| Message ID | tencent_E298974436464AA47527762F67923C3D3609@qq.com (mailing list archive) |
|---|---|
| State | New |
| Series | hfsplus: add check for cat key length |
Hello,
syzbot has tested the proposed patch and the reproducer did not trigger any issue:
Reported-by: syzbot+968ecf5dc01b3e0148ec@syzkaller.appspotmail.com
Tested-by: syzbot+968ecf5dc01b3e0148ec@syzkaller.appspotmail.com
Tested on:
commit: f43b1569 Merge tag 'keys-next-6.12-rc7' of git://git.k..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=158176a7980000
kernel config: https://syzkaller.appspot.com/x/.config?x=6fdf74cce377223b
dashboard link: https://syzkaller.appspot.com/bug?extid=968ecf5dc01b3e0148ec
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=1744ce30580000
Note: testing is done by a robot and is best-effort only.
diff --git a/fs/hfsplus/brec.c b/fs/hfsplus/brec.c index 1918544a7871..da38638ad808 100644 --- a/fs/hfsplus/brec.c +++ b/fs/hfsplus/brec.c @@ -51,6 +51,13 @@ u16 hfs_brec_keylen(struct hfs_bnode *node, u16 rec) } retval = hfs_bnode_read_u16(node, recoff) + 2; + if (node->tree->cnid == HFSPLUS_CAT_CNID && + retval < offsetof(struct hfsplus_cat_key, parent) + + sizeof(hfsplus_cnid)) { + pr_err("keylen %d too small\n", + retval); + return 0; + } if (retval > node->tree->max_key_len + 2) { pr_err("keylen %d too large\n", retval);
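Review bot: the new lower bound in the hfs_brec_keylen hunk, offsetof(struct hfsplus_cat_key, parent) + sizeof(hfsplus_cnid), only guarantees that the parent field is backed by on-disk key bytes; since retval already includes the +2 for the key_len word, the units do match the existing max_key_len + 2 check, but the commit message should state whether a key of exactly that minimum size is sufficient for everything hfsplus_cat_bin_cmp_key reads, or whether the bound needs to cover the name field as well. The check is also gated on node->tree->cnid == HFSPLUS_CAT_CNID, so other B-trees that go through hfs_brec_keylen keep accepting a 2-byte key length; a sentence on why those trees need no equivalent lower bound would help. Minor style point: pr_err("keylen %d too small\n", retval); fits on one line, matching the adjacent "too large" message.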
Syzbot reported an uninit-value in hfsplus_cat_bin_cmp_key. The result of reading from the raw data of the node in hfs_bnode_read_u16() is 0, and the final calculated catalog key length is 2, which will eventually lead to too little key data read from the node to initialize the parent member of struct hfsplus_cat_key. The solution is to increase the key length judgment, and terminate the subsequent operations if it is too small.

#syz test

Reported-by: syzbot+968ecf5dc01b3e0148ec@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=968ecf5dc01b3e0148ec
Signed-off-by: Edward Adam Davis <eadavis@qq.com>
---
 fs/hfsplus/brec.c | 7 +++++++
 1 file changed, 7 insertions(+)