lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <d74eef30-fed4-46a8-801e-c86e8ed2632f@I-love.SAKURA.ne.jp>
Date: Tue, 14 Oct 2025 22:30:05 +0900
From: Tetsuo Handa <penguin-kernel@...ove.SAKURA.ne.jp>
To: linux-kernel@...r.kernel.org,
        Mikulas Patocka <mikulas@...ax.karlin.mff.cuni.cz>,
        Antoni Pokusinski <apokusinski01@...il.com>,
        linux-fsdevel <linux-fsdevel@...r.kernel.org>
Subject: [PATCH] hpfs: make check=none mount option excludable

syzbot is reporting use-after-free read problem when a crafted HPFS image
was mounted with "check=none" option.

The "check=none" option is intended for only users who want maximum speed
and use the filesystem only on trusted input. But fuzzers are for using
the filesystem on untrusted input.

Mikulas Patocka (the HPFS maintainer) thinks that there is no need to add
some middle ground where "check=none" would check some structures and won't
check others. Therefore, to make sure that fuzzers and careful users do not
by error specify "check=none" at runtime, make "check=none" being
excludable at build time.

Reported-by: syzbot+fa88eb476e42878f2844@...kaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=fa88eb476e42878f2844
Link: https://lkml.kernel.org/r/9ca81125-1c7b-ddaf-09ea-638bc5712632@redhat.com
Tested-by: syzbot+fa88eb476e42878f2844@...kaller.appspotmail.com
Signed-off-by: Tetsuo Handa <penguin-kernel@...ove.SAKURA.ne.jp>
---
 fs/hpfs/Kconfig | 11 +++++++++++
 fs/hpfs/super.c |  2 ++
 2 files changed, 13 insertions(+)

diff --git a/fs/hpfs/Kconfig b/fs/hpfs/Kconfig
index ac1e9318e65a..d3dfbe76be8a 100644
--- a/fs/hpfs/Kconfig
+++ b/fs/hpfs/Kconfig
@@ -15,3 +15,14 @@ config HPFS_FS
 
 	  To compile this file system support as a module, choose M here: the
 	  module will be called hpfs.  If unsure, say N.
+
+config HPFS_FS_ALLOW_NO_ERROR_CHECK_MODE
+	bool "Allow no-error-check mode for maximum speed"
+	depends on HPFS_FS
+	default n
+	help
+	  This option enables check=none mount option. If check=none is
+	  specified, users can expect maximum speed at the cost of minimum
+	  robustness. Sane users should not specify check=none option, for e.g.
+	  use-after-free bug will happen when the filesystem is corrupted or
+	  crafted.
diff --git a/fs/hpfs/super.c b/fs/hpfs/super.c
index 8ab85e7ac91e..656b1ae01812 100644
--- a/fs/hpfs/super.c
+++ b/fs/hpfs/super.c
@@ -285,7 +285,9 @@ static const struct constant_table hpfs_param_case[] = {
 };
 
 static const struct constant_table hpfs_param_check[] = {
+#ifdef CONFIG_HPFS_FS_ALLOW_NO_ERROR_CHECK_MODE
 	{"none",	0},
+#endif
 	{"normal",	1},
 	{"strict",	2},
 	{}
-- 
2.47.3

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