On Sat 30-11-24 21:14:19, Leo Stone wrote: > In the syzbot reproducer, the hfs_cat_rec for the root dir has type > HFS_CDR_FIL after being read with hfs_bnode_read() in hfs_super_fill(). > This indicates it should be used as an hfs_cat_file, which is 102 bytes. > Only the first 70 bytes of that struct are initialized, however, > because the entrylength passed into hfs_bnode_read() is still the length of > a directory record. This causes uninitialized values to be used later on, > when the hfs_cat_rec union is treated as the larger hfs_cat_file struct. > > Add a check to make sure the retrieved record has the correct type > for the root directory (HFS_CDR_DIR), and make sure we load the correct > number of bytes for a directory record. > > Reported-by: syzbot+2db3c7526ba68f4ea776@xxxxxxxxxxxxxxxxxxxxxxxxx > Closes: https://syzkaller.appspot.com/bug?extid=2db3c7526ba68f4ea776 > Tested-by: syzbot+2db3c7526ba68f4ea776@xxxxxxxxxxxxxxxxxxxxxxxxx > Tested-by: Leo Stone <leocstone@xxxxxxxxx> > Signed-off-by: Leo Stone <leocstone@xxxxxxxxx> Looks good. Feel free to add: Reviewed-by: Jan Kara <jack@xxxxxxx> Honza > --- > v2: Made the check on fd.entrylength more strict. Tested with real HFS > images. > v1: https://lore.kernel.org/all/20241123194949.9243-1-leocstone@xxxxxxxxx > --- > fs/hfs/super.c | 4 +++- > 1 file changed, 3 insertions(+), 1 deletion(-) > > diff --git a/fs/hfs/super.c b/fs/hfs/super.c > index 3bee9b5dba5e..fe09c2093a93 100644 > --- a/fs/hfs/super.c > +++ b/fs/hfs/super.c > @@ -349,11 +349,13 @@ static int hfs_fill_super(struct super_block *sb, struct fs_context *fc) > goto bail_no_root; > res = hfs_cat_find_brec(sb, HFS_ROOT_CNID, &fd); > if (!res) { > - if (fd.entrylength > sizeof(rec) || fd.entrylength < 0) { > + if (fd.entrylength != sizeof(rec.dir)) { > res = -EIO; > goto bail_hfs_find; > } > hfs_bnode_read(fd.bnode, &rec, fd.entryoffset, fd.entrylength); > + if (rec.type != HFS_CDR_DIR) > + res = -EIO; > } > if (res) > goto bail_hfs_find; > -- > 2.43.0 > -- Jan Kara <jack@xxxxxxxx> SUSE Labs, CR
