erofs: harden h_shared_count in erofs_init_inode_xattrs()

`u8 h_shared_count` indicates the shared xattr count of an inode. It is
read from the on-disk xattr ibody header, which should be corrupted if
the size of the shared xattr array exceeds the space available in
`xattr_isize`.

It does not cause harmful consequence (e.g. crashes), since the image is
already considered corrupted, it indeed results in the silent processing
of garbage metadata.

Let's harden it to report -EFSCORRUPTED earlier.

Signed-off-by: Utkal Singh <singhutkal015@gmail.com>
Reviewed-by: Gao Xiang <hsiangkao@linux.alibaba.com>
Reviewed-by: Chao Yu <chao@kernel.org>
Signed-off-by: Gao Xiang <hsiangkao@linux.alibaba.com>

diff --git a/fs/erofs/xattr.c b/fs/erofs/xattr.c
index c411df5d9dfc7ed6a1eb6e56f7cee02642f91355..41e311019a2514c4da971fa7dd826e9191560b6e 100644 (file)
--- a/fs/erofs/xattr.c
+++ b/fs/erofs/xattr.c
@@ -85,6 +85,14 @@ static int erofs_init_inode_xattrs(struct inode *inode)
        }
        vi->xattr_name_filter = le32_to_cpu(ih->h_name_filter);
        vi->xattr_shared_count = ih->h_shared_count;
+       if ((u32)vi->xattr_shared_count * sizeof(__le32) >
+           vi->xattr_isize - sizeof(struct erofs_xattr_ibody_header)) {
+               erofs_err(sb, "invalid h_shared_count %u @ nid %llu",
+                         vi->xattr_shared_count, vi->nid);
+               erofs_put_metabuf(&buf);
+               ret = -EFSCORRUPTED;
+               goto out_unlock;
+       }
        vi->xattr_shared_xattrs = kmalloc_objs(uint, vi->xattr_shared_count);
        if (!vi->xattr_shared_xattrs) {
                erofs_put_metabuf(&buf);