Subject: [PATCH] hfsplus: don't return 0 when fill_super() failed
To: syzbot, syzkaller-bugs@googlegroups.com, viro@zeniv.linux.org.uk
References: <001a114467485371b605691053fc@google.com>
Cc: linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org
From: Tetsuo Handa
Date: Tue, 15 May 2018 19:08:24 +0900
In-Reply-To: <001a114467485371b605691053fc@google.com>
X-Mailing-List: linux-kernel@vger.kernel.org

From f78a5fe168290cb9e009f4d907d04b5bfe277831 Mon Sep 17 00:00:00 2001
From: Tetsuo Handa
Date: Tue, 15 May 2018 11:38:38 +0900
Subject: [PATCH] hfsplus: don't return 0 when fill_super() failed

syzbot is reporting NULL pointer dereference at mount_fs() [1].
This is because hfsplus_fill_super() is by error returning 0 when
hfsplus_fill_super() detected invalid filesystem image, and mount_bdev()
is returning NULL because dget(s->s_root) == NULL if s->s_root == NULL,
and mount_fs() is accessing root->d_sb because IS_ERR(root) == false
if root == NULL.

Fix this by returning -EINVAL when hfsplus_fill_super() detected
invalid filesystem image.

[1] https://syzkaller.appspot.com/bug?id=21acb6850cecbc960c927229e597158cf35f33d0

Signed-off-by: Tetsuo Handa
Reported-by: syzbot
Cc: Al Viro

--- fs/hfsplus/super.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/fs/hfsplus/super.c b/fs/hfsplus/super.c index 513c357..9e690ae 100644 --- a/fs/hfsplus/super.c +++ b/fs/hfsplus/super.c @@ -524,8 +524,10 @@ static int hfsplus_fill_super(struct super_block *sb, void *data, int silent) goto out_put_root; if (!hfs_brec_read(&fd, &entry, sizeof(entry))) { hfs_find_exit(&fd); - if (entry.type != cpu_to_be16(HFSPLUS_FOLDER)) + if (entry.type != cpu_to_be16(HFSPLUS_FOLDER)) { + err = -EINVAL; goto out_put_root; + } inode = hfsplus_iget(sb, be32_to_cpu(entry.folder.id)); if (IS_ERR(inode)) { err = PTR_ERR(inode); -- 1.8.3.1
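
Review bot: The unchanged "goto out_put_root;" on the first context line of the hunk at fs/hfsplus/super.c -524 jumps to the same label as the branch being fixed, and the hunk does not show what err holds at that point. Since the commit message explains that a 0 return with s->s_root == NULL is what lets NULL reach mount_fs(), please confirm that every jump to out_put_root carries a negative errno, not only the entry.type != cpu_to_be16(HFSPLUS_FOLDER) case that now sets err = -EINVAL. The trailer has Reported-by and Cc but no Fixes: tag; adding one would help anyone deciding whether to backport.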
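
Added example (not part of the original message or of the kernel source): a user-space C model of the error-pointer convention the commit message relies on, showing why a 0 return with s_root == NULL gets past the IS_ERR() check while -EINVAL does not. ERR_PTR/IS_ERR mirror the kernel helpers of the same name; the model_* functions, the trimmed structs and the outcome enum are hypothetical stand-ins.

```c
#include <stdio.h>
#include <stdint.h>
#include <stddef.h>
#include <errno.h>

/* Error pointers occupy the top MAX_ERRNO addresses; NULL is not one of them. */
#define MAX_ERRNO 4095
static void *ERR_PTR(long error) { return (void *)(intptr_t)error; }
static int IS_ERR(const void *p) { return (uintptr_t)p >= (uintptr_t)-MAX_ERRNO; }

struct dentry { int unused; };
struct super_block { struct dentry *s_root; };      /* trimmed model */

enum outcome { MOUNT_OK, MOUNT_ERROR, MOUNT_NULL_DEREF };

/* Stand-in for a fill_super() that rejects the image and never sets s_root.
 * patched == 0: err is still 0 from an earlier successful step (the bug).
 * patched == 1: err is set to -EINVAL before bailing out (the fix). */
static int model_fill_super(struct super_block *sb, int patched)
{
    int err = 0;
    sb->s_root = NULL;
    if (patched)
        err = -EINVAL;
    return err;
}

/* Stand-in for mount_bdev(): error pointer on failure, else the root dentry. */
static struct dentry *model_mount_bdev(struct super_block *sb, int patched)
{
    int err = model_fill_super(sb, patched);
    if (err)
        return ERR_PTR(err);
    return sb->s_root;               /* dget(NULL) is NULL */
}

/* Stand-in for mount_fs(): only IS_ERR() guards the use of root. */
static enum outcome model_mount_fs(int patched)
{
    struct super_block sb;
    struct dentry *root = model_mount_bdev(&sb, patched);
    if (IS_ERR(root))
        return MOUNT_ERROR;          /* failure propagated cleanly */
    if (root == NULL)
        return MOUNT_NULL_DEREF;     /* real code would read root->d_sb here */
    return MOUNT_OK;
}

int main(void)
{
    printf("unpatched: %d, patched: %d\n", model_mount_fs(0), model_mount_fs(1));
    return 0;
}
```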