
Commit f2a12cc

erofs: avoid infinite loop due to incomplete zstd-compressed data
Currently, the decompression logic incorrectly spins if compressed data is truncated in crafted (deliberately corrupted) images. Fixes: 7c35de4 ("erofs: Zstandard compression support") Reported-by: Robert Morris <rtm@csail.mit.edu> Closes: https://lore.kernel.org/r/50958.1761605413@localhost Signed-off-by: Gao Xiang <hsiangkao@linux.alibaba.com> Reviewed-by: Chunhai Guo <guochunhai@vivo.com> Reviewed-by: Chao Yu <chao@kernel.org>
1 parent 083d7af commit f2a12cc

1 file changed

Lines changed: 7 additions & 4 deletions


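--- a/fs/erofs/decompressor_zstd.c
+++ b/fs/erofs/decompressor_zstd.c
@@ -172,7 +172,6 @@ static int z_erofs_zstd_decompress(struct z_erofs_decompress_req *rq,
 	dctx.bounce = strm->bounce;
 
 	do {
-		dctx.avail_out = out_buf.size - out_buf.pos;
 		dctx.inbuf_sz = in_buf.size;
 		dctx.inbuf_pos = in_buf.pos;
 		err = z_erofs_stream_switch_bufs(&dctx, &out_buf.dst,
@@ -188,14 +187,18 @@ static int z_erofs_zstd_decompress(struct z_erofs_decompress_req *rq,
 		in_buf.pos = dctx.inbuf_pos;
 
 		zerr = zstd_decompress_stream(stream, &out_buf, &in_buf);
-		if (zstd_is_error(zerr) || (!zerr && rq->outputsize)) {
+		dctx.avail_out = out_buf.size - out_buf.pos;
+		if (zstd_is_error(zerr) ||
+		    ((rq->outputsize + dctx.avail_out) && (!zerr || (zerr > 0 &&
+		     !(rq->inputsize + in_buf.size - in_buf.pos))))) {
 			erofs_err(sb, "failed to decompress in[%u] out[%u]: %s",
 				  rq->inputsize, rq->outputsize,
-				  zerr ? zstd_get_error_name(zerr) : "unexpected end of stream");
+				  zstd_is_error(zerr) ? zstd_get_error_name(zerr) :
+				  "unexpected end of stream");
 			err = -EFSCORRUPTED;
 			break;
 		}
-	} while (rq->outputsize || out_buf.pos < out_buf.size);
+	} while (rq->outputsize + dctx.avail_out);
 
 	if (dctx.kout)
 		kunmap_local(dctx.kout);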
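Review bot: The new `if` condition (new-side lines 191–193) is dense enough that the corruption cases it encodes are not obvious, and the inner `zerr > 0 &&` guard looks redundant: once `zstd_is_error(zerr)` has been ruled out by the first disjunct, a return from `zstd_decompress_stream()` is either 0 (frame complete) or a positive input hint, so `(!zerr || (zerr > 0 && !remaining))` reduces to `(!zerr || !remaining)` — this assumes `zerr`'s declaration, which is outside the hunk, holds the `size_t` the zstd API returns; if it is an `int` the same reduction holds because error codes are already excluded. Either drop the redundant guard or, if it is deliberate, say why in a comment above the `if`, e.g. `/* Output still expected but the frame ended (zerr == 0), or the decoder wants more input and none remains: truncated or crafted data. */`. A named local for the input-exhausted test, `bool in_done = !(rq->inputsize + in_buf.size - in_buf.pos);`, would make the intent of the loop exit readable without changing behaviour. The enclosing z_erofs_zstd_decompress() starts before the first hunk and continues past the last.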
