| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20260128102816.2721458-1-hsiangkao@linux.alibaba.com>
Date: Wed, 28 Jan 2026 18:28:16 +0800
From: Gao Xiang <hsiangkao@...ux.alibaba.com>
To: linux-erofs@...ts.ozlabs.org
Cc: LKML <linux-kernel@...r.kernel.org>,
oliver.yang@...ux.alibaba.com,
Gao Xiang <hsiangkao@...ux.alibaba.com>
Subject: [PATCH] erofs: separate plain and compressed filesystems formally
The EROFS on-disk format uses a tiny, plain metadata design
focused on performance and minimizing inconsistencies caused by
design flaws. It eliminates serious security risks from untrusted
remote sources by design, although human-made implementation bugs
can still happen sometimes.
Currently, there is no strict check to prevent compressed inodes,
especially LZ4-compressed inodes, from being read in plain filesystems.
Starting with erofs-utils 1.0 and Linux 5.3, LZ4_0PADDING sb feature
is automatically enabled for LZ4-compressed EROFS images to support
inplace decompression. Since Linux 5.4 LTS is no longer supported,
we no longer need to handle ancient LZ4-compressed EROFS images.
To formally distinguish different filesystem types for improved
security:
- Use the presence of LZ4_0PADDING or a non-zero
`dsb->u1.lz4_max_distance` as a marker for compressed filesystems
containing LZ4-compressed inodes only;
- For other algorithms, use `dsb->u1.available_compr_algs`.
Note: LZ4_0PADDING has been supported since Linux 5.4 (the first formal
kernel version), so exposing it via sysfs is no longer necessary and is
now deprecated (but remain it for five more years until 2031): since
`dsb->u1.lz4_max_distance` has been non-zero starting with erofs-utils
v1.3 (Linux 5.13+) and it is actually a much better marker for
compressed filesystems.
Signed-off-by: Gao Xiang <hsiangkao@...ux.alibaba.com>
---
Documentation/ABI/testing/sysfs-fs-erofs | 6 +++---
fs/erofs/decompressor.c | 26 +++++++++++-------------
fs/erofs/erofs_fs.h | 2 +-
fs/erofs/inode.c | 14 +++++++++----
fs/erofs/internal.h | 2 +-
fs/erofs/sysfs.c | 2 --
6 files changed, 27 insertions(+), 25 deletions(-)
diff --git a/Documentation/ABI/testing/sysfs-fs-erofs b/Documentation/ABI/testing/sysfs-fs-erofs
index b9243c7f28d7..e4cf6fc6a106 100644
--- a/Documentation/ABI/testing/sysfs-fs-erofs
+++ b/Documentation/ABI/testing/sysfs-fs-erofs
@@ -3,9 +3,9 @@ Date: November 2021
Contact: "Huang Jianan" <huangjianan@...o.com>
Description: Shows all enabled kernel features.
Supported features:
- zero_padding, compr_cfgs, big_pcluster, chunked_file,
- device_table, compr_head2, sb_chksum, ztailpacking,
- dedupe, fragments, 48bit, metabox.
+ compr_cfgs, big_pcluster, chunked_file, device_table,
+ compr_head2, sb_chksum, ztailpacking, dedupe, fragments,
+ 48bit, metabox.
What: /sys/fs/erofs/<disk>/sync_decompress
Date: November 2021
diff --git a/fs/erofs/decompressor.c b/fs/erofs/decompressor.c
index e9d799a03a91..18f16a876d3e 100644
--- a/fs/erofs/decompressor.c
+++ b/fs/erofs/decompressor.c
@@ -34,7 +34,10 @@ static int z_erofs_load_lz4_config(struct super_block *sb,
}
} else {
distance = le16_to_cpu(dsb->u1.lz4_max_distance);
+ if (!distance && !erofs_sb_has_lz4_0padding(sbi))
+ return 0;
sbi->lz4.max_pclusterblks = 1;
+ sbi->available_compr_algs = 1 << Z_EROFS_COMPRESSION_LZ4;
}
sbi->lz4.max_distance_pages = distance ?
