Re: [PATCH v4] hfs: Validate CNIDs in hfs_read_inode

[Tetsuo Handa]

On 2026/03/14 3:40, Viacheslav Dubeyko wrote:
> On Fri, 2026-03-13 at 20:03 +0900, Tetsuo Handa wrote:
>> On 2026/03/13 8:13, Viacheslav Dubeyko wrote:
>>>> And even after both changes are applied, my patch still makes sense
>>>> because mount() operation still succeeds for cnid >= 16. :-)
>>>
>>> I don't follow how it could happen. Please, take a look here [1]:
>>
>> Do you remember that you said
>>
>>   "Why do not localize the all checks in hfs_read_inode()?"
>>
> 
> If we still have not correct implementation of hfs_read_inode() flow, then we
> can make it right. The patch is under review yet and it can be changed.
> 

Did you read relevant commit in my patch's description? What you have been
failing to understand is that the value filled in by hfs_bnode_read() can be
corrupted, for the value is given from relevant offset of the file system image.

>>> We request to find exactly HFS_ROOT_CNID. If root folder has another CNID, then
>>> we simply cannot find the record for root folder in Catalog File. So, we never
>>> will call hfs_iget() if we cannot find the record.

Your assumption is absolutely wrong. We request to find HFS_ROOT_CNID, but
there is no guarantee that the CNID value (the value of rec.dir.DirID if
rec.type is HFS_CDR_DIR, or the value of rec->file.FlNum if rec->type is
HFS_CDR_FIL) which is filled in by hfs_bnode_read() is actually HFS_ROOT_CNID,
for the CNID value is nothing but 32bits read from relevant offset of the
file system image.

Since we are passing wrong CNID to hfs_iget(), we can't fix this problem
by updating hfs_read_inode() flow. The correct fix for this report is
"don't call hfs_iget() if CNID is wrong". Your patch can be applies as
a further improvement rather than a fix for this report.