Received: by 2002:a05:6a10:a0d1:0:0:0:0 with SMTP id j17csp789663pxa;
        Wed, 12 Aug 2020 13:25:43 -0700 (PDT)
X-Google-Smtp-Source: ABdhPJwwqtkrhz2PP9d4LJCNyg/ORvxgSpZ7hJhMH7g91pX38dcKAirszRmlksvjFnRkUp93P3H1
X-Received: by 2002:a17:906:8149:: with SMTP id z9mr1574480ejw.356.1597263943748;
        Wed, 12 Aug 2020 13:25:43 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1597263943; cv=none;
        d=google.com; s=arc-20160816;
        b=u9T+1w/KCmMWzE1stsxbNUdY69Eye2P3Zr8M0XXS3QKYIVbmaTB3SRn1nN19uUgkbZ
         hhTPqS23rwvg4Pg427z+J2VBML0S8Xa90+T54h+EGp+bAfrvsqvC54NixUBISht7IVgH
         i17uFQI6eUcxTPdmOyEVgFaWkzf5S8lzDF7nCqPJ3eecZXb6tJMa9K/5uemwTK+nuBgc
         WmU+Vu8aMogBk6qfz4o7UXiR73h6/JIkIMD6IEWLcsw5XT4ZbEoWaHgoF+LiOLMl++Hl
         kg1wSvMkIUG0cTyPt5gR4J0AjMC1PsqOQcQXOodBbqHwGOFPbg+29snSt4XlmREaEJxA
         HcJg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:in-reply-to:content-disposition
         :mime-version:references:message-id:subject:cc:to:from:date
         :dkim-signature;
        bh=0JwWTfgMUWwOG2VdFhmTHy70OqTVhWrEaTFFUPlZs44=;
        b=IAC7gUbydlWDHRKzQORr9cyfag4w+KSA3bPEzRKGJ7fAulQFUDfruZPQyPw8ZCFyPD
         o3nPEwfSEAJjAiIwfL7PA2DOVjfw1XHh7knNxHNqOE9Iao+sxTrgUZsRmPrjFOwEH6TQ
         m5HiofFqpqsQ9AqNyrEiixZZo0LzAH3Nb8K7KMVMCDq2KWR1AJA2AE1YQId8jvXYEfFc
         ZN2DnwUcPjjrsOjTOLK/2TDxbBmLHrLvQzCR/xh+m7I5Lw2yBBvcpHyIUsrJOvWjeODK
         AlqMoHzQBTExxRaxjA24MWF9uBZnpBZKcC42Mr9iDJ0IWmSHhI55hwxN7f0tYsuDUu86
         yKFQ==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@gmail.com header.s=20161025 header.b=n0hmcigv;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18])
        by mx.google.com with ESMTP id l21si1823111ejq.594.2020.08.12.13.25.20;
        Wed, 12 Aug 2020 13:25:43 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@gmail.com header.s=20161025 header.b=n0hmcigv;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1726568AbgHLUYa (ORCPT <rfc822;zcyberian@gmail.com> + 99 others);
        Wed, 12 Aug 2020 16:24:30 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:44652 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1726547AbgHLUY3 (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Wed, 12 Aug 2020 16:24:29 -0400
Received: from mail-qt1-x843.google.com (mail-qt1-x843.google.com [IPv6:2607:f8b0:4864:20::843])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id B9B70C061383;
        Wed, 12 Aug 2020 13:24:28 -0700 (PDT)
Received: by mail-qt1-x843.google.com with SMTP id d27so2585185qtg.4;
        Wed, 12 Aug 2020 13:24:28 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20161025;
        h=date:from:to:cc:subject:message-id:references:mime-version
         :content-disposition:in-reply-to;
        bh=0JwWTfgMUWwOG2VdFhmTHy70OqTVhWrEaTFFUPlZs44=;
        b=n0hmcigv9AKqbYE9d8oRnL6p+38s8wXErBjMvc7vQCCJBe0VpT63Gr69kEk1wj3ME0
         yOLvVHPCf2J/EXKXQf27oneydYsig124HqHtDulBSQ3+9KbNxXJnISSupJZUzu5ipGTz
         Jnamunb7x2te6cWrDnOuw4sYtQ/YHYliT7mbida19VNs+QhkdUpLc8lPl3/ovy4AEYZ+
         GPMqn5623Xp6d229Y9HVwiYkDjkHZqfJd2Egs8/WlWKnZ1qD22FTrBFTc3eVsEZUYgdp
         li4oC3tz6AFGDf5YVoeDmCzoJZbr4KtogcOQL7d7vncFD9WmwUYs8jgx/eGt5JHb8XEr
         +BNA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:date:from:to:cc:subject:message-id:references
         :mime-version:content-disposition:in-reply-to;
        bh=0JwWTfgMUWwOG2VdFhmTHy70OqTVhWrEaTFFUPlZs44=;
        b=FMKu4j4xEEgWgACQi671eXJdMhBA7EP/hKVN7d+porQ/Mukie0r0uj0m+PvK8ScdsV
         5uAMFcIomqICnqBKt3xMpuND+PCVUYP78/b5aCk2F26sBr4d8K/QT4CVXdIGIrScVMBC
         VKSg86UD31MmrLNjbO4gaSXaljueeTQEjh5vH+ne4NQt+sZnHLBMT+7kk6IbMVZsaVIu
         gNG2HFxIpm5a6jcU6qerjGIB3Igs0ffzSfMJk8yZb7iDlwtgmPIfayElQlkduQXZONTy
         Zooe2qMrtRK7bXm6NCzd87wM4uWlR1xhz3g7X98iqaIjQ+rjQ4bpAMLzq0wORD0FLjpN
         moPA==
X-Gm-Message-State: AOAM533JKG6L2gMQVCuqCx/Eli44YShEMeQfMBa4WCBIY5vBL1Kr2mxF
        wevNMYDjp5lWDK3k79smMMg=
X-Received: by 2002:ac8:7606:: with SMTP id t6mr1585661qtq.348.1597263867572;
        Wed, 12 Aug 2020 13:24:27 -0700 (PDT)
Received: from eaf ([190.19.79.86])
        by smtp.gmail.com with ESMTPSA id g136sm3324516qke.82.2020.08.12.13.24.22
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Wed, 12 Aug 2020 13:24:26 -0700 (PDT)
Date:   Wed, 12 Aug 2020 17:24:20 -0300
From:   Ernesto =?utf-8?Q?A=2E_Fern=C3=A1ndez?= 
        <ernesto.mnd.fernandez@gmail.com>
To:     Dan Carpenter <dan.carpenter@oracle.com>
Cc:     Peilin Ye <yepeilin.cs@gmail.com>,
        Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
        linux-fsdevel@vger.kernel.org,
        linux-kernel-mentees@lists.linuxfoundation.org,
        syzkaller-bugs@googlegroups.com, linux-kernel@vger.kernel.org
Subject: Re: [Linux-kernel-mentees] [PATCH] hfs, hfsplus: Fix NULL pointer
 dereference in hfs_find_init()
Message-ID: <20200812202420.GA5873@eaf>
References: <20200812065556.869508-1-yepeilin.cs@gmail.com>
 <20200812070827.GA1304640@kroah.com>
 <20200812071306.GA869606@PWN>
 <20200812085904.GA16441@kadam>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20200812085904.GA16441@kadam>
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

