Commit 8d64b06d authored by Gao Xiang's avatar Gao Xiang Committed by Zizhi Wo
Browse files

erofs: handle NONHEAD !delta[1] lclusters gracefully 

stable inclusion
from stable-v6.6.64
commit f466641debcbea8bdf78d1b63a6270aadf9301bf
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/IBEAED
CVE: CVE-2024-53234

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=f466641debcbea8bdf78d1b63a6270aadf9301bf



--------------------------------

[ Upstream commit 0bc8061ffc733a0a246b8689b2d32a3e9204f43c ]

syzbot reported a WARNING in iomap_iter_done:
 iomap_fiemap+0x73b/0x9b0 fs/iomap/fiemap.c:80
 ioctl_fiemap fs/ioctl.c:220 [inline]

Generally, NONHEAD lclusters won't have delta[1]==0, except for crafted
images and filesystems created by pre-1.0 mkfs versions.

Previously, it would immediately bail out if delta[1]==0, which led to
inadequate decompressed lengths (thus FIEMAP is impacted).  Treat it as
delta[1]=1 to work around these legacy mkfs versions.

`lclusterbits > 14` is illegal for compact indexes, error out too.

Reported-by: default avatar <syzbot+6c0b301317aa0156f9eb@syzkaller.appspotmail.com>
Closes: https://lore.kernel.org/r/67373c0c.050a0220.2a2fcc.0079.GAE@google.com


Tested-by: default avatar <syzbot+6c0b301317aa0156f9eb@syzkaller.appspotmail.com>
Fixes: d95ae5e2 ("erofs: add support for the full decompressed length")
Fixes: 001b8ccd ("erofs: fix compact 4B support for 16k block size")
Signed-off-by: default avatarGao Xiang <hsiangkao@linux.alibaba.com>
Link: https://lore.kernel.org/r/20241115173651.3339514-1-hsiangkao@linux.alibaba.com


Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
Signed-off-by: default avatarZizhi Wo <wozizhi@huawei.com>
parent 31b452f6

fs/erofs/zmap.c

+9 −8
Original line number Diff line number Diff line
@@ -234,7 +234,7 @@ static int z_erofs_load_compact_lcluster(struct z_erofs_maprecorder *m, 
	unsigned int amortizedshift;

	erofs_off_t pos;



	if (lcn >= totalidx)

	if (lcn >= totalidx || vi->z_logical_clusterbits > 14)

		return -EINVAL;



	m->lcn = lcn;
@@ -409,7 +409,7 @@ static int z_erofs_get_extent_decompressedlen(struct z_erofs_maprecorder *m) 
	u64 lcn = m->lcn, headlcn = map->m_la >> lclusterbits;

	int err;



	do {

	while (1) {

		/* handle the last EOF pcluster (no next HEAD lcluster) */

		if ((lcn << lclusterbits) >= inode->i_size) {

			map->m_llen = inode->i_size - map->m_la;
@@ -421,14 +421,16 @@ static int z_erofs_get_extent_decompressedlen(struct z_erofs_maprecorder *m) 
			return err;



		if (m->type == Z_EROFS_LCLUSTER_TYPE_NONHEAD) {

			DBG_BUGON(!m->delta[1] &&

				  m->clusterofs != 1 << lclusterbits);

			/* work around invalid d1 generated by pre-1.0 mkfs */

			if (unlikely(!m->delta[1])) {

				m->delta[1] = 1;

				DBG_BUGON(1);

			}

		} else if (m->type == Z_EROFS_LCLUSTER_TYPE_PLAIN ||

			   m->type == Z_EROFS_LCLUSTER_TYPE_HEAD1 ||

			   m->type == Z_EROFS_LCLUSTER_TYPE_HEAD2) {

			/* go on until the next HEAD lcluster */

			if (lcn != headlcn)

				break;

				break;	/* ends at the next HEAD lcluster */

			m->delta[1] = 1;

		} else {

			erofs_err(inode->i_sb, "unknown type %u @ lcn %llu of nid %llu",
@@ -437,8 +439,7 @@ static int z_erofs_get_extent_decompressedlen(struct z_erofs_maprecorder *m) 
			return -EOPNOTSUPP;

		}

		lcn += m->delta[1];

	} while (m->delta[1]);



	}

	map->m_llen = (lcn << lclusterbits) + m->clusterofs - map->m_la;

	return 0;

}