhTm5n8wiaRazMs9poDi52OEqs/0GR9vPhi56frRxfYj30yPkwNgX5S7IF+nnWsdgyOJ SgGWNcSVFtfCMTqb2iUyXph06eo7guZtO2VD9/Hff4KBtAXX0KlF46PmevniIOyPNHv/ HtTA== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id z15si457125oti.126.2020.02.25.18.33.37; Tue, 25 Feb 2020 18:33:49 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1730207AbgBZCbx (ORCPT + 99 others); Tue, 25 Feb 2020 21:31:53 -0500 Received: from szxga04-in.huawei.com ([45.249.212.190]:11107 "EHLO huawei.com" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP id S1729795AbgBZCbw (ORCPT ); Tue, 25 Feb 2020 21:31:52 -0500 Received: from DGGEMS404-HUB.china.huawei.com (unknown [172.30.72.58]) by Forcepoint Email with ESMTP id 48639CE6B3828CDC0B36; Wed, 26 Feb 2020 10:31:50 +0800 (CST) Received: from architecture4.huawei.com (10.160.196.180) by smtp.huawei.com (10.3.19.204) with Microsoft SMTP Server (TLS) id 14.3.439.0; Wed, 26 Feb 2020 10:31:40 +0800 From: Gao Xiang To: Chao Yu , CC: LKML , Miao Xie , "Gao Xiang" , Lasse Collin Subject: [PATCH 3/3] erofs: handle corrupted images whose decompressed size less than it'd be Date: Wed, 26 Feb 2020 10:30:11 +0800 Message-ID: <20200226023011.103798-3-gaoxiang25@huawei.com> X-Mailer: git-send-email 2.17.1 In-Reply-To: <20200226023011.103798-1-gaoxiang25@huawei.com> References: <20200226023011.103798-1-gaoxiang25@huawei.com> MIME-Version: 1.0 Content-Type: text/plain X-Originating-IP: [10.160.196.180] X-CFilter-Loop: Reflected Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org As Lasse pointed out, "Looking at fs/erofs/decompress.c, the return value from LZ4_decompress_safe_partial is only checked for negative value to catch errors. ... So if I understood it correctly, if there is bad data whose uncompressed size is much less than it should be, it can leave part of the output buffer untouched and expose the previous data as the file content. " Let's fix it now. Cc: Lasse Collin Signed-off-by: Gao Xiang --- fs/erofs/decompressor.c | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/fs/erofs/decompressor.c b/fs/erofs/decompressor.c index c77cec4327fa..be8d9adef236 100644 --- a/fs/erofs/decompressor.c +++ b/fs/erofs/decompressor.c @@ -165,14 +165,18 @@ static int z_erofs_lz4_decompress(struct z_erofs_decompress_req *rq, u8 *out) ret = LZ4_decompress_safe(src + inputmargin, out, inlen, rq->outputsize); - if (ret < 0) { - erofs_err(rq->sb, "failed to decompress, in[%u, %u] out[%u]", - inlen, inputmargin, rq->outputsize); + if (ret != rq->outputsize) { + erofs_err(rq->sb, "failed to decompress %d in[%u, %u] out[%u]", + ret, inlen, inputmargin, rq->outputsize); + WARN_ON(1); print_hex_dump(KERN_DEBUG, "[ in]: ", DUMP_PREFIX_OFFSET, 16, 1, src + inputmargin, inlen, true); print_hex_dump(KERN_DEBUG, "[out]: ", DUMP_PREFIX_OFFSET, 16, 1, out, rq->outputsize, true); + + if (ret >= 0) + memset(out + ret, 0, rq->outputsize - ret); ret = -EIO; } -- 2.17.1