lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <ef0bd6a340e0e4332e809c322186e73d9e3fdec3.camel@ibm.com>
Date: Tue, 4 Nov 2025 23:01:31 +0000
From: Viacheslav Dubeyko <Slava.Dubeyko@....com>
To: "glaubitz@...sik.fu-berlin.de" <glaubitz@...sik.fu-berlin.de>,
        "contact@...rnon.com" <contact@...rnon.com>,
        "slava@...eyko.com"
	<slava@...eyko.com>,
        "frank.li@...o.com" <frank.li@...o.com>,
        "skhan@...uxfoundation.org" <skhan@...uxfoundation.org>,
        "linux-fsdevel@...r.kernel.org" <linux-fsdevel@...r.kernel.org>
CC: "linux-kernel-mentees@...ts.linux.dev"
	<linux-kernel-mentees@...ts.linux.dev>,
        "penguin-kernel@...ove.sakura.ne.jp"
	<penguin-kernel@...ove.sakura.ne.jp>,
        "linux-kernel@...r.kernel.org"
	<linux-kernel@...r.kernel.org>,
        "syzbot+97e301b4b82ae803d21b@...kaller.appspotmail.com"
	<syzbot+97e301b4b82ae803d21b@...kaller.appspotmail.com>
Subject: Re:  [PATCH v2 2/2] hfs: Update sanity check of the root record

On Tue, 2025-11-04 at 01:47 +0000, George Anthony Vernon wrote:
> syzbot is reporting that BUG() in hfs_write_inode() fires upon unmount
> operation when the inode number of the record retrieved as a result of
> hfs_cat_find_brec(HFS_ROOT_CNID) is not HFS_ROOT_CNID, for commit
> b905bafdea21 ("hfs: Sanity check the root record") checked the record
> size and the record type but did not check the inode number.
> 
> Reported-by: syzbot+97e301b4b82ae803d21b@...kaller.appspotmail.com
> Closes: https://syzkaller.appspot.com/bug?extid=97e301b4b82ae803d21b  
> Signed-off-by: Tetsuo Handa <penguin-kernel@...ove.SAKURA.ne.jp>
> Signed-off-by: George Anthony Vernon <contact@...rnon.com>
> ---
>  fs/hfs/super.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/fs/hfs/super.c b/fs/hfs/super.c
> index 47f50fa555a4..a7dd20f2d743 100644
> --- a/fs/hfs/super.c
> +++ b/fs/hfs/super.c
> @@ -358,7 +358,7 @@ static int hfs_fill_super(struct super_block *sb, struct fs_context *fc)
>  			goto bail_hfs_find;
>  		}
>  		hfs_bnode_read(fd.bnode, &rec, fd.entryoffset, fd.entrylength);
> -		if (rec.type != HFS_CDR_DIR)
> +		if (rec.type != HFS_CDR_DIR || rec.dir.DirID != cpu_to_be32(HFS_ROOT_CNID))

This check is completely unnecessary. Because, we have hfs_iget() then [1]:

	res = hfs_find_init(HFS_SB(sb)->cat_tree, &fd);
	if (res)
		goto bail_no_root;
	res = hfs_cat_find_brec(sb, HFS_ROOT_CNID, &fd);
	if (!res) {
		if (fd.entrylength != sizeof(rec.dir)) {
			res =  -EIO;
			goto bail_hfs_find;
		}
		hfs_bnode_read(fd.bnode, &rec, fd.entryoffset, fd.entrylength);
		if (rec.type != HFS_CDR_DIR)
			res = -EIO;
	}
	if (res)
		goto bail_hfs_find;
	res = -EINVAL;
	root_inode = hfs_iget(sb, &fd.search_key->cat, &rec);
	hfs_find_exit(&fd);
	if (!root_inode)
		goto bail_no_root;

The hfs_iget() calls iget5_locked() [2]:

struct inode *hfs_iget(struct super_block *sb, struct hfs_cat_key *key,
hfs_cat_rec *rec)
{
	struct hfs_iget_data data = { key, rec };
	struct inode *inode;
	u32 cnid;

	switch (rec->type) {
	case HFS_CDR_DIR:
		cnid = be32_to_cpu(rec->dir.DirID);
		break;
	case HFS_CDR_FIL:
		cnid = be32_to_cpu(rec->file.FlNum);
		break;
	default:
		return NULL;
	}
	inode = iget5_locked(sb, cnid, hfs_test_inode, hfs_read_inode, &data);
	if (inode && (inode->i_state & I_NEW))
		unlock_new_inode(inode);
	return inode;
}

And iget5_locked() calls hfs_read_inode(). And hfs_read_inode() will call
is_valid_cnid() after applying your patch. So, is_valid_cnid() in
hfs_read_inode() can completely manage the issue. This is why we don't need in
this modification after your first patch.

But I think we need to check that root_inode is not bad inode afterwards:

	root_inode = hfs_iget(sb, &fd.search_key->cat, &rec);
	hfs_find_exit(&fd);
	if (!root_inode || is_bad_inode(root_inode))
		goto bail_no_root;

Thanks,
Slava.

>  			res = -EIO;
>  	}
>  	if (res)

[1] https://elixir.bootlin.com/linux/v6.18-rc4/source/fs/hfs/super.c#L367
[2] https://elixir.bootlin.com/linux/v6.18-rc4/source/fs/hfs/inode.c#L414

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