CVE-2021-46989: hfsplus: prevent corruption in shrinking truncate
In the Linux kernel, the following vulnerability has been resolved:
hfsplus: prevent corruption in shrinking truncate
I believe there are some issues introduced by commit 31651c607151
("hfsplus: avoid deadlock on file truncation")
HFS+ has extent records which always contains 8 extents. In case the
first extent record in catalog file gets full, new ones are allocated from
extents overflow file.
In case shrinking truncate happens to middle of an extent record which
locates in extents overflow file, the logic in hfsplus_file_truncate() was
changed so that call to hfs_brec_remove() is not guarded any more.
Right action would be just freeing the extents that exceed the new size
inside extent record by calling hfsplus_free_extents(), and then check if
the whole extent record should be removed. However since the guard
(blk_cnt > start) is now after the call to hfs_brec_remove(), this has
unfortunate effect that the last matching extent record is removed
unconditionally.
To reproduce this issue, create a file which has at least 10 extents, and
then perform shrinking truncate into middle of the last extent record, so
that the number of remaining extents is not under or divisible by 8. This
causes the last extent record (8 extents) to be removed totally instead of
truncating into middle of it. Thus this causes corruption, and lost data.
Fix for this is simply checking if the new truncated end is below the
start of this extent record, making it safe to remove the full extent
record. However call to hfs_brec_remove() can't be moved to it's previous
place since we're dropping ->tree_lock and it can cause a race condition
and the cached info being invalidated possibly corrupting the node data.
Another issue is related to this one. When entering into the block
(blk_cnt > start) we are not holding the ->tree_lock. We break out from
the loop not holding the lock, but hfs_find_exit() does unlock it. Not
sure if it's possible for someone else to take the lock under our feet,
but it can cause hard to debug errors and premature unlocking. Even if
there's no real risk of it, the locking should still always be kept in
balance. Thus taking the lock now just before the check.
Security readout for executives and security teams
Plain-English summary
CVE-2021-46989 is a Linux kernel HFS+ filesystem bug that can corrupt data during file shrinking. It requires local access and relates to HFS+ extent handling, not remote network exposure. Business impact is mainly data loss or service disruption on systems using HFS+ volumes.
Executive priority
Treat as a targeted operational risk, not an internet-wide emergency. Patch through normal kernel maintenance, faster where HFS+ volumes are writable or operationally important. The main risk is data loss or disruption, not credential theft or remote compromise.
Technical view
The hfsplus truncate path could remove the last matching extent overflow record unconditionally when shrinking into the middle of that record. The issue was introduced after a deadlock fix and can cause filesystem corruption or lost data. The CVSS vector is local, low complexity, low privilege, no user interaction, with high availability impact.
Likely exposure
Exposure is most likely on Linux systems that mount or process HFS+ filesystems and run affected kernel builds in the listed stable ranges. General Linux servers with no HFS+ usage have lower practical exposure, but kernel package status still needs checking.
Exploitation context
The source bundle does not show CISA KEV listing or active exploitation evidence. The described trigger requires local capability to create and truncate files on an HFS+ filesystem with specific extent conditions. No remote exploitation path is supported by the provided sources.
Researcher notes
The core issue is incorrect extent overflow record removal during shrinking truncate plus lock-balance concerns in hfsplus_file_truncate(). Evidence supports local filesystem-triggered corruption. The bundle does not provide exploit-in-the-wild evidence, CWE mapping, or distro-specific fixed package versions.
Mitigation direction
Update Linux kernels to versions carrying the cited stable hfsplus fix commits.
Check Linux distribution advisories for the exact fixed package version in use.
Prioritize systems that mount writable HFS+ volumes or process removable HFS+ media.
Where patching is delayed, reduce writable HFS+ exposure pending vendor guidance.
Maintain backups for systems relying on HFS+ volumes.
Validation and detection
Inventory Linux hosts and kernel versions against affected ranges and vendor advisories.
Identify systems with HFS+ support enabled or HFS+ volumes mounted.
Confirm installed kernel includes one of the referenced stable fixes or vendor backport.
Review logs and storage health for unexplained HFS+ corruption or data loss.
Verify backup coverage before handling important HFS+ volumes.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cve · low confidence lookup
CVE-2021-46989 mapping review
Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.