fix(vfs): guard EROFS block_size shift against out-of-range blkszbits#136
Merged
ErofsSuperblock::block_size shifts 1u32 by blkszbits, an unvalidated on-disk byte (d[12], 0..=255). A crafted blkszbits >= 32 overflows the shift and panics (overflow-checks ON = ring-0 halt) on the read/mount path. Use checked_shl and fall back to the default 4 KiB block size for out-of-range exponents; valid exponents (< 32) are unchanged, which also keeps the downstream blkaddr * block_size offset math bounded.
ErofsSuperblock::block_size shifts 1u32 by blkszbits, an unvalidated on-disk byte (d[12], 0..=255). A crafted blkszbits >= 32 overflows the shift → panic (overflow-checks ON = ring-0 halt) on the read/mount path. Same shift-by-attacker-byte class as the adfs/minix/fs-verity fixes. Use checked_shl with a default 4 KiB fallback for out-of-range exponents; valid exponents (< 32) unchanged, keeping downstream blkaddr * block_size offset math bounded. Found by a kimi/opencode agentic lane; verified + sibling-swept by hand (only shift site; line 120 is a constant right-shift).
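The shift-by-untrusted-byte pattern described in the PR description and the commit message above, as a stand-alone added example (not the project's code): the unchecked `1u32 << blkszbits` form next to the `checked_shl` form with the 4 KiB fallback, plus the bounded `blkaddr * block_size` offset math that follows from it. The only layout fact taken from the page is that `blkszbits` lives at byte 12 of the superblock; the superblock image, constant names and helper functions are constructed for illustration.

```rust
/// Fallback block size when the on-disk exponent is out of range (4 KiB).
const DEFAULT_BLOCK_SIZE: u32 = 4096;

/// Byte offset of `blkszbits` inside the on-disk superblock (d[12] per the PR text).
const BLKSZBITS_OFFSET: usize = 12;

/// The "before" form: shifts a u32 by an attacker-controlled byte.
/// With overflow checks enabled, blkszbits >= 32 panics ("attempt to shift
/// left with overflow"); in a kernel that is a halt on the mount path.
/// Kept here only for comparison; callers below never pass it >= 32.
pub fn block_size_unchecked(blkszbits: u8) -> u32 {
    1u32 << blkszbits
}

/// The hardened form: `checked_shl` yields None for shift amounts >= 32, so an
/// out-of-range exponent degrades to the default instead of panicking.
/// Valid exponents (< 32) produce exactly the same value as the unchecked form.
pub fn block_size_checked(blkszbits: u8) -> u32 {
    1u32.checked_shl(u32::from(blkszbits))
        .unwrap_or(DEFAULT_BLOCK_SIZE)
}

/// Pull `blkszbits` out of a raw superblock image and derive the block size.
/// Returns None only if the image is too short to contain the byte at all.
pub fn block_size_from_image(d: &[u8]) -> Option<u32> {
    let bits = *d.get(BLKSZBITS_OFFSET)?;
    Some(block_size_checked(bits))
}

/// Block-number to byte-offset conversion. Because block_size is now at most
/// 2^31, the product fits in a u64; the multiplication is still checked so the
/// function cannot silently wrap even if the inputs change later.
pub fn block_offset(blkaddr: u32, block_size: u32) -> Option<u64> {
    u64::from(blkaddr).checked_mul(u64::from(block_size))
}

fn main() {
    // Constructed 128-byte superblock image with a sane exponent (12 => 4 KiB).
    let mut image = vec![0u8; 128];
    image[BLKSZBITS_OFFSET] = 12;
    println!("valid image   -> {:?}", block_size_from_image(&image));

    // Same image with a crafted exponent: the checked path falls back to 4 KiB.
    image[BLKSZBITS_OFFSET] = 200;
    println!("crafted image -> {:?}", block_size_from_image(&image));

    // Agreement of both forms on an in-range value.
    println!("unchecked(12) = {}, checked(12) = {}",
             block_size_unchecked(12), block_size_checked(12));

    println!("offset of block 3 = {:?}", block_offset(3, 4096));
}
```

The fallback keeps mount behaviour identical for every legitimate image (exponents below 32) while turning the crafted case into an ordinary, bounded value; a stricter alternative would be to reject the superblock outright, which is a policy choice the PR text does not make.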