From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from mail-oi1-f197.google.com (mail-oi1-f197.google.com [209.85.167.197]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id D89423603E9 for ; Thu, 2 Jul 2026 05:11:39 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.167.197 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1782969101; cv=none; b=Q7aLdvKmMJ5ySYTzZ8gR1pBh2OAWwpuMnq2quCtJituU2a3oaljLSQ6IE/qzd9z6ev7d6w9z4eK7kUkFNnR0/yNGqsHE6BFlsdcfTW2QZa3zDrvn3P06XsODjb9IYybr6v7/zLFds/dD0CQSs4g6WZJwhYYLnAsi36pp63d8akY= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1782969101; c=relaxed/simple; bh=aI7Qv4ffTbXYvvegoemypWrPcEMD0+bA9II2xaFkYvM=; h=MIME-Version:Date:In-Reply-To:Message-ID:Subject:From:To: Content-Type; b=jvdvJXPP8awg8PS6wfz2poU8zrrqZscXynWentcLnoAIRV40ArYvgzZb8kuiQW5UctqKBaxTANa9LDo3VGy1bXiL9eZTb5yKPh+Xlnw2cBZrRK8qMy+lQdUQx7hnxem2CGZ3ShlYTx+tUHXaZT+oPjtg3ry4T2FyaGjHqcVStu0= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=fail (p=none dis=none) header.from=syzkaller.appspotmail.com; spf=pass smtp.mailfrom=M3KW2WVRGUFZ5GODRSRYTGD7.apphosting.bounces.google.com; arc=none smtp.client-ip=209.85.167.197 Authentication-Results: smtp.subspace.kernel.org; dmarc=fail (p=none dis=none) header.from=syzkaller.appspotmail.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=M3KW2WVRGUFZ5GODRSRYTGD7.apphosting.bounces.google.com Received: by mail-oi1-f197.google.com with SMTP id 5614622812f47-495b0cf250dso1292059b6e.3 for ; Wed, 01 Jul 2026 22:11:39 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1782969099; x=1783573899; h=to:from:subject:message-id:in-reply-to:date:mime-version :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=fcw5iQANEukwSlaAV2GdqiVKNDeJuwfbxxjaYubM534=; b=bzf4pzxYHKz0FdyAAqu7jTCPaJFK/2GNwgQRFJVxjX6dTupsBwdH0ryEjGfQ8OSZO+ Wkar+ctL1D2YM8icGlhiQ/DXbYcr9xx3WsWBKk/eq1OgJseW6gwwVNR0Xd5ZwxREgY+a 78QqKfzb6aleJHG1NHb3674UNM4jJSAZrsykj8I+tQYQBN50HRu/IL771pWH8x1Jk523 MZAjzA/u79MSzGNJR84zpZpuylilrqMEKdZe4n7x0sSsvvPwTULNYaB2h2zy05boMCdc sFMI8tzlttmuSFuBNOs6eklvwM7sr3DblWh2RCGmeha1SIVmmk/VYLTFul4U82yVnAI3 uViw== X-Gm-Message-State: AOJu0YwuvEqi6VRP0KfMFIrqTGq3rHvmzB/bKMZQjl/WOPUTUlYR6mnt Xrglu+dsyi3SwXpW9o7DYI9F4CUKVrIN8Eapj3zldBM/3KsK3cwHsyOwANVFzD7wQeA8q0r7Wv7 VbqGetJwYHAmWvPXl3/mcCf/RM9SGFLMPIxQ//bdvGY7DoiSElJCt8/dO0II= Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 X-Received: by 2002:a05:6808:1811:b0:495:f643:576f with SMTP id 5614622812f47-4960eed3aecmr3419139b6e.26.1782969099059; Wed, 01 Jul 2026 22:11:39 -0700 (PDT) Date: Wed, 01 Jul 2026 22:11:39 -0700 In-Reply-To: <00000000000089f55405ee486239@google.com> X-Google-Appengine-App-Id: s~syzkaller X-Google-Appengine-App-Id-Alias: syzkaller Message-ID: <6a45f30b.6912059f.e0473.0000.GAE@google.com> Subject: Forwarded: [PATCH] hfs: validate catalog CNIDs before instantiating inodes From: syzbot To: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="UTF-8" For archival purposes, forwarding an incoming command email to