Open Source and information security mailing list archives
Message-Id: <9DB6A341-5689-4E4A-B485-A798810751F8@dubeyko.com>
Date: Tue, 6 Feb 2024 15:05:23 +0300
From: Viacheslav Dubeyko <slava@...eyko.com>
To: Edward Adam Davis <eadavis@...com>
Cc: syzbot+57028366b9825d8e8ad0@...kaller.appspotmail.com,
 linux-fsdevel@...r.kernel.org,
 linux-kernel@...r.kernel.org,
 syzkaller-bugs@...glegroups.com
Subject: Re: [PATCH next] hfsplus: fix oob in hfsplus_bnode_read_key
> On 4 Feb 2024, at 14:51, Edward Adam Davis <eadavis@...com> wrote:
> 
> In hfs_brec_insert(), if data has not been moved to "data_off + size", the size
> should not be added when reading search_key from node->page.
> 
> Reported-and-tested-by: syzbot+57028366b9825d8e8ad0@...kaller.appspotmail.com
> Signed-off-by: Edward Adam Davis <eadavis@...com>
> ---
> fs/hfsplus/brec.c | 3 ++-
> 1 file changed, 2 insertions(+), 1 deletion(-)
> 
> diff --git a/fs/hfsplus/brec.c b/fs/hfsplus/brec.c
> index 1918544a7871..9e0e0c1f15a5 100644
> --- a/fs/hfsplus/brec.c
> +++ b/fs/hfsplus/brec.c
> @@ -138,7 +138,8 @@ int hfs_brec_insert(struct hfs_find_data *fd, void *entry, int entry_len)
> * at the start of the node and it is not the new node
> */
> if (!rec && new_node != node) {
> - hfs_bnode_read_key(node, fd->search_key, data_off + size);

As far as I can see, the same pattern 'data_off + size' is used multiple times in hfs_brec_insert().
It's a real source of potential bugs, for my taste. Could we introduce a special variable (like offset)
that can keep the calculated value?

> + hfs_bnode_read_key(node, fd->search_key, data_off + 
> + (idx_rec_off == data_rec_off ? 0 : size));

I believe the code of hfs_brec_insert() is complicated enough.
It would be great to rework this code and to add comments with a
reasonable explanation of the essence of the modification. It's not so easy
to follow how the moving of data is related to the read-key operation.

What do you think?

Thanks,
Slava.

> hfs_brec_update_parent(fd);
> }
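
Review bot: the new expression `data_off + (idx_rec_off == data_rec_off ? 0 : size)` makes the key offset depend on `idx_rec_off == data_rec_off`, but neither the hunk nor a code comment says why equality of those two offsets means the record data was not moved, which is the condition the commit message relies on. Compute the offset once into a named local with a comment stating that condition, e.g. `/* data was not shifted if idx_rec_off == data_rec_off */`, `key_off = data_off + (idx_rec_off == data_rec_off ? 0 : size);`, `hfs_bnode_read_key(node, fd->search_key, key_off);`, and check whether the other `data_off + size` reads in hfs_brec_insert() need the same correction; the line split after `data_off + ` also leaves trailing whitespace on the first line.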
> 
> -- 
> 2.43.0
> 
> 