erofs: fix crafted invalid cases for encoded extents

[ Upstream commit a429b76114aaca3ef1aff4cd469dcf025431bd11 ]

Robert recently reported two corrupted images that can cause system
crashes, which are related to the new encoded extents introduced
in Linux 6.15:

  - The first one [1] has plen != 0 (e.g. plen == 0x2000000) but
    (plen & Z_EROFS_EXTENT_PLEN_MASK) == 0. It is used to represent
    special extents such as sparse extents (!EROFS_MAP_MAPPED), but
    previously only plen == 0 was handled;

  - The second one [2] has pa 0xffffffffffdcffed and plen 0xb4000,
    then "cur [0xfffffffffffff000] += bvec.bv_len [0x1000]" in
    "} while ((cur += bvec.bv_len) < end);" wraps around, causing an
    out-of-bound access of pcl->compressed_bvecs[] in
    z_erofs_submit_queue().  EROFS only supports 48-bit physical block
    addresses (up to 1EiB for 4k blocks), so add a sanity check to
    enforce this.

Fixes: 1d191b4ca51d ("erofs: implement encoded extent metadata")
Reported-by: Robert Morris <rtm@csail.mit.edu>
Closes: https://lore.kernel.org/r/75022.1759355830@localhost  [1]
Closes: https://lore.kernel.org/r/80524.1760131149@localhost  [2]
Reviewed-by: Hongbo Li <lihongbo22@huawei.com>
Signed-off-by: Gao Xiang <hsiangkao@linux.alibaba.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>

diff --git a/fs/erofs/zmap.c b/fs/erofs/zmap.c
index 798223e6da9ce1ad6f7046400453b13f5a4f7b0b..87032f90fe8401cf85823f53eb7a1be015a26ae7 100644 (file)
--- a/fs/erofs/zmap.c
+++ b/fs/erofs/zmap.c
@@ -596,7 +596,7 @@ static int z_erofs_map_blocks_ext(struct inode *inode,
                        vi->z_fragmentoff = map->m_plen;
                        if (recsz > offsetof(struct z_erofs_extent, pstart_lo))
                                vi->z_fragmentoff |= map->m_pa << 32;
-               } else if (map->m_plen) {
+               } else if (map->m_plen & Z_EROFS_EXTENT_PLEN_MASK) {
                        map->m_flags |= EROFS_MAP_MAPPED |
                                EROFS_MAP_FULL_MAPPED | EROFS_MAP_ENCODED;
                        fmt = map->m_plen >> Z_EROFS_EXTENT_PLEN_FMT_BIT;
@@ -715,6 +715,7 @@ static int z_erofs_map_sanity_check(struct inode *inode,
                                    struct erofs_map_blocks *map)
 {
        struct erofs_sb_info *sbi = EROFS_I_SB(inode);
+       u64 pend;
 
        if (!(map->m_flags & EROFS_MAP_ENCODED))
                return 0;
@@ -732,6 +733,10 @@ static int z_erofs_map_sanity_check(struct inode *inode,
        if (unlikely(map->m_plen > Z_EROFS_PCLUSTER_MAX_SIZE ||
                     map->m_llen > Z_EROFS_PCLUSTER_MAX_DSIZE))
                return -EOPNOTSUPP;
+       /* Filesystems beyond 48-bit physical block addresses are invalid */
+       if (unlikely(check_add_overflow(map->m_pa, map->m_plen, &pend) ||
+                    (pend >> sbi->blkszbits) >= BIT_ULL(48)))
+               return -EFSCORRUPTED;
        return 0;
 }