Hi Gao,

Thanks for the detailed explanation. I understand now that erofs_io_read()
already handles the out-of-bounds case and returns an appropriate error,
so the additional check against primarydevice_blocks is unnecessary.

I also wasn't aware that primarydevice_blocks can legitimately be 0
for dynamically generated EROFS images, so my change would indeed
break valid use cases.

Thanks again for reviewing and clarifying this. I’ll keep this in
mind for future patches.

Best regards,
Utkal Singh

On Thu, 5 Mar 2026 at 05:29, Gao Xiang <[email protected]> wrote:

>
>
> On 2026/3/5 07:45, Gao Xiang wrote:
> >
> >
> > On 2026/3/5 02:21, Utkal Singh wrote:
> >> A crafted EROFS image can contain an out-of-range node ID in directory
> >> entries or the superblock root_nid that causes erofs_iloc() to compute
> >> an inode offset beyond the image size. This leads to out-of-bounds
> >> reads in erofs_read_metabuf(), potentially crashing fsck.erofs,
> >> erofsfuse, or dump.erofs.
> >
> > Do you have a reproducible image?
> >
> > I think in that way, erofs_io_read or something should fail
> > instead, we don't need such check against
> > sbi->primarydevice_blocks.
>
> It will return:
> <E> erofs: erofs_read_inode_from_disk() Line[42] failed to get inode (nid:
> 249216) page, err -5
> <E> erofs: erofsfsck_check_inode() Line[988] I/O error occurred when
> reading nid(249216)
>
> I don't think such check is needed, blocks is mainly for statfs
> statistics, for dynamic generated EROFS, it could be 0 all the
> time.
>
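To make the argument in the thread concrete, here is an added C sketch (not erofs-utils code) that models the two positions: the I/O layer refusing a read that does not fit inside the image, versus an extra range check against primarydevice_blocks. The block size, the metadata block address, the 8 KiB image length and the 32-byte inode slot are constructed assumptions for the example.

```c
#include <errno.h>
#include <stdint.h>
#include <string.h>

/* Constructed mini image: metadata lives in block 1, inode slots are 32 bytes. */
#define BLKSZ        4096u
#define ISLOTBITS    5u          /* 32-byte inode slots (assumption mirroring erofs) */
#define META_BLKADDR 1u          /* metadata block address (constructed) */

static const uint64_t image_size = 2 * BLKSZ;   /* constructed 8 KiB image */

/* Same arithmetic shape as erofs_iloc(): block address plus slot offset. */
static uint64_t iloc(uint64_t nid)
{
    return (uint64_t)META_BLKADDR * BLKSZ + (nid << ISLOTBITS);
}

/* Stand-in for the I/O layer: a read that does not fit inside the image
 * fails with -EIO (the "err -5" quoted above) instead of reading past
 * the end of the buffer. */
static int io_read(uint64_t off, size_t len, unsigned char *buf)
{
    if (off > image_size || len > image_size - off)
        return -EIO;
    memset(buf, 0, len);   /* a real implementation copies image bytes here */
    return 0;
}

/* Read one inode slot by nid; only the I/O layer guards the range. */
int read_inode_slot(uint64_t nid, unsigned char *slot)
{
    return io_read(iloc(nid), 1u << ISLOTBITS, slot);
}

/* The extra check that was proposed and dropped: comparing against
 * primarydevice_blocks. For a dynamically generated image that field
 * can be 0, so this rejects every nid, valid ones included. */
int extra_check_rejects(uint64_t nid, uint64_t primarydevice_blocks)
{
    return iloc(nid) + (1u << ISLOTBITS) > primarydevice_blocks * BLKSZ;
}
```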
