git.ipfire.org Git - thirdparty/kernel/linux.git/commit
erofs: fix the out-of-bounds nameoff handling for trailing dirents
author Gao Xiang <hsiangkao@linux.alibaba.com>
Tue, 21 Apr 2026 07:59:52 +0000 (15:59 +0800)
committer Gao Xiang <hsiangkao@linux.alibaba.com>
Tue, 21 Apr 2026 08:56:04 +0000 (16:56 +0800)
commit d18a3b5d337fa412a38e776e6b4b857a58836575
tree 4fc98e2a219d9233c45234e66c297b6dc83b19df
parent a5242d37c83abe86df95c6941e2ace9f9055ffcb

Currently we already have boundary-checks for nameoffs, but the trailing
dirents are special since the namelens are calculated with strnlen()
with unchecked nameoffs.

If a crafted EROFS has a trailing dirent with nameoff >= maxsize,
maxsize - nameoff can underflow, causing strnlen() to read past the
directory block.

nameoff0 should also be verified to be a multiple of
`sizeof(struct erofs_dirent)` as well [1].

[1] https://sashiko.dev/#/patchset/20260416063511.3173774-1-hsiangkao%40linux.alibaba.com

Fixes: 3aa8ec716e52 ("staging: erofs: add directory operations")
Fixes: 33bac912840f ("staging: erofs: keep corrupted fs from crashing kernel in erofs_readdir()")
Reported-by: Yuhao Jiang <danisjiang@gmail.com>
Reported-by: Junrui Luo <moonafterrain@outlook.com>
Closes: https://lore.kernel.org/r/A0FD7E0F-7558-49B0-8BC8-EB1ECDB2479A@outlook.com
Cc: stable@vger.kernel.org
Signed-off-by: Gao Xiang <hsiangkao@linux.alibaba.com>
Reviewed-by: Chao Yu <chao@kernel.org>
fs/erofs/dir.c
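
The checks the commit message describes, as an added user-space example (not the kernel patch and not code from this commit): each nameoff is validated before maxsize - nameoff is formed, and nameoff0 must be a multiple of the 12-byte on-disk dirent size. The names checked_namelen, nameoff_of and demo are hypothetical, the extra nameoff >= nameoff0 check is an assumption of this sketch, and the 64-byte block is constructed sample data.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* On-disk erofs_dirent: le64 nid, le16 nameoff, u8 file_type, u8 reserved. */
#define DIRENT_SIZE 12u

static unsigned nameoff_of(const uint8_t *blk, unsigned i)
{
    const uint8_t *p = blk + (size_t)i * DIRENT_SIZE + 8;
    return p[0] | ((unsigned)p[1] << 8);   /* little-endian u16 */
}

/* Name length of dirent idx in a block with maxsize valid bytes, or -1 if corrupted. */
int checked_namelen(const uint8_t *blk, unsigned maxsize, unsigned idx)
{
    unsigned nameoff0, ndirents, nameoff, end;
    const char *name, *nul;

    if (maxsize < DIRENT_SIZE)
        return -1;
    nameoff0 = nameoff_of(blk, 0);   /* also the size of the dirent array */
    if (nameoff0 < DIRENT_SIZE || nameoff0 % DIRENT_SIZE || nameoff0 >= maxsize)
        return -1;
    ndirents = nameoff0 / DIRENT_SIZE;
    if (idx >= ndirents)
        return -1;
    nameoff = nameoff_of(blk, idx);
    if (nameoff < nameoff0 || nameoff >= maxsize)
        return -1;                   /* checked before maxsize - nameoff is formed */
    if (idx + 1 < ndirents) {        /* non-trailing: bounded by the next nameoff */
        end = nameoff_of(blk, idx + 1);
        return (end < nameoff || end > maxsize) ? -1 : (int)(end - nameoff);
    }
    name = (const char *)blk + nameoff;         /* trailing: NUL or end of block */
    nul = memchr(name, 0, maxsize - nameoff);   /* same bound strnlen() would get */
    return nul ? (int)(nul - name) : (int)(maxsize - nameoff);
}

/* Constructed 64-byte block: two dirents, names "a" and "bc"; returns the trailing namelen. */
int demo(unsigned nameoff0, unsigned last_off)
{
    uint8_t blk[64] = {0};

    blk[8] = (uint8_t)nameoff0;
    blk[20] = (uint8_t)last_off;
    blk[21] = (uint8_t)(last_off >> 8);
    memcpy(blk + 24, "abc", 3);
    return checked_namelen(blk, (unsigned)sizeof(blk), 1);
}
```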