Re: [PATCH v4] hfs: Validate CNIDs in hfs_read_inode
From: Tetsuo Handa
Date: Wed Mar 18 2026 - 04:17:39 EST
On 2026/03/18 9:10, George Anthony Vernon wrote:
>> Because of this endian bug, syzbot did not test is_valid_catalog_record() == false case.
>>
> Sorry I don't follow this. How can you tell syzbot did not test the case?
Since is_valid_catalog_record() returns "true" for the 0 < cnid < 15 range,
hfs_read_inode() was not validating the cnid with which the reproducer would
have hit BUG() in hfs_write_inode(). And the reproducer did not hit BUG()
because BUG() in hfs_write_inode() was removed.
---------- (Run this program on a little endian machine like x86_64.)
#include <stdio.h>
#include <arpa/inet.h>

/* Stand-in for the kernel check: anything at or above 16 is taken as valid,
 * anything below is printed as "needs validation". The type argument is
 * unused here; it only mirrors the real function's signature. */
static int is_valid_catalog_record(unsigned int cnid, unsigned char type)
{
	if (cnid >= 16)
		return 1;
	printf("validate %u\n", cnid);
	return 0;
}

int main(int argc, char *argv[])
{
	unsigned int i;

	/* htonl() simulates a big-endian on-disk value that was never
	 * converted to host order before the check. */
	printf("wrong order\n");
	for (i = 0; i < 20; i++)
		is_valid_catalog_record(htonl(i), 0);
	/* Same values after conversion to host order. */
	printf("correct order\n");
	for (i = 0; i < 20; i++)
		is_valid_catalog_record(i, 0);
	return 0;
}
----------
----------
wrong order
validate 0
correct order
validate 0
validate 1
validate 2
validate 3
validate 4
validate 5
validate 6
validate 7
validate 8
validate 9
validate 10
validate 11
validate 12
validate 13
validate 14
validate 15
----------
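The following is an added example, not code from Tetsuo's mail or from the hfs driver. It models the same byte-order mistake from the on-disk side: a constructed record stores the CNID big-endian, and the checker is applied once to the raw bytes read in host order and once after a be32 decode. The struct layout, the helper names and the "below 16 needs validation" threshold are assumptions that mirror the program above, not the kernel's actual code.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for an on-disk catalog record: HFS stores the CNID
 * as a big-endian 32-bit value. This is not the kernel's struct layout. */
struct ondisk_rec {
	uint8_t cnid_be[4];
	uint8_t type;
};

/* Decode a big-endian 32-bit field independent of host byte order
 * (the userspace equivalent of be32_to_cpu()). */
static uint32_t be32_decode(const uint8_t *p)
{
	return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
	       ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Host byte-order probe, so the demonstration can state what it expects. */
static int host_is_little_endian(void)
{
	uint32_t probe = 1;
	uint8_t first;
	memcpy(&first, &probe, 1);
	return first == 1;
}

/* Same rule as the program in the mail: CNIDs below 16 are the ones that
 * need extra validation; everything else is taken as valid. */
static int cnid_needs_validation(uint32_t cnid)
{
	return cnid < 16;
}

/* Wrong order: read the raw on-disk bytes in host order, then check. */
static int check_raw_host_order(const struct ondisk_rec *r)
{
	uint32_t host_view;
	memcpy(&host_view, r->cnid_be, sizeof(host_view)); /* no byte swap */
	return cnid_needs_validation(host_view);
}

/* Correct order: convert from big-endian first, then check. */
static int check_decoded(const struct ondisk_rec *r)
{
	return cnid_needs_validation(be32_decode(r->cnid_be));
}

/* Build records for CNIDs 0..15 and count how many the checker flags.
 * A correct checker flags all 16; the raw one flags only CNID 0 on a
 * little-endian host, because every other value is read as a multiple
 * of 2^24 and sails past the "< 16" test. */
static int count_flagged(int (*check)(const struct ondisk_rec *))
{
	int flagged = 0;
	uint32_t cnid;

	for (cnid = 0; cnid < 16; cnid++) {
		struct ondisk_rec r;
		r.cnid_be[0] = (uint8_t)(cnid >> 24);
		r.cnid_be[1] = (uint8_t)(cnid >> 16);
		r.cnid_be[2] = (uint8_t)(cnid >> 8);
		r.cnid_be[3] = (uint8_t)cnid;
		r.type = 0;
		if (check(&r))
			flagged++;
	}
	return flagged;
}

int main(void)
{
	printf("host is %s-endian\n",
	       host_is_little_endian() ? "little" : "big");
	printf("raw host-order check flags %d of 16 reserved CNIDs\n",
	       count_flagged(check_raw_host_order));
	printf("decoded check flags %d of 16 reserved CNIDs\n",
	       count_flagged(check_decoded));
	return 0;
}
```

On x86_64 the raw check flags 1 of 16 while the decoded check flags all 16; on a big-endian host both report 16, which is why a fuzzer running only on little-endian machines never reaches the validation path for the reserved range unless the conversion happens before the check.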