[PATCH v3] hfsplus: fix null-ptr-deref in hfsplus_cat_write_inode

[Deepanshu Kartikey]

When a corrupt HFS+ image is mounted where the hidden directory is
absent, hfsplus_fill_super() handles -ENOENT from
hfsplus_get_hidden_dir_entry() silently and continues with
sbi->hidden_dir left as NULL.

hfsplus_link() and hfsplus_unlink() call
hfsplus_cat_write_inode(sbi->hidden_dir) unconditionally without
checking whether hidden_dir is NULL, triggering a general protection
fault caught by KASAN as a null-ptr-deref at offset 0x28.

Other call sites in dir.c already guard against this by checking
hidden_dir for NULL before use. Apply the same guard to the two
unprotected call sites in hfsplus_link() and hfsplus_unlink().

Changes in v3:
  - Correct fix location: guard sbi->hidden_dir before calling
    hfsplus_cat_write_inode() in hfsplus_link() and hfsplus_unlink()
    in dir.c, as suggested by Vyacheslav Dubeyko.

Changes in v2:
  - Fixed commit message: hfsplus_delete_cat() is called from
    multiple callers, not just hfsplus_unlink() as incorrectly
    stated in v1.

Reported-by: syzbot+c0ba772a362e70937dfb@xxxxxxxxxxxxxxxxxxxxxxxxx
Closes: https://syzkaller.appspot.com/bug?extid=c0ba772a362e70937dfb
Tested-by: syzbot+c0ba772a362e70937dfb@xxxxxxxxxxxxxxxxxxxxxxxxx
Signed-off-by: Deepanshu Kartikey <kartikey406@xxxxxxxxx>
---
 fs/hfsplus/dir.c | 15 ++++++++-------
 1 file changed, 8 insertions(+), 7 deletions(-)

diff --git a/fs/hfsplus/dir.c b/fs/hfsplus/dir.c
index d559bf8625f8..a7feef53d8cb 100644
--- a/fs/hfsplus/dir.c
+++ b/fs/hfsplus/dir.c
@@ -362,9 +362,11 @@ static int hfsplus_link(struct dentry *src_dentry, struct inode *dst_dir,
 	if (res)
 		goto out;
 
-	res = hfsplus_cat_write_inode(sbi->hidden_dir);
-	if (res)
-		goto out;
+	if (sbi->hidden_dir) {
+		res = hfsplus_cat_write_inode(sbi->hidden_dir);
+		if (res)
+			goto out;
+	}
 
 	res = hfsplus_cat_write_inode(inode);
 
@@ -431,11 +433,10 @@ static int hfsplus_unlink(struct inode *dir, struct dentry *dentry)
 out:
 	if (!res) {
 		res = hfsplus_cat_write_inode(dir);
-		if (!res) {
+		if (!res && sbi->hidden_dir)
 			res = hfsplus_cat_write_inode(sbi->hidden_dir);
-			if (!res)
-				res = hfsplus_cat_write_inode(inode);
-		}
+		if (!res)
+			res = hfsplus_cat_write_inode(inode);
 	}
 
 	mutex_unlock(&sbi->vh_mutex);
-- 
2.43.0