Re: [PATCH v4] hfs: Validate CNIDs in hfs_read_inode
From: Tetsuo Handa
Date: Thu Mar 19 2026 - 06:07:54 EST
On 2026/03/19 7:49, George Anthony Vernon wrote:
> Tetsuo, what do you think about doing your check inside
> hfs_cat_find_brec? Something a bit like this:
Currently hfs_cat_find_brec() is called by only hfs_fill_super()
with cnid == HFS_ROOT_CNID. Are you planning to add more callers?
If not, my patch
- if (rec.type != HFS_CDR_DIR)
+ if (rec.type != HFS_CDR_DIR || rec.dir.DirID != cpu_to_be32(HFS_ROOT_CNID))
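Review bot: The rec.dir.DirID comparison on the "+" line is only safe because the caller has already required fd->entrylength == sizeof(struct hfs_cat_dir), so every byte of rec.dir was filled from the entry just read; if this check is later moved into hfs_cat_find_brec() to cover other callers, the exact-size requirement must move with it, otherwise DirID could be read from stale union bytes left by a shorter record.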
is sufficient.
If yes, your
> + if (fd->entrylength > sizeof(rec)) {
> + pr_err("Bad catalog entry size\n");
> + return -EIO;
> + }
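Review bot: "fd->entrylength > sizeof(rec)" only bounds the copy; it still admits an entry shorter than the record type it claims, so the tail of rec.dir (or rec.file) is uninitialized when it is read afterwards. Once rec.type is known, compare against the exact size for that type, e.g. "if (rec.type == HFS_CDR_DIR && fd->entrylength != sizeof(struct hfs_cat_dir)) return -EIO;", which is the requirement the existing hfs_fill_super() path already enforces for the 70-byte directory record.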
part is not compatible with https://elixir.bootlin.com/linux/v7.0-rc4/source/fs/hfs/super.c#L359
which requires that fd->entrylength is exactly 70 bytes in order to make sure that rec.dir is
fully initialized.
sizeof(struct hfs_cat_file) = 102
sizeof(struct hfs_cat_dir) = 70
sizeof(struct hfs_cat_thread) = 46
Even if you are planning to add more callers, my patch will be easier to apply to stable.
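The difference between the two checks discussed in this thread, shown as an added user-space example that is not code from the kernel or from either patch. The struct layouts are constructed stand-ins padded to the sizes quoted in the mail (102 / 70 / 46), with only the record type (byte 0) and DirID (big-endian, byte 6) at their on-disk offsets; the type and root-CNID constants are the HFS on-disk values. The helper and function names are this example's own.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* HFS on-disk constants (same values as the kernel's hfs.h). */
#define HFS_ROOT_CNID 2
#define HFS_CDR_DIR   0x01
#define HFS_CDR_FIL   0x02
#define HFS_CDR_THD   0x03

/* Constructed stand-ins for the kernel's hfs_cat_* structs, padded so
 * their sizes match the figures in the mail (102 / 70 / 46).  Only the
 * fields the checks read sit at their real on-disk offsets: the record
 * type at byte 0 and, for a directory record, DirID as a big-endian
 * 32-bit value at byte 6. */
struct hfs_cat_dir    { uint8_t type; uint8_t hdr[5]; uint8_t DirID[4]; uint8_t rest[60]; };
struct hfs_cat_file   { uint8_t type; uint8_t rest[101]; };
struct hfs_cat_thread { uint8_t type; uint8_t rest[45]; };

typedef union {
	uint8_t type;
	struct hfs_cat_dir dir;
	struct hfs_cat_file file;
	struct hfs_cat_thread thread;
} hfs_cat_rec;

static uint32_t be32_at(const uint8_t *p)
{
	return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
	       ((uint32_t)p[2] << 8) | p[3];
}

/* Variant A: the upper-bound check from the quoted hunk.  It prevents
 * overflowing rec, but accepts any shorter entry, so a record typed as
 * a directory can leave the tail of rec.dir holding stale bytes. */
static int load_rec_bounded(hfs_cat_rec *rec, const uint8_t *entry, size_t entrylength)
{
	if (entrylength > sizeof(*rec))
		return -EIO;
	memcpy(rec, entry, entrylength);
	return 0;
}

/* Variant B: the exact-size requirement hfs_fill_super() applies, plus
 * the DirID check from the v4 patch.  The entry is accepted as the root
 * directory only if it is exactly one dir record long, typed as a
 * directory, and carries HFS_ROOT_CNID. */
static int load_root_dir_rec(hfs_cat_rec *rec, const uint8_t *entry, size_t entrylength)
{
	if (entrylength != sizeof(struct hfs_cat_dir))
		return -EIO;
	memcpy(rec, entry, entrylength);
	if (rec->type != HFS_CDR_DIR || be32_at(rec->dir.DirID) != HFS_ROOT_CNID)
		return -EIO;
	return 0;
}

/* Constructed entry of `len` bytes with the given type and CNID; reports
 * whether variant B accepts it as the root directory (1 = accepted). */
static int root_accepted(size_t len, uint8_t type, uint32_t cnid)
{
	uint8_t entry[sizeof(hfs_cat_rec)] = {0};
	hfs_cat_rec rec;

	entry[0] = type;
	entry[6] = cnid >> 24; entry[7] = cnid >> 16;
	entry[8] = cnid >> 8;  entry[9] = cnid;
	return load_root_dir_rec(&rec, entry, len) == 0;
}

/* Loads a directory-typed entry of `len` bytes under variant A into a
 * rec pre-filled with 0xAA (stale data from a previous lookup) and
 * returns how many bytes of rec.dir still hold the filler afterwards;
 * 0 if variant A rejected the entry. */
static size_t stale_tail_bounded(size_t len)
{
	uint8_t entry[sizeof(hfs_cat_rec)] = {0};
	hfs_cat_rec rec;
	const uint8_t *p = (const uint8_t *)&rec.dir;
	size_t stale = 0, i;

	memset(&rec, 0xAA, sizeof(rec));
	entry[0] = HFS_CDR_DIR;
	entry[9] = HFS_ROOT_CNID;
	if (load_rec_bounded(&rec, entry, len) != 0)
		return 0;
	for (i = 0; i < sizeof(rec.dir); i++)
		stale += (p[i] == 0xAA);
	return stale;
}

int main(void)
{
	printf("20-byte 'dir' entry under variant A leaves %zu stale bytes in rec.dir\n",
	       stale_tail_bounded(20));
	printf("same entry under variant B accepted: %d\n", root_accepted(20, HFS_CDR_DIR, HFS_ROOT_CNID));
	printf("70-byte root dir under variant B accepted: %d\n", root_accepted(70, HFS_CDR_DIR, HFS_ROOT_CNID));
	return 0;
}
```

A 20-byte entry that claims to be a directory passes variant A and leaves 50 bytes of rec.dir untouched, which is the case the exact-size check in hfs_fill_super() rules out; variant B rejects it, and also rejects a correctly sized directory record whose DirID is not the root CNID.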