From: Charalampos Mitrodimas <charmitro@posteo.net>
To: Deepanshu Kartikey <kartikey406@gmail.com>
Cc: Viacheslav Dubeyko <Slava.Dubeyko@ibm.com>,
"glaubitz@physik.fu-berlin.de" <glaubitz@physik.fu-berlin.de>,
"frank.li@vivo.com" <frank.li@vivo.com>,
"slava@dubeyko.com" <slava@dubeyko.com>,
"linux-fsdevel@vger.kernel.org" <linux-fsdevel@vger.kernel.org>,
"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
"syzbot+d80abb5b890d39261e72@syzkaller.appspotmail.com"
<syzbot+d80abb5b890d39261e72@syzkaller.appspotmail.com>
Subject: Re: [PATCH v5] hfsplus: fix uninit-value by validating catalog record size
Date: Tue, 24 Feb 2026 09:56:25 +0000 [thread overview]
Message-ID: <87pl5ua2iv.fsf@posteo.net> (raw)
In-Reply-To: <CADhLXY4Of=3ekg86ggi68_VEtYh6qDr-OtfP-D3=4mc9xm0i+Q@mail.gmail.com>
Deepanshu Kartikey <kartikey406@gmail.com> writes:
> On Tue, Feb 24, 2026 at 12:28 AM Viacheslav Dubeyko
> <Slava.Dubeyko@ibm.com> wrote:
>>
>
>> > + case HFSPLUS_FILE_THREAD:
>> > + /* Ensure we have at least the fixed fields before reading nodeName.length */
>> > + if (fd->entrylength < offsetof(struct hfsplus_cat_thread, nodeName) +
>> > + offsetof(struct hfsplus_unistr, unicode)) {
>> > + pr_err("thread record too short (got %u)\n", fd->entrylength);
>> > + return -EIO;
>> > + }
>
> The check is in the HFSPLUS_FOLDER_THREAD/HFSPLUS_FILE_THREAD case in
> hfsplus_brec_read_cat() function (fs/hfsplus/bfind.c):
>
> This validates that we have at least the minimum bytes needed before
> calling hfsplus_cat_thread_size() which reads nodeName.length.
Hi,
So... yes, while this is essentially what I recommended, just checking
entrylength against HFSPLUS_MIN_THREAD_SZ will yield the same results,
because:
HFSPLUS_MIN_THREAD_SZ is already defined 10, the same value as the
offsetof chain. hfsplus_readdir() already uses it for the same
guard. It's shorter, consistent with other places and the intent is
immediately clear (easier to read).
Cheers,
C. Mitrodimas
next prev parent reply other threads:[~2026-02-24 9:56 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-02-21 6:16 [PATCH v5] hfsplus: fix uninit-value by validating catalog record size Deepanshu Kartikey
2026-02-23 18:58 ` Viacheslav Dubeyko
2026-02-24 3:52 ` Deepanshu Kartikey
2026-02-24 9:56 ` Charalampos Mitrodimas [this message]
2026-02-24 17:53 ` Viacheslav Dubeyko
2026-03-07 1:05 ` Deepanshu Kartikey
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87pl5ua2iv.fsf@posteo.net \
--to=charmitro@posteo.net \
--cc=Slava.Dubeyko@ibm.com \
--cc=frank.li@vivo.com \
--cc=glaubitz@physik.fu-berlin.de \
--cc=kartikey406@gmail.com \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=slava@dubeyko.com \
--cc=syzbot+d80abb5b890d39261e72@syzkaller.appspotmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox