| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <5498a57ea660b5366ef213acd554aba55a5804d1.camel@ibm.com>
Date: Wed, 30 Jul 2025 19:24:54 +0000
From: Viacheslav Dubeyko <Slava.Dubeyko@....com>
To: "leocstone@...il.com" <leocstone@...il.com>,
"jack@...e.cz"
<jack@...e.cz>,
"penguin-kernel@...ove.SAKURA.ne.jp"
<penguin-kernel@...ove.SAKURA.ne.jp>,
"willy@...radead.org"
<willy@...radead.org>,
"brauner@...nel.org" <brauner@...nel.org>
CC: "glaubitz@...sik.fu-berlin.de" <glaubitz@...sik.fu-berlin.de>,
"frank.li@...o.com" <frank.li@...o.com>,
"slava@...eyko.com"
<slava@...eyko.com>,
"linux-fsdevel@...r.kernel.org"
<linux-fsdevel@...r.kernel.org>,
"linux-kernel@...r.kernel.org"
<linux-kernel@...r.kernel.org>,
"akpm@...ux-foundation.org"
<akpm@...ux-foundation.org>
Subject: Re: [PATCH v4] hfs: update sanity check of the root record
On Wed, 2025-07-30 at 08:21 +0900, Tetsuo Handa wrote:
> syzbot is reporting that BUG() in hfs_write_inode() fires upon unmount
> operation when the inode number of the record retrieved as a result of
> hfs_cat_find_brec(HFS_ROOT_CNID) is not HFS_ROOT_CNID, for
> commit b905bafdea21 ("hfs: Sanity check the root record") checked
> the record size and the record type but did not check the inode number.
>
> Reported-by: syzbot+97e301b4b82ae803d21b@...kaller.appspotmail.com
> Closes: https://syzkaller.appspot.com/bug?extid=97e301b4b82ae803d21b
> Signed-off-by: Tetsuo Handa <penguin-kernel@...ove.SAKURA.ne.jp>
> ---
> fs/hfs/super.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/fs/hfs/super.c b/fs/hfs/super.c
> index fe09c2093a93..d231989b4e23 100644
> --- a/fs/hfs/super.c
> +++ b/fs/hfs/super.c
> @@ -354,7 +354,7 @@ static int hfs_fill_super(struct super_block *sb, struct fs_context *fc)
> goto bail_hfs_find;
> }
> hfs_bnode_read(fd.bnode, &rec, fd.entryoffset, fd.entrylength);
> - if (rec.type != HFS_CDR_DIR)
> + if (rec.type != HFS_CDR_DIR || rec.dir.DirID != cpu_to_be32(HFS_ROOT_CNID))
> res = -EIO;
> }
> if (res)
Why do not localize the all checks in hfs_read_inode()?
We will do such logic then [1], even if rec.dir.DirID !=
cpu_to_be32(HFS_ROOT_CNID):
root_inode = hfs_iget(sb, &fd.search_key->cat, &rec);
hfs_find_exit(&fd);
if (!root_inode)
goto bail_no_root;
The hfs_iget() calls iget5_locked() [2]:
inode = iget5_locked(sb, cnid, hfs_test_inode, hfs_read_inode, &data);
And hfs_read_inode() will be called, finally. If inode ID is wrong, then
make_bad_inode(inode) can be called [3].
If we considering case HFS_CDR_DIR in hfs_read_inode(), then we know that it
could be HFS_POR_CNID, HFS_ROOT_CNID, or >= HFS_FIRSTUSER_CNID. Do you mean that
HFS_POR_CNID could be a problem in hfs_write_inode()?
Thanks,
Slava.
[1] https://elixir.bootlin.com/linux/v6.16-rc6/source/fs/hfs/super.c#L363
[2] https://elixir.bootlin.com/linux/v6.16-rc6/source/fs/hfs/inode.c#L403
[3]
https://elixir.bootlin.com/linux/v6.16-rc6/source/fs/hfs/inode.c#L373
Powered by blists - more mailing lists