Re: [PATCH v4] hfs: Validate CNIDs in hfs_read_inode

Next message: Li Ming: "Re: [PATCH 2/7] cxl/memdev: Hold memdev lock during memdev poison injection/clear"
Previous message: Steven Price: "Re: [PATCH v12 06/46] arm64: RMI: Define the user ABI"
In reply to: George Anthony Vernon: "[PATCH v4] hfs: Validate CNIDs in hfs_read_inode"
Next in thread: Viacheslav Dubeyko: "RE: [PATCH v4] hfs: Validate CNIDs in hfs_read_inode"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Tetsuo Handa

Date: Thu Mar 12 2026 - 06:46:45 EST

Since is_valid_catalog_record() is called before inode->i_ino is assigned,

+ pr_warn("Invalid inode with cnid %lu\n", inode->i_ino);

always prints 0.

kernel test robot <lkp@xxxxxxxxx> reported that this patch needs below change.

- if (!is_valid_catalog_record(rec->file.FlNum, rec->type))
+ if (!is_valid_catalog_record(be32_to_cpu(rec->file.FlNum), rec->type))

- if (!is_valid_catalog_record(rec->dir.DirID, rec->type))
+ if (!is_valid_catalog_record(be32_to_cpu(rec->dir.DirID), rec->type))

Because of this endian bug, syzbot did not test is_valid_catalog_record() == false case.

This patch also needs below change.

- if (!root_inode || is_bad_inode(root_inode))
+ if (!root_inode)
goto bail_no_root;
+ if (is_bad_inode(root_inode)) {
+ iput(root_inode);
+ goto bail_no_root;
+ }

Since this bug is reported when "rmmod hfs" is done, syzbot would not be
able to find this bug.

And even after both changes are applied, my patch still makes sense
because mount() operation still succeeds for cnid >= 16. :-)