[SRU][F][PATCH 1/2] Revert "UBUNTU: SAUCE: fs: hfs/hfsplus: add key_len boundary check to hfs_bnode_read_key"

Cengiz Can cengiz.can at canonical.com
Thu May 22 22:58:36 UTC 2025 

This reverts commit 790d07a205cfd153e9a722b7d4e3076c5ccfbbb7.

CVE-2025-37782

Signed-off-by: Cengiz Can <cengiz.can at canonical.com>
---
 fs/hfs/bnode.c          |  8 +-------
 fs/hfs/brec.c           | 21 ++++-----------------
 fs/hfs/btree.h          |  2 +-
 fs/hfsplus/bnode.c      |  8 +-------
 fs/hfsplus/brec.c       | 21 ++++-----------------
 fs/hfsplus/hfsplus_fs.h |  2 +-
 6 files changed, 12 insertions(+), 50 deletions(-)

diff --git a/fs/hfs/bnode.c b/fs/hfs/bnode.c
index 9294a1d4522f..397e02a56697 100644
--- a/fs/hfs/bnode.c
+++ b/fs/hfs/bnode.c
@@ -58,7 +58,7 @@ u8 hfs_bnode_read_u8(struct hfs_bnode *node, int off)
 	return data;
 }
 
-int hfs_bnode_read_key(struct hfs_bnode *node, void *key, int off)
+void hfs_bnode_read_key(struct hfs_bnode *node, void *key, int off)
 {
 	struct hfs_btree *tree;
 	int key_len;
@@ -70,13 +70,7 @@ int hfs_bnode_read_key(struct hfs_bnode *node, void *key, int off)
 	else
 		key_len = tree->max_key_len + 1;
 
-	if (key_len > tree->max_key_len + 1) {
-		pr_err("key_len %d too large\n", key_len);
-		return -EINVAL;
-	}
-
 	hfs_bnode_read(node, key, off, key_len);
-	return 0;
 }
 
 void hfs_bnode_write(struct hfs_bnode *node, void *buf, int off, int len)
diff --git a/fs/hfs/brec.c b/fs/hfs/brec.c
index b3eed02f8679..896396554bcc 100644
--- a/fs/hfs/brec.c
+++ b/fs/hfs/brec.c
@@ -70,7 +70,6 @@ int hfs_brec_insert(struct hfs_find_data *fd, void *entry, int entry_len)
 	int data_off, end_off;
 	int idx_rec_off, data_rec_off, end_rec_off;
 	__be32 cnid;
-	int res;
 
 	tree = fd->tree;
 	if (!fd->bnode) {
@@ -139,10 +138,7 @@ int hfs_brec_insert(struct hfs_find_data *fd, void *entry, int entry_len)
 	 * at the start of the node and it is not the new node
 	 */
 	if (!rec && new_node != node) {
-		res = hfs_bnode_read_key(node, fd->search_key, data_off + size);
-		if (res < 0)
-			return res;
-
+		hfs_bnode_read_key(node, fd->search_key, data_off + size);
 		hfs_brec_update_parent(fd);
 	}
 
@@ -160,10 +156,7 @@ int hfs_brec_insert(struct hfs_find_data *fd, void *entry, int entry_len)
 		entry_len = sizeof(cnid);
 
 		/* get index key */
-		res = hfs_bnode_read_key(new_node, fd->search_key, 14);
-		if (res < 0)
-			return res;
-
+		hfs_bnode_read_key(new_node, fd->search_key, 14);
 		__hfs_brec_find(fd->bnode, fd);
 
 		hfs_bnode_put(new_node);
@@ -363,7 +356,6 @@ static int hfs_brec_update_parent(struct hfs_find_data *fd)
 	int newkeylen, diff;
 	int rec, rec_off, end_rec_off;
 	int start_off, end_off;
-	int res;
 
 	tree = fd->tree;
 	node = fd->bnode;
@@ -439,10 +431,7 @@ static int hfs_brec_update_parent(struct hfs_find_data *fd)
 		}
 		fd->bnode = hfs_bnode_find(tree, new_node->parent);
 		/* create index key and entry */
-		res = hfs_bnode_read_key(new_node, fd->search_key, 14);
-		if (res < 0)
-			return res;
-
+		hfs_bnode_read_key(new_node, fd->search_key, 14);
 		cnid = cpu_to_be32(new_node->this);
 
 		__hfs_brec_find(fd->bnode, fd);
@@ -454,9 +443,7 @@ static int hfs_brec_update_parent(struct hfs_find_data *fd)
 			if (new_node == node)
 				goto out;
 			/* restore search_key */
-			res = hfs_bnode_read_key(node, fd->search_key, 14);
-			if (res < 0)
-				return res;
+			hfs_bnode_read_key(node, fd->search_key, 14);
 		}
 		new_node = NULL;
 	}
diff --git a/fs/hfs/btree.h b/fs/hfs/btree.h
index 1720232abe8a..25ac9a8bb57a 100644
--- a/fs/hfs/btree.h
+++ b/fs/hfs/btree.h
@@ -97,7 +97,7 @@ extern void hfs_bmap_free(struct hfs_bnode *node);
 extern void hfs_bnode_read(struct hfs_bnode *, void *, int, int);
 extern u16 hfs_bnode_read_u16(struct hfs_bnode *, int);
 extern u8 hfs_bnode_read_u8(struct hfs_bnode *, int);
-extern int hfs_bnode_read_key(struct hfs_bnode *, void *, int);
+extern void hfs_bnode_read_key(struct hfs_bnode *, void *, int);
 extern void hfs_bnode_write(struct hfs_bnode *, void *, int, int);
 extern void hfs_bnode_write_u16(struct hfs_bnode *, int, u16);
 extern void hfs_bnode_write_u8(struct hfs_bnode *, int, u8);
diff --git a/fs/hfsplus/bnode.c b/fs/hfsplus/bnode.c
index 3e4fc58f0df3..177fae4e6581 100644
--- a/fs/hfsplus/bnode.c
+++ b/fs/hfsplus/bnode.c
@@ -56,7 +56,7 @@ u8 hfs_bnode_read_u8(struct hfs_bnode *node, int off)
 	return data;
 }
 
