Received: by 2002:a25:1506:0:0:0:0:0 with SMTP id 6csp4629494ybv; Wed, 26 Feb 2020 00:13:20 -0800 (PST) X-Google-Smtp-Source: APXvYqwdWfMBjP6gkHr/QVBDuJxmlPYPpW+PjxzsWevH//gxyXsZ1ZT5Q69meUsZgtq330OsLhNG X-Received: by 2002:a9d:6b84:: with SMTP id b4mr2080222otq.190.1582704799477; Wed, 26 Feb 2020 00:13:19 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1582704799; cv=none; d=google.com; s=arc-20160816; b=ymdy+2wVo+I845uTbng9h0ei1CPisBpyQ64lapmdoaLJ3hmC+Kwn1lu1gV6JEN5zoe dV3jQGr5zME1eEJIyptKjiF/PihIDOr6etbh+WPMHrAo0suVHhEmhFanQcHdYuHkBq1E 9Te5oSkI4lmIXmt8V0U4Bn8bnAuH147YAF/U/EK8nE1wqQ2T6BedIsMcW09p+ggA9okr xS1S/rTO7XjRYgBccYYMhpTLk8KXXokqoJPA8Sf+JvPdOfOLwPhmIhIhpdWVPLpYePLl zdgs4Ki/vV+TfZz0K40t1QLVufRwidMrNCckog8NuaOWw+79pW3PGHILGox1nZhg3z9i c2SQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from; bh=QDWHv31pg6eO1cCAxf+9di1CaD5gpkSacnXFPBIE7aI=; b=YAq8Fl3vmTNdt8gR1TV+DjCGsU6vckTxI84k3qHfHn5UTlzckkbKRkZ2XySwZkTwl8 jwT7YopU1p6RCt8/GJcTQbhU2QuGrDd68T9GkRF4YTgKswKADvhwYULgLs/qzewI9gzN qIzmZWoj1iBWG2fGv7M64ChpEy+DsvxVki+MjatFaUg5ggTHdg6hg2HhOkK4da0C+Yaj TvHY0E6FDsWtLGditSGKmpd1N7oYhZtqia60oSySkAmbreeKAtCm7wFyZ/7Ai3nMwKNR 5iCzg3dVu0b6VKYF2rOpC3ANx/Rmw9O6ee+8zVI7b60ipFRsnaoex4TERe6AkN3zIwoP aJHg== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id a4si821301otq.98.2020.02.26.00.13.07; Wed, 26 Feb 2020 00:13:19 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727560AbgBZIMC (ORCPT + 99 others); Wed, 26 Feb 2020 03:12:02 -0500 Received: from szxga04-in.huawei.com ([45.249.212.190]:11110 "EHLO huawei.com" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP id S1727341AbgBZIMC (ORCPT ); Wed, 26 Feb 2020 03:12:02 -0500 Received: from DGGEMS404-HUB.china.huawei.com (unknown [172.30.72.58]) by Forcepoint Email with ESMTP id 7D261C881805C3CF2165; Wed, 26 Feb 2020 16:11:46 +0800 (CST) Received: from architecture4.huawei.com (10.160.196.180) by smtp.huawei.com (10.3.19.204) with Microsoft SMTP Server (TLS) id 14.3.439.0; Wed, 26 Feb 2020 16:11:38 +0800 From: Gao Xiang To: Chao Yu , CC: LKML , Miao Xie , "Gao Xiang" , Lasse Collin Subject: [PATCH v2 3/3] erofs: handle corrupted images whose decompressed size less than it'd be Date: Wed, 26 Feb 2020 16:10:08 +0800 Message-ID: <20200226081008.86348-3-gaoxiang25@huawei.com> X-Mailer: git-send-email 2.17.1 In-Reply-To: <20200226081008.86348-1-gaoxiang25@huawei.com> References: <20200226081008.86348-1-gaoxiang25@huawei.com> MIME-Version: 1.0 Content-Type: text/plain X-Originating-IP: [10.160.196.180] X-CFilter-Loop: Reflected Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org As Lasse pointed out, "Looking at fs/erofs/decompress.c, the return value from LZ4_decompress_safe_partial is only checked for negative value to catch errors. ... So if I understood it correctly, if there is bad data whose uncompressed size is much less than it should be, it can leave part of the output buffer untouched and expose the previous data as the file content. " Let's fix it now. Cc: Lasse Collin Fixes: 7fc45dbc938a ("staging: erofs: introduce generic decompression backend") [ Gao Xiang: v5.3+, I will manually backport this to stable later. ] Signed-off-by: Gao Xiang --- fs/erofs/decompressor.c | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/fs/erofs/decompressor.c b/fs/erofs/decompressor.c index cd978af6bdb9..5d2d81940679 100644 --- a/fs/erofs/decompressor.c +++ b/fs/erofs/decompressor.c @@ -166,14 +166,18 @@ static int z_erofs_lz4_decompress(struct z_erofs_decompress_req *rq, u8 *out) ret = LZ4_decompress_safe(src + inputmargin, out, inlen, rq->outputsize); - if (ret < 0) { - erofs_err(rq->sb, "failed to decompress, in[%u, %u] out[%u]", - inlen, inputmargin, rq->outputsize); + if (ret != rq->outputsize) { + erofs_err(rq->sb, "failed to decompress %d in[%u, %u] out[%u]", + ret, inlen, inputmargin, rq->outputsize); + WARN_ON(1); print_hex_dump(KERN_DEBUG, "[ in]: ", DUMP_PREFIX_OFFSET, 16, 1, src + inputmargin, inlen, true); print_hex_dump(KERN_DEBUG, "[out]: ", DUMP_PREFIX_OFFSET, 16, 1, out, rq->outputsize, true); + + if (ret >= 0) + memset(out + ret, 0, rq->outputsize - ret); ret = -EIO; } -- 2.17.1