Users may interact with the filesystem using the standard ioctl interface. HFS+ features an ioctl called F_READBOOTSTRAP that allows unprivileged users to read raw data from an HFS+ filesystem. The ioctl is intended to restrict such reads to the first 1024 bytes of the volume, where the bootstrap information is stored. However, due to an integer overflow in the code that attempts to enforce this restriction, an unprivileged user can use this ioctl to read large portions of filesystem data outside of this byte range, leading to an information disclosure vulnerability.
The vulnerable check reads as follows, in bsd/hfs/hfs_readwrite.c:
if (user_bootstrapp->fbt_offset + user_bootstrapp->fbt_length > 1024)
If a user provides values for the fbt_offset and fbt_length members such that their sum overflows and wraps around to an integer less than 1024, portions of filesystem data outside the intended range will be read and returned to the user.
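The following is an added example, not code from the XNU source, that models the quoted check with a stand-in for the ioctl argument (the field types here are an assumption approximating the kernel's off_t offset and size_t length) and places it beside an overflow-safe version of the same bound:

```c
#include <stdbool.h>
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define BOOTSTRAP_LIMIT 1024  /* bytes the ioctl is meant to expose */

/* Mirrors the quoted check: offset and length are simply added and the
 * sum compared against the limit. The addition is done in unsigned
 * 64-bit arithmetic (as an off_t + size_t sum would be on a 64-bit
 * kernel), so a carefully chosen pair can wrap to a small value. */
static bool vulnerable_check_allows(int64_t fbt_offset, size_t fbt_length)
{
    uint64_t sum = (uint64_t)fbt_offset + (uint64_t)fbt_length;
    return !(sum > BOOTSTRAP_LIMIT);
}

/* Hardened form: validate each field on its own and compare the length
 * against the remaining room instead of adding, so nothing can wrap. */
static bool hardened_check_allows(int64_t fbt_offset, size_t fbt_length)
{
    if (fbt_offset < 0 || fbt_offset > BOOTSTRAP_LIMIT)
        return false;
    if (fbt_length > (size_t)(BOOTSTRAP_LIMIT - fbt_offset))
        return false;
    return true;
}

int main(void)
{
    /* Constructed inputs: the second pair wraps to 256 under the
     * vulnerable check even though the request is far outside range. */
    struct { int64_t off; size_t len; } reqs[] = {
        { 0, 512 }, { -256, 512 }, { 1000, SIZE_MAX - 900 },
    };
    for (size_t i = 0; i < sizeof reqs / sizeof reqs[0]; i++)
        printf("offset=%lld length=%zu vulnerable=%d hardened=%d\n",
               (long long)reqs[i].off, reqs[i].len,
               vulnerable_check_allows(reqs[i].off, reqs[i].len),
               hardened_check_allows(reqs[i].off, reqs[i].len));
    return 0;
}
```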