From: Tristan Madani <tristmd@gmail.com>
To: Viacheslav Dubeyko <slava@dubeyko.com>,
John Paul Adrian Glaubitz <glaubitz@physik.fu-berlin.de>,
Yangtao Li <frank.li@vivo.com>
Cc: linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org,
stable@vger.kernel.org,
Tristan Madani <tristan@talencesecurity.com>,
syzbot+6df204b70bf3261691c5@syzkaller.appspotmail.com,
syzbot+e76bf3d19b85350571ac@syzkaller.appspotmail.com
Subject: [PATCH 1/3] hfs/hfsplus: fix u32 overflow in check_and_correct_requested_length
Date: Fri, 1 May 2026 11:02:15 +0000 [thread overview]
Message-ID: <20260501110218.29906-1-tristmd@gmail.com> (raw)
From: Tristan Madani <tristan@talencesecurity.com>
check_and_correct_requested_length() compares (off + len) against
node_size using u32 arithmetic. When the caller passes a large len
value (e.g. from an underflowed subtraction in hfs_brec_remove()),
off + len can wrap past 2^32 and produce a small result, causing the
bounds check to pass when it should fail.
For example, with off=14 and len=0xFFFFFFF2 (underflowed from
data_off - keyoffset - size in hfs_brec_remove), off + len wraps to 6,
which is less than a typical node_size of 512, so the check passes and
the subsequent memmove reads ~4GB past the node buffer.
Fix this by comparing len against (node_size - off) instead. Since
is_bnode_offset_valid() already guarantees off < node_size before this
point, the subtraction cannot underflow.
Reported-by: syzbot+6df204b70bf3261691c5@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=6df204b70bf3261691c5
Tested-by: syzbot+6df204b70bf3261691c5@syzkaller.appspotmail.com
Reported-by: syzbot+e76bf3d19b85350571ac@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=e76bf3d19b85350571ac
Tested-by: syzbot+e76bf3d19b85350571ac@syzkaller.appspotmail.com
Fixes: a431930c9bac ("hfs: fix slab-out-of-bounds in hfs_bnode_read()")
Cc: stable@vger.kernel.org
Signed-off-by: Tristan Madani <tristan@talencesecurity.com>
---
fs/hfs/bnode.c | 2 +-
fs/hfsplus/hfsplus_fs.h | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/fs/hfs/bnode.c b/fs/hfs/bnode.c
index 13d58c51fc46b..c00645a4a5733 100644
--- a/fs/hfs/bnode.c
+++ b/fs/hfs/bnode.c
@@ -41,7 +41,7 @@ u32 check_and_correct_requested_length(struct hfs_bnode *node, u32 off, u32 len)
node_size = node->tree->node_size;
- if ((off + len) > node_size) {
+ if (len > node_size - off) {
u32 new_len = node_size - off;
pr_err("requested length has been corrected: "
diff --git a/fs/hfsplus/hfsplus_fs.h b/fs/hfsplus/hfsplus_fs.h
index 3545b8dbf11c5..10b2dda3f8044 100644
--- a/fs/hfsplus/hfsplus_fs.h
+++ b/fs/hfsplus/hfsplus_fs.h
@@ -600,7 +600,7 @@ u32 check_and_correct_requested_length(struct hfs_bnode *node, u32 off, u32 len)
node_size = node->tree->node_size;
- if ((off + len) > node_size) {
+ if (len > node_size - off) {
u32 new_len = node_size - off;
pr_err("requested length has been corrected: "
--
2.47.3
next reply other threads:[~2026-05-01 11:02 UTC|newest]
Thread overview: 14+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-05-01 11:02 Tristan Madani [this message]
2026-05-01 11:02 ` [PATCH 2/3] hfs/hfsplus: initialize data buffer in hfs_bnode_read_u16 and hfs_bnode_read_u8 Tristan Madani
2026-05-04 23:29 ` Viacheslav Dubeyko
2026-05-01 11:02 ` [PATCH 3/3] hfsplus: fix null pointer dereference in hfsplus_create_attributes_file Tristan Madani
2026-05-04 23:31 ` Viacheslav Dubeyko
2026-05-04 23:27 ` [PATCH 1/3] hfs/hfsplus: fix u32 overflow in check_and_correct_requested_length Viacheslav Dubeyko
2026-05-05 11:12 ` [PATCH v2 0/2] hfs/hfsplus: fix OOB access and uninit-value in bnode operations Tristan Madani
2026-05-05 11:12 ` [PATCH v2 1/2] hfs/hfsplus: fix u32 overflow in check_and_correct_requested_length Tristan Madani
2026-05-07 22:02 ` Viacheslav Dubeyko
2026-05-05 11:12 ` [PATCH v2 2/2] hfs/hfsplus: zero-initialize buffer in hfs_bnode_read Tristan Madani
2026-05-06 19:23 ` Viacheslav Dubeyko
2026-05-07 16:37 ` Tristan Madani
2026-05-07 21:59 ` Viacheslav Dubeyko
2026-05-07 22:00 ` Viacheslav Dubeyko
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260501110218.29906-1-tristmd@gmail.com \
--to=tristmd@gmail.com \
--cc=frank.li@vivo.com \
--cc=glaubitz@physik.fu-berlin.de \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=slava@dubeyko.com \
--cc=stable@vger.kernel.org \
--cc=syzbot+6df204b70bf3261691c5@syzkaller.appspotmail.com \
--cc=syzbot+e76bf3d19b85350571ac@syzkaller.appspotmail.com \
--cc=tristan@talencesecurity.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.