linux-fsdevel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: Jiaming Zhang <r772577952@gmail.com>
To: frank.li@vivo.com, glaubitz@physik.fu-berlin.de,
	 linux-fsdevel@vger.kernel.org, slava@dubeyko.com
Cc: linux-kernel@vger.kernel.org, Jiaming Zhang <r772577952@gmail.com>
Subject: [DISCUSS] Security implications of slab-out-of-bounds Read issue in hfsplus_strcasecmp
Date: Wed, 22 Oct 2025 10:44:45 +0800	[thread overview]
Message-ID: <CANypQFbLkw50aXkdjTbYT2S6me5yowReL2asG__MWveMU=vW0g@mail.gmail.com> (raw)

Hi HFS+ maintainers,

I am starting this thread to discuss the security implications of an
issue in the HFS+ filesystem and to seek your suggestions on whether
it should be assigned a CVE.  I discussed this with the CVE team
earlier, and they suggested I seek opinions from the filesystem
maintainers.

The issue is a slab-out-of-bounds read in hfsplus_strcasecmp(), fixed
by commit 42520df65bf6 ("hfsplus: fix slab-out-of-bounds read in
hfsplus_strcasecmp()"). The issue can be triggered by a corrupted
filesystem image. I also tried to use `fsck.hfsplus` to fix the image,
but the fix failed (exiting with code 8), meaning it would not be
auto-mounted.

This phenomenon means that the barrier to issue exploitation is
relatively high, but I believe the issue's impact still warrants a CVE
for the following reason: it involves kernel-level memory corruption.
If a privileged user attempts to mount a specially crafted HFS+ image
manually, this issue can be triggered, leading to a kernel panic and a
system crash.

A reliable, user-triggered kernel Denial of Service (DoS) is generally
considered a security issue worth tracking.

Given this, I would greatly appreciate your suggestions on whether a
CVE should be assigned to this issue. If you agree, I will follow up
with the CVE team to proceed with the assignment process.

Original issue report:
https://lore.kernel.org/all/CANypQFak7_YYBa_zpa8YmoYzekV_f39jvWJ-STudDUTR2-B_3Q@mail.gmail.com/

Thank you for your time and expertise.

Best regards,
Jiaming Zhang

                 reply	other threads:[~2025-10-22  2:45 UTC|newest]

Thread overview: [no followups] expand[flat|nested]  mbox.gz  Atom feed

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to='CANypQFbLkw50aXkdjTbYT2S6me5yowReL2asG__MWveMU=vW0g@mail.gmail.com' \
    --to=r772577952@gmail.com \
    --cc=frank.li@vivo.com \
    --cc=glaubitz@physik.fu-berlin.de \
    --cc=linux-fsdevel@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=slava@dubeyko.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).