From: Yifan Zhao <zhaoyifan@sjtu.edu.cn>
To: linux-erofs@lists.ozlabs.org
Cc: Yifan Zhao <zhaoyifan@sjtu.edu.cn>
Subject: [PATCH] erofs-utils: mkfs: fix out-of-bounds memory access in mt-mkfs
Date: Sun, 17 Mar 2024 14:45:09 +0800 [thread overview]
Message-ID: <20240317064509.994918-1-zhaoyifan@sjtu.edu.cn> (raw)
If a segment is smaller than the block size, sizeof(sctx->membuf) should
be at least as large as the block size, as memory write into the buffer
is done in block size.
Signed-off-by: Yifan Zhao <zhaoyifan@sjtu.edu.cn>
---
lib/compress.c | 9 +++++----
1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/lib/compress.c b/lib/compress.c
index aeb7013..67a86db 100644
--- a/lib/compress.c
+++ b/lib/compress.c
@@ -1096,11 +1096,12 @@ void z_erofs_mt_workfn(struct erofs_work *work, void *tlsp)
struct erofs_compress_work *cwork = (struct erofs_compress_work *)work;
struct erofs_compress_wq_tls *tls = tlsp;
struct z_erofs_compress_sctx *sctx = &cwork->ctx;
+ struct erofs_sb_info *sbi = sctx->ictx->inode->sbi;
+ erofs_off_t blksz = erofs_blksiz(sbi);
int ret = 0;
- ret = z_erofs_mt_wq_tls_init_compr(sctx->ictx->inode->sbi, tls,
- cwork->alg_id, cwork->alg_name,
- cwork->comp_level,
+ ret = z_erofs_mt_wq_tls_init_compr(sbi, tls, cwork->alg_id,
+ cwork->alg_name, cwork->comp_level,
cwork->dict_size);
if (ret)
goto out;
@@ -1109,7 +1110,7 @@ void z_erofs_mt_workfn(struct erofs_work *work, void *tlsp)
sctx->destbuf = tls->destbuf;
sctx->chandle = &tls->ccfg[cwork->alg_id].handle;
- sctx->membuf = malloc(sctx->remaining);
+ sctx->membuf = malloc(max(blksz, sctx->remaining));
if (!sctx->membuf) {
ret = -ENOMEM;
goto out;
--
2.44.0
next reply other threads:[~2024-03-17 6:46 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-03-17 6:45 Yifan Zhao [this message]
2024-03-17 7:08 ` [PATCH] erofs-utils: mkfs: fix out-of-bounds memory access in mt-mkfs Gao Xiang
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20240317064509.994918-1-zhaoyifan@sjtu.edu.cn \
--to=zhaoyifan@sjtu.edu.cn \
--cc=linux-erofs@lists.ozlabs.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).