Re: [Bug Report] OOB-read BUG in HFS+ filesystem
From: David Sterba
Date: Mon Apr 14 2025 - 12:23:45 EST
On Mon, Apr 14, 2025 at 03:21:56PM +0100, Matthew Wilcox wrote:
> On Mon, Apr 14, 2025 at 04:18:27PM +0200, Christian Brauner wrote:
> > On Mon, Apr 14, 2025 at 09:45:25PM +0800, now4yreal wrote:
> > > Dear Linux Security Maintainers,
> > > I would like to report a OOB-read vulnerability in the HFS+ file
> > > system, which I discovered using our in-house developed kernel fuzzer,
> > > Symsyz.
> >
> > Bug reports from non-official syzbot instances are generally not
> > accepted.
> >
> > hfs and hfsplus are orphaned filesystems since at least 2014. Bug
> > reports for such filesystems won't receive much attention from the core
> > maintainers.
> >
> > I'm very very close to putting them on the chopping block as they're
> > slowly turning into pointless burdens.
>
> I've tried asking some people who are long term Apple & Linux people,
> but haven't been able to find anyone interested in becoming maintainer.
> Let's drop both hfs & hfsplus. Ten years of being unmaintained is
> long enough.
Agreed. If needed there are FUSE implementations to access .dmg files
with HFS/HFS+ or other standalone tools.
https://github.com/0x09/hfsfuse
https://github.com/darlinghq/darling-dmg