Received: by 2002:a05:7412:e794:b0:fa:551:50a7 with SMTP id o20csp2913895rdd; Sat, 13 Jan 2024 07:06:29 -0800 (PST) X-Google-Smtp-Source: AGHT+IHFSQXsHsdEsPiKdNVQZvpPOl+xsRfwCUilV2u6ts9ywiI6GPLzBjXH+fA0UHO3mAQrlUZd X-Received: by 2002:a05:6512:2810:b0:50e:5958:5045 with SMTP id cf16-20020a056512281000b0050e59585045mr1560661lfb.22.1705158389429; Sat, 13 Jan 2024 07:06:29 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1705158389; cv=none; d=google.com; s=arc-20160816; b=GWmIMOOatK9+XIr5+Gq0n0xCZgbKH7d0wNNnsCmw68ACqoCSgBLzpmuC7TZXvvVxKo 8AqaySnq/rmb1686DJsWzrnDB0DgZjBsc1amGyTbdlB+A4vhP9IQtVAbcRrHIUrAqrXk L8MPAAPSUwnnBPr+mAgOLyt+WNs04J0dlJvY8mt0fw1eMkeE9YozOVjhSQBO+SGBxPEn Tgck+gb+9U0d6B6O2/bqCBet13/xRwROK3UPpjXRpg9PeW0QisY/TIk/F+nJ5RLwDWuH dvClV/GG+Qoz++RhfdnOISPk0g1zwpfjPA9vHu+xm2TDktY8gs4+XlR4PvjYIFi3iDnI wlLg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=content-transfer-encoding:mime-version:list-unsubscribe :list-subscribe:list-id:precedence:references:in-reply-to:message-id :date:subject:cc:to:from; bh=9oLkBY8M6Q+BqF1VszJcr5zTajdXkzZzmsIrnoH+iJ8=; fh=A9PhMLaldOG4M4PAWMkSyPK96TL2+ErURVDQJUXxfFA=; b=U/01W1XYls1tla0+oWiZ3+Emt0/Gf7C7aUi57+4WmeOEBtpNOYQ5VpondyHqa0oFef j8wsFZKszI9//e7TVUi0skEDHHbnVFoo8EqiOJ3zKKPfROHSQLhyRyvQqbPlW8t4DYd+ mlaFJiSXVC/xmb8GGpfe6vu0/pD1KN50jKr57SJjV7fcEViqxYpgK1wmfFvfl0tQ7Y4L H0oytHRYj8gJjgjCM/f87FXztTLiNoXml4bLKgYv0MqAtnoR4rrEszhPcjMLy5cVtun/ 5dYWoprgCjJ1TzGgAHcVvDTIIdl9qqt7LDzDtQbXoyQr0QwllGs25kaKjKt9N23IISCe 3y4Q== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel+bounces-25314-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:4601:e00::3 as permitted sender) smtp.mailfrom="linux-kernel+bounces-25314-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=alibaba.com Return-Path: Received: from am.mirrors.kernel.org (am.mirrors.kernel.org. [2604:1380:4601:e00::3]) by mx.google.com with ESMTPS id y18-20020a170906471200b00a2695ca850dsi2375148ejq.252.2024.01.13.07.06.29 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Sat, 13 Jan 2024 07:06:29 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel+bounces-25314-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:4601:e00::3 as permitted sender) client-ip=2604:1380:4601:e00::3; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel+bounces-25314-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:4601:e00::3 as permitted sender) smtp.mailfrom="linux-kernel+bounces-25314-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=alibaba.com Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by am.mirrors.kernel.org (Postfix) with ESMTPS id 152191F219BB for ; Sat, 13 Jan 2024 15:06:29 +0000 (UTC) Received: from localhost.localdomain (localhost.localdomain [127.0.0.1]) by smtp.subspace.kernel.org (Postfix) with ESMTP id 181CCEBB; Sat, 13 Jan 2024 15:06:22 +0000 (UTC) Received: from out30-119.freemail.mail.aliyun.com (out30-119.freemail.mail.aliyun.com [115.124.30.119]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id C78CC360 for ; Sat, 13 Jan 2024 15:06:18 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=linux.alibaba.