| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <dc0add8a-85fc-41dd-a4a6-6f7cb10e8350@I-love.SAKURA.ne.jp>
Date: Wed, 9 Jul 2025 23:02:10 +0900
From: Tetsuo Handa <penguin-kernel@...ove.SAKURA.ne.jp>
To: Viacheslav Dubeyko <Slava.Dubeyko@....com>,
"frank.li@...o.com" <frank.li@...o.com>,
"glaubitz@...sik.fu-berlin.de" <glaubitz@...sik.fu-berlin.de>,
"slava@...eyko.com" <slava@...eyko.com>,
"brauner@...nel.org" <brauner@...nel.org>,
"akpm@...ux-foundation.org" <akpm@...ux-foundation.org>
Cc: "linux-fsdevel@...r.kernel.org" <linux-fsdevel@...r.kernel.org>,
"linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>
Subject: Re: [PATCH] hfsplus: don't use BUG_ON() in
hfsplus_create_attributes_file()
On 2025/07/08 4:03, Viacheslav Dubeyko wrote:
>>> @@ -172,7 +172,11 @@ static int hfsplus_create_attributes_file(struct
> super_block *sb)
>>> return PTR_ERR(attr_file);
>>> }
>>>
>>> - BUG_ON(i_size_read(attr_file) != 0);
>
> But I still worry about i_size_read(attr_file). How this size could be not zero
> during hfsplus_create_attributes_file() call?
Because the filesystem image is intentionally crafted.
syzkaller mounts this image which already contains inode for xattr file
but vhdr->attr_file.total_blocks at
https://elixir.bootlin.com/linux/v6.16-rc5/source/fs/hfsplus/super.c#L485
is 0. This inconsistency is not detected during mount operation, and
sbi->attr_tree_state remains HFSPLUS_EMPTY_ATTR_TREE, and
this inconsistency is detected when setxattr operation is called.
The correct fix might be to implement stricter consistency check during
mount operation, but even userspace fsck.hfsplus is not doing such check.
Powered by blists - more mailing lists