linux-kernel@vger.kernel.org. *** Subject: [PATCH] hfs: validate catalog CNIDs before instantiating inodes Author: davemadmaxxx@gmail.com hfs_cat_find_brec() first resolves a catalog thread record by CNID and then looks up the corresponding catalog record by parent/name. On a corrupted filesystem image, the second lookup may find a record whose CNID does not match the CNID that was requested. Validate the catalog record found by the second lookup before returning it to callers. Inspect the already-found record with hfs_bnode_read(), not hfs_brec_read(), and reject records whose CNID is invalid for their record type or does not match the requested CNID. Also validate CNIDs in hfs_read_inode() before the inode is populated, and propagate hfs_read_inode() errors from the resource-fork lookup path. For the root inode path, require the root catalog record to be a directory with DirID == HFS_ROOT_CNID, and drop the root inode reference if it was instantiated as a bad inode. This keeps hfs_write_inode() unchanged and prevents corrupted catalog records from reaching the existing reserved-CNID BUG() path during writeback. Reported-by: syzbot+97e301b4b82ae803d21b@syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=97e301b4b82ae803d21b Cc: George Anthony Vernon Cc: Tetsuo Handa Signed-off-by: David Maximiliano Hermitte #syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master --- fs/hfs/catalog.c | 48 +++++++++++++++++++++++++++++++++++++++++++++++- fs/hfs/hfs_fs.h | 19 +++++++++++++++++++ fs/hfs/inode.c | 9 ++++++++- fs/hfs/super.c | 8 +++++++- 4 files changed, 81 insertions(+), 3 deletions(-) diff --git a/fs/hfs/catalog.c b/fs/hfs/catalog.c index 1bfa36d71e24..fa2a0a5975e3 100644 --- a/fs/hfs/catalog.c +++ b/fs/hfs/catalog.c @@ -182,6 +182,47 @@ int hfs_cat_keycmp(const btree_key *key1, const btree_key *key2) key2->cat.CName.name, key2->cat.CName.len); } +static int hfs_cat_validate_found_cnid(struct hfs_find_data *fd, u32 cnid) +{ + hfs_cat_rec rec; + u32 found_cnid; + unsigned int rec_len; + size_t cnid_off; + + if (fd->entrylength <= 0) + return -EIO; + + if ((unsigned int)fd->entrylength > sizeof(rec)) + rec_len = sizeof(rec); + else + rec_len = fd->entrylength; + + memset(&rec, 0, sizeof(rec)); + hfs_bnode_read(fd->bnode, &rec, fd->entryoffset, rec_len); + + switch (rec.type) { + case HFS_CDR_FIL: + cnid_off = offsetof(struct hfs_cat_file, FlNum); + if ((size_t)rec_len < cnid_off + sizeof(rec.file.FlNum)) + return -EIO; + found_cnid = be32_to_cpu(rec.file.FlNum); + break; + case HFS_CDR_DIR: + cnid_off = offsetof(struct hfs_cat_dir, DirID); + if ((size_t)rec_len < cnid_off + sizeof(rec.dir.DirID)) + return -EIO; + found_cnid = be32_to_cpu(rec.dir.DirID); + break; + default: + return -EIO; + } + + if (!hfs_is_valid_cnid(found_cnid, rec.type) || found_cnid != cnid) + return -EIO; + + return 0; +} + /* Try to get a catalog entry for given catalog id */ // move to read_super??? int hfs_cat_find_brec(struct super_block *sb, u32 cnid, @@ -208,7 +249,12 @@ int hfs_cat_find_brec(struct super_block *sb, u32 cnid, return -EIO; } memcpy(fd->search_key->cat.CName.name, rec.thread.CName.name, len); - return hfs_brec_find(fd); + + res = hfs_brec_find(fd); + if (res) + return res; + + return hfs_cat_validate_found_cnid(fd, cnid); } static inline diff --git a/fs/hfs/hfs_fs.h b/fs/hfs/hfs_fs.h index f3624514fcb0..670638f17438 100644 --- a/fs/hfs/hfs_fs.h +++ b/fs/hfs/hfs_fs.h @@ -155,6 +155,25 @@ extern int hfs_cat_move(u32 cnid, struct inode *src_dir, extern void hfs_cat_build_key(struct super_block *sb, btree_key *key, u32 parent, const struct qstr *name); +/* + * Validate the CNID of a catalog record. + */ +static inline bool hfs_is_valid_cnid(u32 cnid, u8 type) +{ + if (likely(cnid >= HFS_FIRSTUSER_CNID)) + return true; + + switch (cnid) { + case HFS_ROOT_CNID: + return type == HFS_CDR_DIR; + case HFS_EXT_CNID: + case HFS_CAT_CNID: + return type == HFS_CDR_FIL; + default: + return false; + } +} + /* dir.c */ extern const struct file_operations hfs_dir_operations; extern const struct inode_operations hfs_dir_inode_operations; diff --git a/fs/hfs/inode.c b/fs/hfs/inode.c index ac4a9055c5c0..c685f1bb7009 100644 --- a/fs/hfs/inode.c +++ b/fs/hfs/inode.c @@ -367,6 +367,9 @@ static int hfs_read_inode(struct inode *inode, void *data) rec = idata->rec; switch (rec->type) { case HFS_CDR_FIL: + if (!hfs_is_valid_cnid(be32_to_cpu(rec->file.FlNum), rec->type)) + return -EIO; + if (!HFS_IS_RSRC(inode)) { hfs_inode_read_fork(inode, rec->file.ExtRec, rec->file.LgLen, rec->file.PyLen, be16_to_cpu(rec->file.ClpSize)); @@ -390,6 +393,9 @@ static int hfs_read_inode(struct inode *inode, void *data) inode->i_mapping->a_ops = &hfs_aops; break; case HFS_CDR_DIR: + if (!hfs_is_valid_cnid(be32_to_cpu(rec->dir.DirID), rec->type)) + return -EIO; + inode->i_ino = be32_to_cpu(rec->dir.DirID); inode->i_size = be16_to_cpu(rec->dir.Val) + 2; HFS_I(inode)->fs_blocks = 0; @@ -571,7 +577,8 @@ static struct dentry *hfs_file_lookup(struct inode *dir, struct dentry *dentry, res = hfs_brec_read(&fd, &rec, sizeof(rec)); if (!res) { struct hfs_iget_data idata = { NULL, &rec }; - hfs_read_inode(inode, &idata); + + res = hfs_read_inode(inode, &idata); } hfs_find_exit(&fd); if (res) { diff --git a/fs/hfs/super.c b/fs/hfs/super.c index a466c401f6bb..5275936304c7 100644 --- a/fs/hfs/super.c +++ b/fs/hfs/super.c @@ -361,7 +361,8 @@ static int hfs_fill_super(struct super_block *sb, struct fs_context *fc) goto bail_hfs_find; } hfs_bnode_read(fd.bnode, &rec, fd.entryoffset, fd.entrylength); - if (rec.type != HFS_CDR_DIR) + if (rec.type != HFS_CDR_DIR || + be32_to_cpu(rec.dir.DirID) != HFS_ROOT_CNID) res = -EIO; } if (res) @@ -372,6 +373,11 @@ static int hfs_fill_super(struct super_block *sb, struct fs_context *fc) if (!root_inode) goto bail_no_root; + if (is_bad_inode(root_inode)) { + iput(root_inode); + goto bail_no_root; + } + set_default_d_op(sb, &hfs_dentry_operations); res = -ENOMEM; sb->s_root = d_make_root(root_inode); -- 2.43.0