From: Sasha Levin
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Tetsuo Handa, syzbot, syzbot, Viacheslav Dubeyko, Christian Brauner, Sasha Levin, willy@infradead.org, dchinner@redhat.com, akpm@linux-foundation.org, jlayton@kernel.org, gargaditya08@live.com, linux-fsdevel@vger.kernel.org
Subject: [PATCH AUTOSEL 5.15] fs: hfsplus: remove WARN_ON() from hfsplus_cat_{read,write}_inode()
Date: Sun, 30 Apr 2023 08:13:25 -0400
Message-Id: <20230430121327.3197791-1-sashal@kernel.org>

From: Tetsuo Handa

[ Upstream commit 81b21c0f0138ff5a499eafc3eb0578ad2a99622c ]

syzbot is hitting WARN_ON() in hfsplus_cat_{read,write}_inode(), for
crafted filesystem image can contain bogus length. These conditions are
not kernel bugs that can justify kernel to panic.

Reported-by: syzbot
Link: https://syzkaller.appspot.com/bug?extid=e2787430e752a92b8750
Reported-by: syzbot
Link: https://syzkaller.appspot.com/bug?extid=4913dca2ea6e4d43f3f1
Signed-off-by: Tetsuo Handa
Reviewed-by: Viacheslav Dubeyko
Message-Id: <15308173-5252-d6a3-ae3b-e96d46cb6f41@I-love.SAKURA.ne.jp>
Signed-off-by: Christian Brauner
Signed-off-by: Sasha Levin
--- fs/hfsplus/inode.c | 28 +++++++++++++++++++++++----- 1 file changed, 23 insertions(+), 5 deletions(-) diff --git a/fs/hfsplus/inode.c b/fs/hfsplus/inode.c index bf6f75f569e4d..87bc222dc9062 100644 --- a/fs/hfsplus/inode.c +++ b/fs/hfsplus/inode.c 
@@ -509,7 +509,11 @@ int hfsplus_cat_read_inode(struct inode *inode, struct= hfs_find_data *fd) if (type =3D=3D HFSPLUS_FOLDER) { struct hfsplus_cat_folder *folder =3D &entry.folder; =20 - WARN_ON(fd->entrylength < sizeof(struct hfsplus_cat_folder)); + if (fd->entrylength < sizeof(struct hfsplus_cat_folder)) { + pr_err("bad catalog folder entry\n"); + res =3D -EIO; + goto out; + } hfs_bnode_read(fd->bnode, &entry, fd->entryoffset, sizeof(struct hfsplus_cat_folder)); hfsplus_get_perms(inode, &folder->permissions, 1); @@ -529,7 +533,11 @@ int hfsplus_cat_read_inode(struct inode *inode, struct= hfs_find_data *fd) } else if (type =3D=3D HFSPLUS_FILE) { struct hfsplus_cat_file *file =3D &entry.file; =20 - WARN_ON(fd->entrylength < sizeof(struct hfsplus_cat_file)); + if (fd->entrylength < sizeof(struct hfsplus_cat_file)) { + pr_err("bad catalog file entry\n"); + res =3D -EIO; + goto out; + } hfs_bnode_read(fd->bnode, &entry, fd->entryoffset, sizeof(struct hfsplus_cat_file)); =20 @@ -560,6 +568,7 @@ int hfsplus_cat_read_inode(struct inode *inode, struct = hfs_find_data *fd) pr_err("bad catalog entry used to create inode\n"); res =3D -EIO; } +out: return res; } =20 @@ -568,6 +577,7 @@ int hfsplus_cat_write_inode(struct inode *inode) struct inode *main_inode =3D inode; struct hfs_find_data fd; hfsplus_cat_entry entry; + int res =3D 0; =20 if (HFSPLUS_IS_RSRC(inode)) main_inode =3D HFSPLUS_I(inode)->rsrc_inode; @@ -586,7 +596,11 @@ int hfsplus_cat_write_inode(struct inode *inode) if (S_ISDIR(main_inode->i_mode)) { struct hfsplus_cat_folder *folder =3D &entry.folder; =20 - WARN_ON(fd.entrylength < sizeof(struct hfsplus_cat_folder)); + if (fd.entrylength < sizeof(struct hfsplus_cat_folder)) { + pr_err("bad catalog folder entry\n"); + res =3D -EIO; + goto out; + } hfs_bnode_read(fd.bnode, &entry, fd.entryoffset, sizeof(struct hfsplus_cat_folder)); /* simple node checks? */ 
@@ -611,7 +625,11 @@ int hfsplus_cat_write_inode(struct inode *inode) } else { struct hfsplus_cat_file *file =3D &entry.file; =20 - WARN_ON(fd.entrylength < sizeof(struct hfsplus_cat_file)); + if (fd.entrylength < sizeof(struct hfsplus_cat_file)) { + pr_err("bad catalog file entry\n"); + res =3D -EIO; + goto out; + } hfs_bnode_read(fd.bnode, &entry, fd.entryoffset, sizeof(struct hfsplus_cat_file)); hfsplus_inode_write_fork(inode, &file->data_fork); @@ -632,7 +650,7 @@ int hfsplus_cat_write_inode(struct inode *inode) set_bit(HFSPLUS_I_CAT_DIRTY, &HFSPLUS_I(inode)->flags); out: hfs_find_exit(&fd); - return 0; + return res; } =20 int hfsplus_fileattr_get(struct dentry *dentry, struct fileattr *fa) --=20 2.39.2
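
Review bot: In hfsplus_cat_read_inode() the new out: label (hunk at -560,6) sits directly in front of "return res;" and performs no cleanup, so the two added branches at -509,7 and -529,7 could simply "return -EIO;" instead of setting res and jumping. That would keep the label out of a function that has nothing to unwind and would match the direct-return convention for paths without cleanup. The goto is justified only in hfsplus_cat_write_inode(), where out: runs hfs_find_exit(&fd).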
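
Review bot: The four added pr_err() calls ("bad catalog folder entry" / "bad catalog file entry") in the hunks at -509,7, -529,7, -586,7 and -611,7 carry no context and are not rate limited. Since the commit message says the trigger is a crafted image with a bogus length, every call that meets the bad record logs another identical line, and the same string is used in both the read and the write function, so the log cannot tell which path failed. Consider pr_err_ratelimited() and including the observed entrylength and the expected sizeof() in the message.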
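
Review bot: The last hunk (-632,7) changes hfsplus_cat_write_inode() from "return 0;" to "return res;", so callers can now receive -EIO from a function that, in the lines shown, previously always reported success; the commit message only talks about removing the WARN_ON() and does not mention this. Please state in the changelog that a short catalog record now fails the write and confirm that callers handle a non-zero return. Note also that in the visible lines only the two new branches assign res, so any other path that reaches out: still returns 0.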