-int hfs_bnode_read_key(struct hfs_bnode *node, void *key, int off)
+void hfs_bnode_read_key(struct hfs_bnode *node, void *key, int off)
 {
 	struct hfs_btree *tree;
 	int key_len;
@@ -69,13 +69,7 @@ int hfs_bnode_read_key(struct hfs_bnode *node, void *key, int off)
 	else
 		key_len = tree->max_key_len + 2;
 
-	if (key_len > tree->max_key_len + 2) {
-		pr_err("key_len %d too large\n", key_len);
-		return -EINVAL;
-	}
-
 	hfs_bnode_read(node, key, off, key_len);
-	return 0;
 }
 
 void hfs_bnode_write(struct hfs_bnode *node, void *buf, int off, int len)
diff --git a/fs/hfsplus/brec.c b/fs/hfsplus/brec.c
index 4db1fd0cf5e9..1918544a7871 100644
--- a/fs/hfsplus/brec.c
+++ b/fs/hfsplus/brec.c
@@ -68,7 +68,6 @@ int hfs_brec_insert(struct hfs_find_data *fd, void *entry, int entry_len)
 	int data_off, end_off;
 	int idx_rec_off, data_rec_off, end_rec_off;
 	__be32 cnid;
-	int res;
 
 	tree = fd->tree;
 	if (!fd->bnode) {
@@ -139,10 +138,7 @@ int hfs_brec_insert(struct hfs_find_data *fd, void *entry, int entry_len)
 	 * at the start of the node and it is not the new node
 	 */
 	if (!rec && new_node != node) {
-		res = hfs_bnode_read_key(node, fd->search_key, data_off + size);
-		if (res < 0)
-			return res;
-
+		hfs_bnode_read_key(node, fd->search_key, data_off + size);
 		hfs_brec_update_parent(fd);
 	}
 
@@ -160,10 +156,7 @@ int hfs_brec_insert(struct hfs_find_data *fd, void *entry, int entry_len)
 		entry_len = sizeof(cnid);
 
 		/* get index key */
-		res = hfs_bnode_read_key(new_node, fd->search_key, 14);
-		if (res < 0)
-			return res;
-
+		hfs_bnode_read_key(new_node, fd->search_key, 14);
 		__hfs_brec_find(fd->bnode, fd, hfs_find_rec_by_key);
 
 		hfs_bnode_put(new_node);
@@ -367,7 +360,6 @@ static int hfs_brec_update_parent(struct hfs_find_data *fd)
 	int newkeylen, diff;
 	int rec, rec_off, end_rec_off;
 	int start_off, end_off;
-	int res;
 
 	tree = fd->tree;
 	node = fd->bnode;
@@ -443,10 +435,7 @@ static int hfs_brec_update_parent(struct hfs_find_data *fd)
 		}
 		fd->bnode = hfs_bnode_find(tree, new_node->parent);
 		/* create index key and entry */
-		res = hfs_bnode_read_key(new_node, fd->search_key, 14);
-		if (res < 0)
-			return res;
-
+		hfs_bnode_read_key(new_node, fd->search_key, 14);
 		cnid = cpu_to_be32(new_node->this);
 
 		__hfs_brec_find(fd->bnode, fd, hfs_find_rec_by_key);
@@ -458,9 +447,7 @@ static int hfs_brec_update_parent(struct hfs_find_data *fd)
 			if (new_node == node)
 				goto out;
 			/* restore search_key */
-			res = hfs_bnode_read_key(node, fd->search_key, 14);
-			if (res < 0)
-				return res;
+			hfs_bnode_read_key(node, fd->search_key, 14);
 		}
 		new_node = NULL;
 	}
diff --git a/fs/hfsplus/hfsplus_fs.h b/fs/hfsplus/hfsplus_fs.h
index ed8289a514d6..86cfc147bf3d 100644
--- a/fs/hfsplus/hfsplus_fs.h
+++ b/fs/hfsplus/hfsplus_fs.h
@@ -407,7 +407,7 @@ void hfs_bmap_free(struct hfs_bnode *node);
 void hfs_bnode_read(struct hfs_bnode *node, void *buf, int off, int len);
 u16 hfs_bnode_read_u16(struct hfs_bnode *node, int off);
 u8 hfs_bnode_read_u8(struct hfs_bnode *node, int off);
-int hfs_bnode_read_key(struct hfs_bnode *node, void *key, int off);
+void hfs_bnode_read_key(struct hfs_bnode *node, void *key, int off);
 void hfs_bnode_write(struct hfs_bnode *node, void *buf, int off, int len);
 void hfs_bnode_write_u16(struct hfs_bnode *node, int off, u16 data);
 void hfs_bnode_clear(struct hfs_bnode *node, int off, int len);
-- 
2.43.0

More information about the kernel-team mailing list