From: Hillf Danton
To: Tristan Madani
Cc: syzbot , linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com
Subject: Re: Forwarded: Re: [syzbot] [hfs?] KASAN: slab-out-of-bounds Read in hfsplus_bnode_read
Date: Fri, 1 May 2026 10:44:39 +0800
Message-ID: <20260501024440.239-1-hdanton@sina.com>
In-Reply-To: <69f3da9f.050a0220.312cd3.0003.GAE@google.com>

> Date: Thu, 30 Apr 2026 15:41:35 -0700
> For archival purposes, forwarding an incoming command email to
> linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.
>
> ***
>
> Subject: Re: [syzbot] [hfs?] KASAN: slab-out-of-bounds Read in hfsplus_bnode_read
> Author: tristmd@gmail.com
>
Tristan, can you please correctly fill your cc list as required to avoid this Forwarded message which is a waste of net bandwidth?

> #syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
>
> >From 481707e6b354ae2f36603d68c63364b56d6ee6b6 Mon Sep 17 00:00:00 2001
> From: Tristan Madani > Date: Thu, 30 Apr 2026 22:38:32 +0000 > Subject: [PATCH 1/3] hfs/hfsplus: fix u32 overflow in > check_and_correct_requested_length > > check_and_correct_requested_length() compares (off + len) against > node_size using u32 arithmetic. When the caller passes a large len > value (e.g. from an underflowed subtraction in hfs_brec_remove()), > off + len can wrap past 2^32 and produce a small result, causing the > bounds check to pass when it should fail. > > For example, with off=14 and len=0xFFFFFFF2 (underflowed from > data_off - keyoffset - size in hfs_brec_remove), off + len wraps to 6, > which is less than a typical node_size of 512, so the check passes and > the subsequent memmove reads ~4GB past the node buffer. > > Fix this by comparing len against (node_size - off) instead. Since > is_bnode_offset_valid() already guarantees off < node_size before this > point, the subtraction cannot underflow. > > Reported-by: syzbot+6df204b70bf3261691c5@syzkaller.appspotmail.com > Reported-by: syzbot+e76bf3d19b85350571ac@syzkaller.appspotmail.com > Fixes: a431930c9bac ("hfs: fix slab-out-of-bounds in hfs_bnode_read()") > Cc: stable@vger.kernel.org > Signed-off-by: Tristan Madani > --- > fs/hfs/bnode.c | 2 +- > fs/hfsplus/hfsplus_fs.h | 2 +- > 2 files changed, 2 insertions(+), 2 deletions(-) > > diff --git a/fs/hfs/bnode.c b/fs/hfs/bnode.c > index 13d58c51fc46b..c00645a4a5733 100644 > --- a/fs/hfs/bnode.c > +++ b/fs/hfs/bnode.c > @@ -41,7 +41,7 @@ u32 check_and_correct_requested_length(struct hfs_bnode *node, u32 off, u32 len) > > node_size = node->tree->node_size; > > - if ((off + len) > node_size) { > + if (len > node_size - off) { > u32 new_len = node_size - off; > > pr_err("requested length has been corrected: " > diff --git a/fs/hfsplus/hfsplus_fs.h b/fs/hfsplus/hfsplus_fs.h > index 3545b8dbf11c5..10b2dda3f8044 100644 > --- a/fs/hfsplus/hfsplus_fs.h > +++ b/fs/hfsplus/hfsplus_fs.h 
> @@ -600,7 +600,7 @@ u32 check_and_correct_requested_length(struct hfs_bnode *node, u32 off, u32 len) > > node_size = node->tree->node_size; > > - if ((off + len) > node_size) { > + if (len > node_size - off) { > u32 new_len = node_size - off; > > pr_err("requested length has been corrected: " > -- > 2.47.3
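Review bot: the new condition `if (len > node_size - off)` in the fs/hfs/bnode.c hunk is only sound because off < node_size was established earlier, but that guarantee is not visible in the hunk; a one-line comment above the comparison naming is_bnode_offset_valid() as the invariant, or a `WARN_ON_ONCE(off >= node_size)` next to it, would stop a future caller from reintroducing the wrap, since with off >= node_size the u32 subtraction node_size - off underflows and the check passes again. The worked arithmetic in the commit message also does not match: 14 + 0xFFFFFFF2 wraps to 0 in u32, not 6 (the check is still wrongly passed either way), so the example should be corrected. Finally, the clamped path only logs via pr_err() and continues with new_len, so a caller such as hfs_brec_remove() that fed in an underflowed len still proceeds on corrupted metadata; if later patches in the series fix that underflow at its source, saying so in this commit message would make the series easier to review.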
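Review bot: the fs/hfsplus/hfsplus_fs.h hunk applies the identical one-line change to a second copy of check_and_correct_requested_length(), so the two copies have to be kept in sync by hand; the commit message should say that both are changed. The Fixes: tag names only a431930c9bac ("hfs: fix slab-out-of-bounds in hfs_bnode_read()"), which is the hfs commit, so if the hfsplus copy was introduced by a different commit a second Fixes: line is needed for stable to pick up both files. The same invariant caveat applies here: `len > node_size - off` is correct only while off < node_size.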
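As an added illustration of the wrap the commit message describes (my own model, not the patch's or the kernel's code), the following compares the old and new forms of the check with the commit message's values and shows why the new form depends on off < node_size; the three helper functions are hypothetical stand-ins for the kernel logic:

```c
#include <stdint.h>
#include <stdio.h>

/* Added example, not the kernel's code: models the u32 bounds check in
 * check_and_correct_requested_length() before and after the patch.
 * node_size, off and len are u32, exactly as in the kernel function. */

/* Pre-patch check: off + len is evaluated in 32 bits and may wrap. */
static int old_check_accepts(uint32_t node_size, uint32_t off, uint32_t len)
{
    return (uint32_t)(off + len) <= node_size;
}

/* Patched check: compares len against the room left after off. This is
 * only sound while off < node_size, which the patch relies on
 * is_bnode_offset_valid() having established earlier in the caller. */
static int new_check_accepts(uint32_t node_size, uint32_t off, uint32_t len)
{
    return len <= node_size - off;
}

/* Length the patched function would actually use: len if it fits,
 * otherwise the clamped node_size - off (what new_len holds there). */
static uint32_t corrected_len(uint32_t node_size, uint32_t off, uint32_t len)
{
    if (new_check_accepts(node_size, off, len))
        return len;
    return node_size - off;
}

int main(void)
{
    /* Values from the commit message: off=14, len underflowed to 0xFFFFFFF2. */
    uint32_t node_size = 512, off = 14, len = 0xFFFFFFF2u;

    printf("old check accepts: %d (off+len wraps to %u)\n",
           old_check_accepts(node_size, off, len), (uint32_t)(off + len));
    printf("new check accepts: %d, corrected len: %u\n",
           new_check_accepts(node_size, off, len),
           corrected_len(node_size, off, len));
    /* Caveat: with off >= node_size the patched check wraps as well. */
    printf("new check with off=600 accepts: %d\n",
           new_check_accepts(node_size, 600, 0x10000u));
    return 0;
}
```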