erofs: refuse crafted out-of-file-range encoded extents

Crafted encoded extents could record out-of-range `lstart`, which should
not happen in normal cases.

It caused an iomap_iter_done() complaint [1] reported by syzbot.

[1] https://lore.kernel.org/r/684cb499.a00a0220.c6bd7.0010.GAE@google.com

Fixes: 1d191b4ca51d ("erofs: implement encoded extent metadata")
Reported-and-tested-by: syzbot+d8f000c609f05f52d9b5@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=d8f000c609f05f52d9b5
Signed-off-by: Gao Xiang <hsiangkao@linux.alibaba.com>
Link: https://lore.kernel.org/r/20250619032839.2642193-1-hsiangkao@linux.alibaba.com

diff --git a/fs/erofs/zmap.c b/fs/erofs/zmap.c
index 14ea47f954f5526695fc3306b7dc8230ffec7809..6afcb054780d4185f116102caee9871799b91d03 100644 (file)
--- a/fs/erofs/zmap.c
+++ b/fs/erofs/zmap.c
@@ -597,6 +597,10 @@ static int z_erofs_map_blocks_ext(struct inode *inode,
 
                        if (la > map->m_la) {
                                r = mid;
+                               if (la > lend) {
+                                       DBG_BUGON(1);
+                                       return -EFSCORRUPTED;
+                               }
                                lend = la;
                        } else {
                                l = mid + 1;