erofs: avoid infinite loops due to corrupted subpage compact indexes
Robert reported an infinite loop observed by two crafted images.
The root cause is that `clusterofs` can be larger than `lclustersize`
for !NONHEAD `lclusters` in corrupted subpage compact indexes, e.g.:
blocksize = lclustersize = 512 lcn = 6 clusterofs = 515
Move the corresponding check for full compress indexes to
`z_erofs_load_lcluster_from_disk()` to also cover subpage compact
compress indexes.
It also fixes the position of `m->type >= Z_EROFS_LCLUSTER_TYPE_MAX`
check, since it should be placed right after
`z_erofs_load_{compact,full}_lcluster()`.
Fixes: 8d2517aa ("erofs: fix up compacted indexes for block size < 4096")
Fixes: 1a5223c1 ("erofs: do sanity check on m->type in z_erofs_load_compact_lcluster()")
Reported-by: 
Robert Morris <rtm@csail.mit.edu>
Closes: https://lore.kernel.org/r/35167.1760645886@localhost
Reviewed-by: 
Hongbo Li <lihongbo22@huawei.com>
Signed-off-by: 
Gao Xiang <hsiangkao@linux.alibaba.com>
Loading
Please sign in to comment