Re: [Bug Report] OOB-read BUG in HFS+ filesystem

[Christian Brauner]

On Mon, Apr 14, 2025 at 06:23:28PM +0200, David Sterba wrote:
> On Mon, Apr 14, 2025 at 03:21:56PM +0100, Matthew Wilcox wrote:
> > On Mon, Apr 14, 2025 at 04:18:27PM +0200, Christian Brauner wrote:
> > > On Mon, Apr 14, 2025 at 09:45:25PM +0800, now4yreal wrote:
> > > > Dear Linux Security Maintainers,
> > > > I would like to report a OOB-read vulnerability in the HFS+ file
> > > > system, which I discovered using our in-house developed kernel fuzzer,
> > > > Symsyz.
> > > 
> > > Bug reports from non-official syzbot instances are generally not
> > > accepted.
> > > 
> > > hfs and hfsplus are orphaned filesystems since at least 2014. Bug
> > > reports for such filesystems won't receive much attention from the core
> > > maintainers.
> > > 
> > > I'm very very close to putting them on the chopping block as they're
> > > slowly turning into pointless burdens.
> > 
> > I've tried asking some people who are long term Apple & Linux people,
> > but haven't been able to find anyone interested in becoming maintainer.
> > Let's drop both hfs & hfsplus.  Ten years of being unmaintained is
> > long enough.
> 
> Agreed. If needed there are FUSE implementations to access .dmg files
> with HFS/HFS+ or other standalone tools.
> 
> https://github.com/0x09/hfsfuse
> https://github.com/darlinghq/darling-dmg

Ok, I'm open to trying. I'm adding a deprecation message when initating
a new hfs{plus} context logged to dmesg and then we can try and remove
it by the end of the year.