On Mon, 2025-08-18 at 22:17 +0800, Chenzhi Yang wrote:
> From: Yang Chenzhi <yang.chenzhi@vivo.com>
>
> When running syzbot with a crafted HFS/HFS+ disk image containing
> invalid record offsets or lengths, the filesystem may hang. For
> example, in this case syzbot set the header’s second record offset
> to 0x7f00 while node_size is 4096. HFS/HFS+ failed to detect this
> fault, which eventually led to a crash.
>
HFS has 512 bytes b-tree node size.
> Since HFS/HFS+ makes heavy use of hfs_brec_lenoff, adding manual
> offset/length checks at every call site would be tedious and
> error-prone.
>
You are mentioning HFS here. But you've shared fix only for HFS+. Are you
planning to share the fix for HFS too?
Thanks,
Slava.
> Instead, it may be more robust to introduce validation directly
> inside hfs_brec_lenoff (or at a similar central point), ensuring
> that all callers can safely rely on the returned offset and length
> without additional checks.
>
> Yang Chenzhi (1):
> hfs: validate record offset in hfsplus_bmap_alloc
>
> fs/hfsplus/bnode.c | 41 ----------------------------------------
> fs/hfsplus/btree.c | 6 ++++++
> fs/hfsplus/hfsplus_fs.h | 42 +++++++++++++++++++++++++++++++++++++++++
> 3 files changed, 48 insertions(+), 41 deletions(-)