Hi,

On Wed, Aug 12, 2020 at 11:59:04AM +0300, Dan Carpenter wrote:
> Yeah, the patch doesn't work at all.  I looked at one call tree and it
> is:
> 
> hfs_mdb_get() tries to allocate HFS_SB(sb)->ext_tree.
> 
> 	HFS_SB(sb)->ext_tree = hfs_btree_open(sb, HFS_EXT_CNID, hfs_ext_keycmp);
>                     ^^^^^^^^
> 
> hfs_btree_open() calls page = read_mapping_page(mapping, 0, NULL);
> read_mapping_page() calls mapping->a_ops->readpage() which leads to
> hfs_readpage() which leads to hfs_ext_read_extent() which calls
> res = hfs_find_init(HFS_SB(inode->i_sb)->ext_tree, &fd);
>                                          ^^^^^^^^
> 
> So we need ->ext_tree to be non-NULL before we can set ->ext_tree to be
> non-NULL...  :/

For HFS+, the first 8 extents for a file are kept inside its own fork data
structure, not in the extent tree. So, in normal operation, you don't need
to search the extent tree to find the first page of the extent tree itself.
The HFS layout is different, but it should work the same way.

Of course this sort of thing can still be triggered by crafted filesystems.
If that's what the reproducer is about, I think just returning an error is
reasonable. But these modules will never be safe against attacks such as
this.

> I wonder how long this has been broken and if we should just delete the
> AFS file system.
> 
> regards,
> dan carpenter