In the Linux kernel, the following vulnerability has been resolved:

hfs: fix OOB Read in __hfs_brec_find

Syzbot reported an OOB read bug:

==================================================================
BUG: KASAN: slab-out-of-bounds in hfs_strcmp+0x117/0x190 fs/hfs/string.c:84
Read of size 1 at addr ffff88807eb62c4e by task kworker/u4:1/11
CPU: 1 PID: 11 Comm: kworker/u4:1 Not tainted 6.1.0-rc6-syzkaller-00308-g644e9524388a #0
Workqueue: writeback wb_workfn (flush-7:0)
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x1b1/0x28e lib/dump_stack.c:106
 print_address_description+0x74/0x340 mm/kasan/report.c:284
 print_report+0x107/0x1f0 mm/kasan/report.c:395
 kasan_report+0xcd/0x100 mm/kasan/report.c:495
 hfs_strcmp+0x117/0x190 fs/hfs/string.c:84
 __hfs_brec_find+0x213/0x5c0 fs/hfs/bfind.c:75
 hfs_brec_find+0x276/0x520 fs/hfs/bfind.c:138
 hfs_write_inode+0x34c/0xb40 fs/hfs/inode.c:462
 write_inode fs/fs-writeback.c:1440 [inline]

If the input inode of hfs_write_inode() is incorrect:
struct inode
  struct hfs_inode_info
    struct hfs_cat_key
      struct hfs_name
        u8 len # len is greater than HFS_NAMELEN(31) which is the maximum length of an HFS filename

OOB read occurred:
hfs_write_inode()
  hfs_brec_find()
    __hfs_brec_find()
      hfs_cat_keycmp()
        hfs_strcmp() # OOB read occurred due to len being too large

Fix this by adding a check on len in hfs_write_inode() before calling hfs_brec_find().
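
A user-space model of the length check described above, added here as an illustration; it is not the kernel's code or the patch itself. The `model_*` names, the struct layout, the plain `memcmp` comparison and the `-EIO` return value are assumptions of this sketch.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define HFS_NAMELEN 31 /* maximum HFS filename length, as stated above */

/* Simplified stand-in for a length-prefixed name (hypothetical layout). */
struct model_name {
    uint8_t len;               /* length byte taken from untrusted state */
    uint8_t name[HFS_NAMELEN]; /* fixed-size buffer */
};

/* Length-trusting compare (plain memcmp, an assumption of this model):
 * reads min(len1, len2) bytes, so it is safe only if both are <= HFS_NAMELEN. */
static int model_strcmp(const uint8_t *s1, unsigned len1,
                        const uint8_t *s2, unsigned len2)
{
    unsigned n = len1 < len2 ? len1 : len2;
    int r = memcmp(s1, s2, n);
    if (r)
        return r < 0 ? -1 : 1;
    return (len1 > len2) - (len1 < len2);
}

/* Guarded lookup step: validate both length bytes before any comparison. */
static int model_find(const struct model_name *key, const struct model_name *rec, int *cmp)
{
    if (key->len > HFS_NAMELEN || rec->len > HFS_NAMELEN)
        return -EIO; /* corrupt length: refuse instead of reading past the buffer */
    *cmp = model_strcmp(key->name, key->len, rec->name, rec->len);
    return 0;
}

/* Constructed sample input: a name with a caller-chosen length byte. */
static struct model_name make_name(const char *s, uint8_t len)
{
    struct model_name n = { .len = len };
    size_t copy = strlen(s) < HFS_NAMELEN ? strlen(s) : HFS_NAMELEN;
    memcpy(n.name, s, copy);
    return n;
}

int main(void)
{
    struct model_name ok = make_name("alpha", 5), bad = make_name("alpha", 200);
    int cmp = 0;
    printf("valid: %d, oversized: %d\n", model_find(&ok, &ok, &cmp), model_find(&bad, &ok, &cmp));
    return 0;
}
```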