Re: [PATCH v2] hfsplus: Add a sanity check for btree node size

From: Edward Adam Davis

Date: Thu Apr 16 2026 - 19:39:37 EST

On Thu, 16 Apr 2026 15:16:15 -0700, Viacheslav Dubeyko wrote:
> > Syzbot reported an uninit-value bug in [1] with a corrupted HFS+ image,
> > during the file system mounting process, specifically while loading the
> > catalog, a corrupted node_size value of 1 caused the rec_off argument
> > passed to hfs_bnode_read_u16() (within hfs_bnode_find()) to be excessively
> > large. Consequently, the function failed to return a valid value to
> > initialize the off variable, triggering the bug [1].
> >
> > Every node starts from BTree node descriptor: struct hfs_bnode_desc.
> > So, the size of node cannot be lesser than that. However, technical
> > specification declares that: "The node size (which is expressed in bytes)
> > must be power of two, from 512 through 32,768, inclusive." Add a check
> > for btree node size base on technical specification.
> >
> > [1]
> > BUG: KMSAN: uninit-value in hfsplus_bnode_find+0x141c/0x1600 fs/hfsplus/bnode.c:584
> > hfsplus_bnode_find+0x141c/0x1600 fs/hfsplus/bnode.c:584
> > hfsplus_btree_open+0x169a/0x1e40 fs/hfsplus/btree.c:382
> > hfsplus_fill_super+0x111f/0x2770 fs/hfsplus/super.c:553
> > get_tree_bdev_flags+0x6e6/0x920 fs/super.c:1694
> > get_tree_bdev+0x38/0x50 fs/super.c:1717
> > hfsplus_get_tree+0x35/0x40 fs/hfsplus/super.c:709
> > vfs_get_tree+0xb3/0x5d0 fs/super.c:1754
> > fc_mount fs/namespace.c:1193 [inline]
> >
> > Fixes: 8ad2c6a36ac4 ("hfsplus: validate b-tree node 0 bitmap at mount time")
> > Reported-by: syzbot+217eb327242d08197efb@xxxxxxxxxxxxxxxxxxxxxxxxx
> > Closes: https://syzkaller.appspot.com/bug?extid=217eb327242d08197efb
> > Signed-off-by: Edward Adam Davis <eadavis@xxxxxx>
> > ---
> > v1 -> v2: change check base on technical specification
> >
> > fs/hfsplus/btree.c | 2 ++
> > 1 file changed, 2 insertions(+)
> >
> > diff --git a/fs/hfsplus/btree.c b/fs/hfsplus/btree.c
> > index 761c74ccd653..857705c3fe0d 100644
> > --- a/fs/hfsplus/btree.c
> > +++ b/fs/hfsplus/btree.c
> > @@ -365,6 +365,8 @@ struct hfs_btree *hfs_btree_open(struct super_block *sb, u32 id)
> > }
> >
> > size = tree->node_size;
> > + if (size < sb->s_blocksize || size > HFSPLUS_NODE_MXSZ)
>
> Technically speaking, you are right that b-tree node size should be aligned on
> logical block size. However, I am not sure that mkfs.hfsplus restricts the
> creation of volume with b-tree's node size smaller than logical block size but
> still in the required range of sizes.
>
> Maybe, we need to declare the constant of HFSPLUS_NODE_MINSZ (512) and to check
> this constant instead of logical block size. What do you think?
Hmm, that's much safer.

Edward
BR