CVE-2021-46989: Vulnerability in Linux Linux
In the Linux kernel, the following vulnerability has been resolved:

hfsplus: prevent corruption in shrinking truncate

I believe there are some issues introduced by commit 31651c607151 ("hfsplus: avoid deadlock on file truncation")

HFS+ has extent records which always contain 8 extents. In case the first extent record in catalog file gets full, new ones are allocated from extents overflow file.

In case shrinking truncate happens to middle of an extent record which locates in extents overflow file, the logic in hfsplus_file_truncate() was changed so that call to hfs_brec_remove() is not guarded any more.

Right action would be just freeing the extents that exceed the new size inside extent record by calling hfsplus_free_extents(), and then check if the whole extent record should be removed. However since the guard (blk_cnt > start) is now after the call to hfs_brec_remove(), this has unfortunate effect that the last matching extent record is removed unconditionally.

To reproduce this issue, create a file which has at least 10 extents, and then perform shrinking truncate into middle of the last extent record, so that the number of remaining extents is not under or divisible by 8. This causes the last extent record (8 extents) to be removed totally instead of truncating into middle of it. Thus this causes corruption, and lost data.

Fix for this is simply checking if the new truncated end is below the start of this extent record, making it safe to remove the full extent record. However call to hfs_brec_remove() can't be moved to its previous place since we're dropping ->tree_lock and it can cause a race condition and the cached info being invalidated possibly corrupting the node data.

Another issue is related to this one. When entering into the block (blk_cnt > start) we are not holding the ->tree_lock. We break out from the loop not holding the lock, but hfs_find_exit() does unlock it. Not sure if it's possible for someone else to take the lock under our feet, but it can cause hard to debug errors and premature unlocking. Even if there's no real risk of it, the locking should still always be kept in balance. Thus taking the lock now just before the check.
AI Analysis
Technical Summary
CVE-2021-46989 is a medium-severity vulnerability affecting the Linux kernel's HFS+ filesystem implementation. The vulnerability arises from a logic error introduced by commit 31651c607151, which aimed to avoid deadlocks during file truncation operations on HFS+ filesystems.

HFS+ uses extent records, each containing 8 extents, to track file data allocation. When a file is truncated (shrunk) in the middle of an extent record located in the extents overflow file, the flawed logic in the hfsplus_file_truncate() function causes the last extent record to be removed entirely rather than partially truncated. This occurs because the call to hfs_brec_remove() is no longer properly guarded by a conditional check (blk_cnt > start), leading to unconditional removal of the extent record. The consequence is filesystem corruption and data loss, as extents that should remain are erroneously discarded.

Additionally, there is a locking issue where the tree_lock is dropped before certain checks, potentially causing race conditions or premature unlocking, which could lead to further data integrity problems.

The vulnerability can be reproduced by creating a file with at least 10 extents and performing a shrinking truncate into the middle of the last extent record, where the number of remaining extents is not divisible by 8. The fix involves reintroducing the conditional check before removing extent records and carefully managing the tree_lock to avoid race conditions.

This vulnerability does not affect confidentiality or integrity directly but impacts availability by causing data loss and filesystem corruption. Exploitation requires local privileges (PR:L) and no user interaction, with low attack complexity (AC:L) and local attack vector (AV:L).
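The record-removal logic described above can be checked with a small user-space model. This is an added example, not the kernel source or the upstream patch: the function `surviving()`, the constants and the one-block-per-extent layout are assumptions made for illustration, and `hfs_brec_remove()` and `hfsplus_free_extents()` appear only as comments marking which step each line stands for.

```c
#include <stdbool.h>
#include <stdio.h>

#define PER_REC 8    /* an HFS+ extent record always holds 8 extents */
#define MAX_REC 16   /* model limit: files of up to 128 blocks */

/* Constructed model, not kernel code: every extent is one block long.
 * Record 0 stands for the catalog-file record and is never removed;
 * records 1.. live in the extents overflow file.
 * Shrinks a file of `from` blocks to `blk_cnt` blocks and returns how many
 * blocks are still reachable through records left in the tree.
 * guarded=false models the regression, guarded=true the fixed check. */
static unsigned surviving(unsigned from, unsigned blk_cnt, bool guarded)
{
    unsigned used[MAX_REC], alloc_cnt = from, mapped = 0;
    bool present[MAX_REC];

    if (from > PER_REC * MAX_REC)
        return 0;                                   /* outside the model */
    for (unsigned r = 0; r < MAX_REC; r++) {        /* lay out the file */
        unsigned start = r * PER_REC;
        unsigned n = from > start ? from - start : 0;
        used[r] = n > PER_REC ? PER_REC : n;
        present[r] = used[r] > 0;
    }
    while (alloc_cnt > blk_cnt) {                   /* walk from the end */
        unsigned r = (alloc_cnt - 1) / PER_REC, start = r * PER_REC;
        if (r > 0 && (!guarded || blk_cnt <= start))
            present[r] = false;     /* stands in for hfs_brec_remove() */
        /* stands in for hfsplus_free_extents(): drop extents past the end */
        used[r] = blk_cnt > start ? blk_cnt - start : 0;
        if (blk_cnt > start)
            break;                  /* new end lies inside this record */
        alloc_cnt = start;
    }
    for (unsigned r = 0; r < MAX_REC; r++)
        mapped += present[r] ? used[r] : 0;
    return mapped;
}

int main(void)
{
    /* 10 extents, shrink to 9: the new end is inside overflow record 1. */
    printf("regressed: %u blocks, fixed: %u blocks\n",
           surviving(10, 9, false), surviving(10, 9, true));
    /* Boundary and "under 8" cases behave the same in both versions. */
    printf("to 16: %u/%u, to 5: %u/%u\n", surviving(20, 16, false),
           surviving(20, 16, true), surviving(20, 5, false), surviving(20, 5, true));
    return 0;
}
```

In the model, only a new size that lands strictly inside an overflow record loses data in the regressed variant, which matches the reproduction condition in the description.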
Potential Impact
For European organizations, this vulnerability poses a risk primarily to systems using the HFS+ filesystem on Linux, which is less common but may exist in environments that interact with macOS-formatted drives or legacy storage devices. The impact is significant in scenarios where critical data resides on HFS+ volumes, as truncation operations could lead to unexpected data loss and filesystem corruption, potentially disrupting business operations and causing downtime. Since exploitation requires local privileges, the threat is more relevant in multi-user systems or environments where attackers can gain limited access. The data loss could affect backup integrity, forensic investigations, or any workflows relying on HFS+ volumes. Organizations with mixed OS environments or those using Linux systems to mount HFS+ drives for data exchange should be particularly vigilant. The medium severity rating reflects the limited attack vector and requirement for local access but acknowledges the high impact on availability and data integrity.
Mitigation Recommendations
1. Apply the official Linux kernel patches that address CVE-2021-46989 as soon as they become available to ensure the truncation logic and locking mechanisms are corrected.
2. Avoid performing file truncation operations on HFS+ volumes from Linux systems until patched, especially shrinking truncates in the middle of extent records.
3. Implement strict access controls and monitoring on systems that mount HFS+ filesystems to prevent unauthorized local access that could trigger this vulnerability.
4. Regularly back up data stored on HFS+ volumes to mitigate potential data loss from corruption.
5. For environments requiring HFS+ support, consider isolating these volumes or using dedicated systems with limited user access to reduce risk.
6. Monitor kernel updates and security advisories related to filesystem vulnerabilities and test patches in staging environments before deployment.
7. Educate system administrators about the risks of manipulating HFS+ filesystems on Linux and encourage cautious operational procedures.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2024-02-27T18:42:55.948Z
- Cisa Enriched: true
- Cvss Version: 3.1
- State: PUBLISHED
Threat ID: 682d9834c4522896dcbe99d4
Added to database: 5/21/2025, 9:09:08 AM
Last enriched: 6/30/2025, 6:44:24 PM
Last updated: 8/12/2025, 12:45:20 PM