From: "Ernesto A. Fernández" <ernesto.mnd.fernandez@gmail.com>
To: syzbot <syzbot+4f2e5f086147d543ab03@syzkaller.appspotmail.com>
Cc: "Andrew Morton" <akpm@linux-foundation.org>,
	"Christoph Hellwig" <hch@lst.de>,
	"Alexey Khoroshilov" <khoroshilov@ispras.ru>,
	"Artem Bityutskiy" <artem.bityutskiy@linux.intel.com>,
	"Ernesto A. Fernández" <ernesto.mnd.fernandez@gmail.com>,
	linux-fsdevel@vger.kernel.org
Subject: [PATCH 2/2] hfsplus: always return error if fill_super fails
Date: Thu, 3 May 2018 19:10:36 -0300
Message-ID: <8285926250376eb393b69877251b0d6e743b7930.1525384742.git.ernesto.mnd.fernandez@gmail.com>
In-Reply-To: <dadb7856c5a0da0fa3c1f2c30f18f09fad62d45d.1525384741.git.ernesto.mnd.fernandez@gmail.com>

If the filesystem is corrupted in such a way that the HFS+ Private Data
directory is not of type HFSPLUS_FOLDER, the mount will fail without
throwing an error code. The vfs layer is then forced to dereference a
NULL root dentry.

This bug was found by KASAN while running the reproducer provided by
syzbot+4f2e5f086147d543ab03@syzkaller.appspotmail.com for a separate
issue.

Fixes: 5bd9d99d107c ("hfsplus: add error checking for hfs_find_init()")
Signed-off-by: Ernesto A. Fernández <ernesto.mnd.fernandez@gmail.com>
---
 fs/hfsplus/super.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/fs/hfsplus/super.c b/fs/hfsplus/super.c
index 4bc49e3f171d..4f62634c5666 100644
--- a/fs/hfsplus/super.c
+++ b/fs/hfsplus/super.c
@@ -524,8 +524,10 @@ static int hfsplus_fill_super(struct super_block *sb, void *data, int silent)
 		goto out_put_root;
 	if (!hfs_brec_read(&fd, &entry, sizeof(entry))) {
 		hfs_find_exit(&fd);
-		if (entry.type != cpu_to_be16(HFSPLUS_FOLDER))
+		if (entry.type != cpu_to_be16(HFSPLUS_FOLDER)) {
+			err = -EINVAL;
 			goto out_put_root;
+		}
 		inode = hfsplus_iget(sb, be32_to_cpu(entry.folder.id));
 		if (IS_ERR(inode)) {
 			err = PTR_ERR(inode);
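
Review bot: The new `err = -EINVAL;` in the `entry.type != cpu_to_be16(HFSPLUS_FOLDER)` branch fails the mount without logging anything, so a user with a corrupted image gets a bare error code and no hint that the HFS+ Private Data directory entry has the wrong type. Consider adding a short `pr_err()` there, gated on the `silent` argument of `hfsplus_fill_super()`. Separately, the unconditional `goto out_put_root;` on the first context line of this hunk jumps to the same label under a condition that is not visible here. It is worth confirming that `err` is already non-zero on that path, since any route to `out_put_root` with `err == 0` reproduces the NULL root dentry dereference described in the commit message.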
-- 
2.11.0

Thread overview: 5+ messages
2018-05-03 22:08 [PATCH 1/2] hfsplus: clean up delayed work if fill_super fails Ernesto A. Fernández
2018-05-03 22:10 ` Ernesto A. Fernández [this message]
2018-05-03 22:31 ` Al Viro
2018-05-08  1:48   ` Ernesto A. Fernández
2018-05-21  2:06     ` [PATCH v3] hfsplus: fix cleanup for hfsplus_fill_super() Ernesto A. Fernández
