[2/2] hfsplus: always return error if fill_super fails

Message ID 8285926250376eb393b69877251b0d6e743b7930.1525384742.git.ernesto.mnd.fernandez@gmail.com (mailing list archive)
State New, archived

Commit Message

Ernesto A. Fernández May 3, 2018, 10:10 p.m. UTC
If the filesystem is corrupted in such a way that the HFS+ Private Data
directory is not of type HFSPLUS_FOLDER, the mount will fail without
throwing an error code. The vfs layer is then forced to dereference a
NULL root dentry.

This bug was found by KASAN while running the reproducer provided by
syzbot+4f2e5f086147d543ab03@syzkaller.appspotmail.com for a separate
issue.

Fixes: 5bd9d99d107c ("hfsplus: add error checking for hfs_find_init()")
Signed-off-by: Ernesto A. Fernández <ernesto.mnd.fernandez@gmail.com>
---
 fs/hfsplus/super.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

Patch

diff --git a/fs/hfsplus/super.c b/fs/hfsplus/super.c
index 4bc49e3f171d..4f62634c5666 100644
--- a/fs/hfsplus/super.c
+++ b/fs/hfsplus/super.c
@@ -524,8 +524,10 @@  static int hfsplus_fill_super(struct super_block *sb, void *data, int silent)
 		goto out_put_root;
 	if (!hfs_brec_read(&fd, &entry, sizeof(entry))) {
 		hfs_find_exit(&fd);
-		if (entry.type != cpu_to_be16(HFSPLUS_FOLDER))
+		if (entry.type != cpu_to_be16(HFSPLUS_FOLDER)) {
+			err = -EINVAL;
 			goto out_put_root;
+		}
 		inode = hfsplus_iget(sb, be32_to_cpu(entry.folder.id));
 		if (IS_ERR(inode)) {
 			err = PTR_ERR(inode);
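
Review bot: The new `entry.type != cpu_to_be16(HFSPLUS_FOLDER)` branch fails the mount with -EINVAL but logs nothing, so a user with a corrupted volume gets no hint about which on-disk structure was rejected. Since hfsplus_fill_super() takes a `silent` argument, consider a `pr_err()` guarded by `!silent` that names the Private Data directory before the `goto out_put_root;`. The first context line of this hunk is another `goto out_put_root;` and the bug fixed here was a jump to that label with err still zero, so it is worth confirming that every other jump to out_put_root sets err first. An alternative that closes the whole class is to have the out_put_root path never return 0.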