Commit cc241ce4 authored Feb 28, 2024 by Gao Xiang Committed by Baokun Li Feb 28, 2024

erofs: fix inconsistent per-file compression format

stable inclusion
from stable-v6.6.14
commit 823ba1d2106019ddf195287ba53057aee33cf724
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/I932VX
CVE: CVE-2024-26590

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=823ba1d2106019ddf195287ba53057aee33cf724



--------------------------------

[ Upstream commit 118a8cf504d7dfa519562d000f423ee3ca75d2c4 ]

EROFS can select compression algorithms on a per-file basis, and each
per-file compression algorithm needs to be marked in the on-disk
superblock for initialization.

However, syzkaller can generate inconsistent crafted images that use
an unsupported algorithmtype for specific inodes, e.g. use MicroLZMA
algorithmtype even it's not set in `sbi->available_compr_algs`.  This
can lead to an unexpected "BUG: kernel NULL pointer dereference" if
the corresponding decompressor isn't built-in.

Fix this by checking against `sbi->available_compr_algs` for each
m_algorithmformat request.  Incorrect !erofs_sb_has_compr_cfgs preset
bitmap is now fixed together since it was harmless previously.

Reported-by:  <bugreport@ubisectech.com>
Fixes: 8f899262 ("erofs: get compression algorithms directly on mapping")
Fixes: 622ceadd ("erofs: lzma compression support")
Reviewed-by: Yue Hu <huyue2@coolpad.com>
Link: https://lore.kernel.org/r/20240113150602.1471050-1-hsiangkao@linux.alibaba.com


Signed-off-by: Gao Xiang <hsiangkao@linux.alibaba.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Baokun Li <libaokun1@huawei.com>

parent fd546922

fs/erofs/decompressor.c

+1 −1

Original line number	Diff line number	Diff line
		@@ -399,7 +399,7 @@ int z_erofs_parse_cfgs(struct super_block sb, struct erofs_super_block dsb)
		int size, ret = 0;

		if (!erofs_sb_has_compr_cfgs(sbi)) {
		sbi->available_compr_algs = Z_EROFS_COMPRESSION_LZ4;
		sbi->available_compr_algs = 1 << Z_EROFS_COMPRESSION_LZ4;
		return z_erofs_load_lz4_config(sb, dsb, NULL, 0);
		}

fs/erofs/zmap.c

+13 −10

Original line number	Diff line number	Diff line
		@@ -458,7 +458,7 @@ static int z_erofs_do_map_blocks(struct inode *inode,
		.map = map,
		};
		int err = 0;
		unsigned int lclusterbits, endoff;
		unsigned int lclusterbits, endoff, afmt;
		unsigned long initial_lcn;
		unsigned long long ofs, end;

		@@ -547,17 +547,20 @@ static int z_erofs_do_map_blocks(struct inode *inode,
		err = -EFSCORRUPTED;
		goto unmap_out;
		}
		if (vi->z_advise & Z_EROFS_ADVISE_INTERLACED_PCLUSTER)
		map->m_algorithmformat =
		Z_EROFS_COMPRESSION_INTERLACED;
		else
		map->m_algorithmformat =
		afmt = vi->z_advise & Z_EROFS_ADVISE_INTERLACED_PCLUSTER ?
		Z_EROFS_COMPRESSION_INTERLACED :
		Z_EROFS_COMPRESSION_SHIFTED;
		} else if (m.headtype == Z_EROFS_LCLUSTER_TYPE_HEAD2) {
		map->m_algorithmformat = vi->z_algorithmtype[1];
		} else {
		map->m_algorithmformat = vi->z_algorithmtype[0];
		afmt = m.headtype == Z_EROFS_LCLUSTER_TYPE_HEAD2 ?
		vi->z_algorithmtype[1] : vi->z_algorithmtype[0];
		if (!(EROFS_I_SB(inode)->available_compr_algs & (1 << afmt))) {
		erofs_err(inode->i_sb, "inconsistent algorithmtype %u for nid %llu",
		afmt, vi->nid);
		err = -EFSCORRUPTED;
		goto unmap_out;
		}
		}
		map->m_algorithmformat = afmt;

		if ((flags & EROFS_GET_BLOCKS_FIEMAP) \|\|
		((flags & EROFS_GET_BLOCKS_READMORE) &&