Description
In the Linux kernel, the following vulnerability has been resolved: erofs: fix unsigned underflow in z_erofs_lz4_handle_overlap() Some crafted images can have illegal (!partial_decoding && m_llen < m_plen) extents, and the LZ4 inplace decompression path can be wrongly hit, but it cannot handle (outpages < inpages) properly: "outpages - inpages" wraps to a large value and the subsequent rq->out[] access reads past the decompressed_pages array. However, such crafted cases can correctly result in a corruption report in the normal LZ4 non-inplace path. Let's add an additional check to fix this for backporting. Reproducible image (base64-encoded gzipped blob): H4sIAJGR12kCA+3SPUoDQRgG4MkmkkZk8QRbRFIIi9hbpEjrHQI5ghfwCN5BLCzTGtLbBI+g dilSJo1CnIm7GEXFxhT6PDDwfrs73/ywIQD/1ePD4r7Ou6ETsrq4mu7XcWfj++Pb58nJU/9i PNtbjhan04/9GtX4qVYc814WDqt6FaX5s+ZwXXeq52lndT6IuVvlblytLMvh4Gzwaf90nsvz 2DF/21+20T/ldgp5s1jXRaN4t/8izsy/OUB6e/Qa79r+JwAAAAAAAL52vQVuGQAAAP6+my1w ywAAAAAAAADwu14ATsEYtgBQAAA= $ mount -t erofs -o cache_strategy=disabled foo.erofs /mnt $ dd if=/mnt/data of=/dev/null bs=4096 count=1
Product status
598162d050801e556750defff4ddab499e5d76ed (git) before 43a878639b90e9721ffa5eb616a7e6d8454adef3
598162d050801e556750defff4ddab499e5d76ed (git) before f1374fa6e57fd836623668d782ded9244cfd2938
598162d050801e556750defff4ddab499e5d76ed (git) before c9ce18e6bb2c467ec85756dc7989b547b7584fee
598162d050801e556750defff4ddab499e5d76ed (git) before bbbbb3f0d7864238a8da2a94cd6ec013fee06a2e
598162d050801e556750defff4ddab499e5d76ed (git) before 21e161de2dc660b1bb70ef5b156ab8e6e1cca3ab
5.13
Any version before 5.13
6.6.140 (semver)
6.12.88 (semver)
6.18.30 (semver)
7.0.4 (semver)
7.1-rc1 (original_commit_for_fix)
References
git.kernel.org/...c/43a878639b90e9721ffa5eb616a7e6d8454adef3
git.kernel.org/...c/f1374fa6e57fd836623668d782ded9244cfd2938
git.kernel.org/...c/c9ce18e6bb2c467ec85756dc7989b547b7584fee
git.kernel.org/...c/bbbbb3f0d7864238a8da2a94cd6ec013fee06a2e
git.kernel.org/...c/21e161de2dc660b1bb70ef5b156ab8e6e1cca3ab