Debian Bug report logs - #550010
hfsplus corrupts filesystems >2TB

version graph

Package: linux-image-2.6.26-1-amd64; Maintainer for linux-image-2.6.26-1-amd64 is (unknown);

Reported by: Marc Tamsky <[email protected]>

Date: Tue, 6 Oct 2009 23:36:02 UTC

Severity: critical

Found in version linux-2.6/2.6.26-13

Fixed in versions linux-2.6/2.6.31-1~experimental.2, linux-2.6/2.6.26-20

Done: dann frazier <[email protected]>

Bug is archived. No further changes may be made.

Full log

Message #64 received at [email protected] (full text, mbox, reply):

Received: (at 550010) by bugs.debian.org; 11 Oct 2009 07:52:03 +0000
From [email protected] Sun Oct 11 07:52:03 2009
X-Spam-Checker-Version: SpamAssassin 3.2.3-bugs.debian.org_2005_01_02
	(2007-08-08) on rietz.debian.org
X-Spam-Level: 
X-Spam-Bayes: score:0.0000 Tokens: new, 54; hammy, 138; neutral, 47; spammy,
	4. spammytokens:1.000-2--upset, 0.987-1--H*r:8.13.5, 0.987-1--997,
	0.926-+--cases hammytokens:0.000-+--H*UA:sk:x86_64-, 0.000-+--H*UA:GTK,
	0.000-+--H*x:GTK, 0.000-+--H*x:sk:x86_64-, 0.000-+--struct
X-Spam-Status: No, score=-3.6 required=4.0 tests=AWL,BAYES_00,
	MURPHY_DRUGS_REL8,SPF_PASS autolearn=ham
	version=3.2.3-bugs.debian.org_2005_01_02
Return-path: <[email protected]>
Received: from smtp1.linux-foundation.org ([140.211.169.13])
	by rietz.debian.org with esmtp (Exim 4.63)
	(envelope-from <[email protected]>)
	id 1MwtDn-0007l9-6W
	for [email protected]; Sun, 11 Oct 2009 07:52:03 +0000
Received: from imap1.linux-foundation.org (imap1.linux-foundation.org [140.211.169.55])
	by smtp1.linux-foundation.org (8.14.2/8.13.5/Debian-3ubuntu1.1) with ESMTP id n9B7ptr3012215
	(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO);
	Sun, 11 Oct 2009 00:51:56 -0700
Received: from y.localdomain (localhost [127.0.0.1])
	by imap1.linux-foundation.org (8.13.5.20060308/8.13.5/Debian-3ubuntu1.1) with SMTP id n9B7prV4018951;
	Sun, 11 Oct 2009 00:51:54 -0700
Date: Sun, 11 Oct 2009 00:51:53 -0700
From: Andrew Morton <[email protected]>
To: Ben Hutchings <[email protected]>
Cc: [email protected], Eric Sesterhenn <[email protected]>,
        Roman
 Zippel <[email protected]>, [email protected]
Subject: Re: [PATCH] hfsplus: Refuse to mount volumes larger than 2TB
Message-Id: <[email protected]>
In-Reply-To: <1255227087.25061.76.camel@localhost>
References: <1254883878.4246.191.camel@localhost>
	<1255227087.25061.76.camel@localhost>
X-Mailer: Sylpheed 2.4.8 (GTK+ 2.12.5; x86_64-redhat-linux-gnu)
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
X-MIMEDefang-Filter: lf$Revision: 1.188 $
X-Scanned-By: MIMEDefang 2.63 on 140.211.169.13

On Sun, 11 Oct 2009 03:11:27 +0100 Ben Hutchings <[email protected]> wrote:

> As found in <http://bugs.debian.org/550010>, hfsplus is using type u32
> rather than sector_t for some sector number calculations.
> 
> In particular, hfsplus_get_block() does:
> 
>         u32 ablock, dblock, mask;
> ...
>         map_bh(bh_result, sb, (dblock << HFSPLUS_SB(sb).fs_shift) + HFSPLUS_SB(sb).blockoffset + (iblock & mask));
> 
> I am not confident that I can find and fix all cases where a sector
> number may be truncated.  For now, avoid data loss by refusing to mount
> HFS+ volumes with more than 2^32 sectors (2TB).
> 
> Signed-off-by: Ben Hutchings <[email protected]>
> Cc: [email protected]
> ---
> --- a/fs/hfsplus/wrapper.c
> +++ b/fs/hfsplus/wrapper.c
> @@ -99,6 +99,10 @@
>  
>  	if (hfsplus_get_last_session(sb, &part_start, &part_size))
>  		return -EINVAL;
> +	if (part_start + part_size > 0x100000000) {
> +		pr_err("hfs: volumes larger than 2TB are not supported yet\n");
> +		return -EINVAL;
> +	}

part_start and part_size are sector_t.  This code will do weird overflow
things when sector_t is 32-bit.  Also 32-bit compilers will get upset at the
excessively large hex constant.

This should fix both issues:

--- a/fs/hfsplus/wrapper.c~hfsplus-refuse-to-mount-volumes-larger-than-2tb-fix
+++ a/fs/hfsplus/wrapper.c
@@ -99,7 +99,7 @@ int hfsplus_read_wrapper(struct super_bl
 
 	if (hfsplus_get_last_session(sb, &part_start, &part_size))
 		return -EINVAL;
-	if (part_start + part_size > 0x100000000) {
+	if ((u64)part_start + part_size > 0x100000000ULL) {
 		pr_err("hfs: volumes larger than 2TB are not supported yet\n");
 		return -EINVAL;
 	}
_

Send a report that this bug log contains spam.

Debian bug tracking system administrator <[email protected]>. Last modified: Sat May 10 02:39:23 2025; Machine Name: buxtehude

Debian Bug tracking system

Debbugs is free software and licensed under the terms of the GNU General Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.