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=linux.alibaba.com X-Alimail-AntiSpam:AC=PASS;BC=-1|-1;BR=01201311R551e4;CH=green;DM=||false|;DS=||;FP=0|-1|-1|-1|0|-1|-1|-1;HT=ay29a033018046049;MF=hsiangkao@linux.alibaba.com;NM=1;PH=DS;RN=5;SR=0;TI=SMTPD_---0W-Vyax8_1705158364; Received: from e69b19392.et15sqa.tbsite.net(mailfrom:hsiangkao@linux.alibaba.com fp:SMTPD_---0W-Vyax8_1705158364) by smtp.aliyun-inc.com; Sat, 13 Jan 2024 23:06:10 +0800 From: Gao Xiang To: linux-erofs@lists.ozlabs.org, Yue Hu Cc: LKML , Gao Xiang , bugreport@ubisectech.com Subject: [PATCH v3] erofs: fix inconsistent per-file compression format Date: Sat, 13 Jan 2024 23:06:02 +0800 Message-Id: <20240113150602.1471050-1-hsiangkao@linux.alibaba.com> X-Mailer: git-send-email 2.39.3 In-Reply-To: <20231227050633.1507448-1-hsiangkao@linux.alibaba.com> References: <20231227050633.1507448-1-hsiangkao@linux.alibaba.com> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: 8bit EROFS can select compression algorithms on a per-file basis, and each per-file compression algorithm needs to be marked in the on-disk superblock for initialization. However, syzkaller can generate inconsistent crafted images that use an unsupported algorithmtype for specific inodes, e.g. use MicroLZMA algorithmtype even it's not set in `sbi->available_compr_algs`. This can lead to an unexpected "BUG: kernel NULL pointer dereference" if the corresponding decompressor isn't built-in. Fix this by checking against `sbi->available_compr_algs` for each m_algorithmformat request. Incorrect !erofs_sb_has_compr_cfgs preset bitmap is now fixed together since it was harmless previously. Reported-by: Fixes: 8f89926290c4 ("erofs: get compression algorithms directly on mapping") Fixes: 622ceaddb764 ("erofs: lzma compression support") Reviewed-by: Yue Hu Signed-off-by: Gao Xiang --- changes since v2: - Should check in z_erofs_do_map_blocks() runtimely since another algorithmtype[0/1] could leave as unused (0) but it can be problematic if LZ4 is not set in `sbi->available_compr_algs`. fs/erofs/decompressor.c | 2 +- fs/erofs/zmap.c | 23 +++++++++++++---------- 2 files changed, 14 insertions(+), 11 deletions(-) diff --git a/fs/erofs/decompressor.c b/fs/erofs/decompressor.c index 1d65b9f60a39..072ef6a66823 100644 --- a/fs/erofs/decompressor.c +++ b/fs/erofs/decompressor.c @@ -408,7 +408,7 @@ int z_erofs_parse_cfgs(struct super_block *sb, struct erofs_super_block *dsb) int size, ret = 0; if (!erofs_sb_has_compr_cfgs(sbi)) { - sbi->available_compr_algs = Z_EROFS_COMPRESSION_LZ4; + sbi->available_compr_algs = 1 << Z_EROFS_COMPRESSION_LZ4; return z_erofs_load_lz4_config(sb, dsb, NULL, 0); } diff --git a/fs/erofs/zmap.c b/fs/erofs/zmap.c index 9753875e41cb..7e1116804008 100644 --- a/fs/erofs/zmap.c +++ b/fs/erofs/zmap.c @@ -454,7 +454,7 @@ static int z_erofs_do_map_blocks(struct inode *inode, .map = map, }; int err = 0; - unsigned int lclusterbits, endoff; + unsigned int lclusterbits, endoff, afmt; unsigned long initial_lcn; unsigned long long ofs, end; @@ -543,17 +543,20 @@ static int z_erofs_do_map_blocks(struct inode *inode, err = -EFSCORRUPTED; goto unmap_out; } - if (vi->z_advise & Z_EROFS_ADVISE_INTERLACED_PCLUSTER) - map->m_algorithmformat = - Z_EROFS_COMPRESSION_INTERLACED; - else - map->m_algorithmformat = - Z_EROFS_COMPRESSION_SHIFTED; - } else if (m.headtype == Z_EROFS_LCLUSTER_TYPE_HEAD2) { - map->m_algorithmformat = vi->z_algorithmtype[1]; + afmt = vi->z_advise & Z_EROFS_ADVISE_INTERLACED_PCLUSTER ? + Z_EROFS_COMPRESSION_INTERLACED : + Z_EROFS_COMPRESSION_SHIFTED; } else { - map->m_algorithmformat = vi->z_algorithmtype[0]; + afmt = m.headtype == Z_EROFS_LCLUSTER_TYPE_HEAD2 ? + vi->z_algorithmtype[1] : vi->z_algorithmtype[0]; + if (!(EROFS_I_SB(inode)->available_compr_algs & (1 << afmt))) { + erofs_err(inode->i_sb, "inconsistent algorithmtype %u for nid %llu", + afmt, vi->nid); + err = -EFSCORRUPTED; + goto unmap_out; + } } + map->m_algorithmformat = afmt; if ((flags & EROFS_GET_BLOCKS_FIEMAP) || ((flags & EROFS_GET_BLOCKS_READMORE) && -- 2.39.3