@@ -198,7 +201,6 @@ const char *z_erofs_fixup_insize(struct z_erofs_decompress_req *rq,
static const char *__z_erofs_lz4_decompress(struct z_erofs_decompress_req *rq,
u8 *dst)
{
- bool zeropadded = erofs_sb_has_zero_padding(EROFS_SB(rq->sb));
bool may_inplace = false;
unsigned int inputmargin;
u8 *out, *headpage, *src;
@@ -206,18 +208,15 @@ static const char *__z_erofs_lz4_decompress(struct z_erofs_decompress_req *rq,
int ret, maptype;
headpage = kmap_local_page(*rq->in);
- /* LZ4 decompression inplace is only safe if zero_padding is enabled */
- if (zeropadded) {
- reason = z_erofs_fixup_insize(rq, headpage + rq->pageofs_in,
- min_t(unsigned int, rq->inputsize,
- rq->sb->s_blocksize - rq->pageofs_in));
- if (reason) {
- kunmap_local(headpage);
- return reason;
- }
- may_inplace = !((rq->pageofs_in + rq->inputsize) &
- (rq->sb->s_blocksize - 1));
+ reason = z_erofs_fixup_insize(rq, headpage + rq->pageofs_in,
+ min_t(unsigned int, rq->inputsize,
+ rq->sb->s_blocksize - rq->pageofs_in));
+ if (reason) {
+ kunmap_local(headpage);
+ return reason;
}
+ may_inplace = !((rq->pageofs_in + rq->inputsize) &
+ (rq->sb->s_blocksize - 1));
inputmargin = rq->pageofs_in;
src = z_erofs_lz4_handle_overlap(rq, headpage, dst, &inputmargin,
@@ -226,8 +225,7 @@ static const char *__z_erofs_lz4_decompress(struct z_erofs_decompress_req *rq,
return ERR_CAST(src);
out = dst + rq->pageofs_out;
- /* legacy format could compress extra data in a pcluster. */
- if (rq->partial_decoding || !zeropadded)
+ if (rq->partial_decoding)
ret = LZ4_decompress_safe_partial(src + inputmargin, out,
rq->inputsize, rq->outputsize, rq->outputsize);
else
diff --git a/fs/erofs/erofs_fs.h b/fs/erofs/erofs_fs.h
index b30a74d307c5..b80c6bb33a58 100644
--- a/fs/erofs/erofs_fs.h
+++ b/fs/erofs/erofs_fs.h
@@ -23,7 +23,7 @@
* Any bits that aren't in EROFS_ALL_FEATURE_INCOMPAT should
* be incompatible with this kernel version.
*/
-#define EROFS_FEATURE_INCOMPAT_ZERO_PADDING 0x00000001
+#define EROFS_FEATURE_INCOMPAT_LZ4_0PADDING 0x00000001
#define EROFS_FEATURE_INCOMPAT_COMPR_CFGS 0x00000002
#define EROFS_FEATURE_INCOMPAT_BIG_PCLUSTER 0x00000002
#define EROFS_FEATURE_INCOMPAT_CHUNKED_FILE 0x00000004
diff --git a/fs/erofs/inode.c b/fs/erofs/inode.c
index 984dfa0c5231..be40c9b85b5b 100644
--- a/fs/erofs/inode.c
+++ b/fs/erofs/inode.c
@@ -177,11 +177,17 @@ static int erofs_read_inode(struct inode *inode)
goto err_out;
}
- if (erofs_inode_is_data_compressed(vi->datalayout))
- inode->i_blocks = le32_to_cpu(copied.i_u.blocks_lo) <<
- (sb->s_blocksize_bits - 9);
- else
+ if (!erofs_inode_is_data_compressed(vi->datalayout)) {
inode->i_blocks = round_up(inode->i_size, sb->s_blocksize) >> 9;
+ } else if (!sbi->available_compr_algs) {
+ erofs_err(sb, "compressed inode (nid %llu) is invalid in a plain filesystem",
+ vi->nid);
+ err = -EFSCORRUPTED;
+ goto err_out;
+ } else {
+ inode->i_blocks = le32_to_cpu(copied.i_u.blocks_lo) <<
+ (sb->s_blocksize_bits - 9);
+ }
if (vi->datalayout == EROFS_INODE_CHUNK_BASED) {
/* fill chunked inode summary info */
diff --git a/fs/erofs/internal.h b/fs/erofs/internal.h
index 3001bfec4e04..783ad04de5a7 100644
--- a/fs/erofs/internal.h
+++ b/fs/erofs/internal.h
@@ -221,7 +221,7 @@ static inline bool erofs_sb_has_##name(struct erofs_sb_info *sbi) \
return sbi->feature_##compat & EROFS_FEATURE_##feature; \
}
-EROFS_FEATURE_FUNCS(zero_padding, incompat, INCOMPAT_ZERO_PADDING)
+EROFS_FEATURE_FUNCS(lz4_0padding, incompat, INCOMPAT_LZ4_0PADDING)
EROFS_FEATURE_FUNCS(compr_cfgs, incompat, INCOMPAT_COMPR_CFGS)
EROFS_FEATURE_FUNCS(big_pcluster, incompat, INCOMPAT_BIG_PCLUSTER)
EROFS_FEATURE_FUNCS(chunked_file, incompat, INCOMPAT_CHUNKED_FILE)
diff --git a/fs/erofs/sysfs.c b/fs/erofs/sysfs.c
index 86b22b9f0c19..3a9a5fa000ae 100644
--- a/fs/erofs/sysfs.c
+++ b/fs/erofs/sysfs.c
@@ -86,7 +86,6 @@ static struct attribute *erofs_attrs[] = {
ATTRIBUTE_GROUPS(erofs);
/* Features this copy of erofs supports */
-EROFS_ATTR_FEATURE(zero_padding);
EROFS_ATTR_FEATURE(compr_cfgs);
EROFS_ATTR_FEATURE(big_pcluster);
EROFS_ATTR_FEATURE(chunked_file);
@@ -100,7 +99,6 @@ EROFS_ATTR_FEATURE(48bit);
EROFS_ATTR_FEATURE(metabox);
static struct attribute *erofs_feat_attrs[] = {
- ATTR_LIST(zero_padding),
ATTR_LIST(compr_cfgs),
ATTR_LIST(big_pcluster),
ATTR_LIST(chunked_file),
--
2.43.5
Powered by blists - more mailing lists