[PATCH OLK-6.6] erofs: avoid infinite loops due to corrupted subpage compact indexes
From: Gao Xiang <hsiangkao@linux.alibaba.com>

stable inclusion
from stable-v6.17.6
commit 8675447a8794983f2b7e694b378112772c17635e
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/IDDF3Q
CVE: CVE-2025-68251

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=...

--------------------------------

[ Upstream commit e13d315ae077bb7c3c6027cc292401bc0f4ec683 ]

Robert reported an infinite loop observed by two crafted images.

The root cause is that `clusterofs` can be larger than `lclustersize`
for !NONHEAD `lclusters` in corrupted subpage compact indexes, e.g.:

  blocksize = lclustersize = 512
  lcn = 6
  clusterofs = 515

Move the corresponding check for full compress indexes to
`z_erofs_load_lcluster_from_disk()` to also cover subpage compact
compress indexes.

It also fixes the position of `m->type >= Z_EROFS_LCLUSTER_TYPE_MAX` check,
since it should be placed right after `z_erofs_load_{compact,full}_lcluster()`.

Fixes: 8d2517aaeea3 ("erofs: fix up compacted indexes for block size < 4096")
Fixes: 1a5223c182fd ("erofs: do sanity check on m->type in z_erofs_load_compact_lcluster()")
Reported-by: Robert Morris <rtm@csail.mit.edu>
Closes: https://lore.kernel.org/r/35167.1760645886@localhost
Reviewed-by: Hongbo Li <lihongbo22@huawei.com>
Signed-off-by: Gao Xiang <hsiangkao@linux.alibaba.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>

Conflicts:
	fs/erofs/zmap.c
[1. z_erofs_load_full_lcluster() function conflicts due to commit:
    d69189428d50 ("erofs: clean up z_erofs_load_full_lcluster()");
 2. z_erofs_load_lcluster_from_disk() function conflicts due to commit:
    1a5223c182fd ("erofs: do sanity check on m->type in z_erofs_load_compact_lcluster()");
 3. "z_lclusterbits" -> "z_logical_clusterbits" due to commit:
    efb2aef569b3 ("erofs: add encoded extent on-disk definition");
 None of these affects this patch.]
Signed-off-by: Zizhi Wo <wozizhi@huawei.com> --- fs/erofs/zmap.c | 29 ++++++++++++++++++----------- 1 file changed, 18 insertions(+), 11 deletions(-) diff --git a/fs/erofs/zmap.c b/fs/erofs/zmap.c index 76566c2cbf63..0603ccd00b3c 100644 --- a/fs/erofs/zmap.c +++ b/fs/erofs/zmap.c @@ -67,10 +67,6 @@ static int z_erofs_load_full_lcluster(struct z_erofs_maprecorder *m, if (advise & Z_EROFS_LI_PARTIAL_REF) m->partialref = true; m->clusterofs = le16_to_cpu(di->di_clusterofs); - if (m->clusterofs >= 1 << vi->z_logical_clusterbits) { - DBG_BUGON(1); - return -EFSCORRUPTED; - } m->pblk = le32_to_cpu(di->di_u.blkaddr); break; default: @@ -276,14 +272,25 @@ static int z_erofs_load_compact_lcluster(struct z_erofs_maprecorder *m, static int z_erofs_load_lcluster_from_disk(struct z_erofs_maprecorder *m, unsigned int lcn, bool lookahead) { - switch (EROFS_I(m->inode)->datalayout) { - case EROFS_INODE_COMPRESSED_FULL: - return z_erofs_load_full_lcluster(m, lcn); - case EROFS_INODE_COMPRESSED_COMPACT: - return z_erofs_load_compact_lcluster(m, lcn, lookahead); - default: - return -EINVAL; + struct erofs_inode *vi = EROFS_I(m->inode); + int err; + + if (vi->datalayout == EROFS_INODE_COMPRESSED_COMPACT) { + err = z_erofs_load_compact_lcluster(m, lcn, lookahead); + } else { + DBG_BUGON(vi->datalayout != EROFS_INODE_COMPRESSED_FULL); + err = z_erofs_load_full_lcluster(m, lcn); } + if (err) + return err; + + if (m->type != Z_EROFS_LCLUSTER_TYPE_NONHEAD && + m->clusterofs >= (1 << vi->z_logical_clusterbits)) { + DBG_BUGON(1); + return -EFSCORRUPTED; + } + + return 0; } static int z_erofs_extent_lookback(struct z_erofs_maprecorder *m, -- 2.39.2
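Review bot: Dropping the `if (m->clusterofs >= 1 << vi->z_logical_clusterbits)` check from z_erofs_load_full_lcluster() in the first hunk leaves that loader with no bounds check of its own, so the change is only safe if z_erofs_load_lcluster_from_disk() is its sole caller in OLK-6.6. Please state in the backport description that no other path in this tree calls z_erofs_load_full_lcluster() directly; otherwise the relocated check in the second hunk would not cover such a caller and the corrupted-index case would be rejected on one path but not the other.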
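Review bot: The commit message says the `m->type >= Z_EROFS_LCLUSTER_TYPE_MAX` check is also moved to right after z_erofs_load_{compact,full}_lcluster(), but the new z_erofs_load_lcluster_from_disk() body in the second hunk contains no such check; given conflict note 2 (1a5223c182fd keeps the type sanity check inside z_erofs_load_compact_lcluster()), the backport description should say whether that check stays in the compact loader or was deliberately not moved, so that the new `m->type != Z_EROFS_LCLUSTER_TYPE_NONHEAD` test is known to run on an already-validated type on both layouts. Also, the old `default: return -EINVAL;` is replaced by `DBG_BUGON(vi->datalayout != EROFS_INODE_COMPRESSED_FULL);`, so an unexpected datalayout now takes the full-index path in non-debug builds instead of returning -EINVAL; that is fine if every caller already guarantees the layout, but a sentence saying so would help.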
Feedback: The patch(es) you sent to kernel@openeuler.org could not be converted to a PR!
Mailing list address: https://mailweb.openeuler.org/archives/list/kernel@openeuler.org/message/TNM...
Failure reason: creating the PR via the Gitee API failed; the API reported: 暂停/关闭状态下的仓库无法执行该操作
Suggested solution: please wait, the bot will retry in the next interval