From: Deepanshu Kartikey
To: mikulas@artax.karlin.mff.cuni.cz
Cc: linux-kernel@vger.kernel.org, Deepanshu Kartikey, syzbot+8debf4b3f7c7391cd8eb@syzkaller.appspotmail.com
Subject: [PATCH] hpfs: add array bounds validation in hpfs_bplus_lookup
Date: Sat, 17 Jan 2026 11:10:14 +0530
Message-ID: <20260117054014.1252933-1-kartikey406@gmail.com>
X-Mailer: git-send-email 2.43.0

When traversing a corrupted HPFS filesystem, the n_used_nodes field in the btree header can contain a value larger than what fits in the allocated buffer. This causes out-of-bounds array access when iterating through btree->u.internal[] or btree->u.external[] arrays, leading to a KASAN-detected use-after-free.

Validate that n_used_nodes does not exceed the maximum number of nodes that can fit in the buffer before accessing the arrays.

Reported-by: syzbot+8debf4b3f7c7391cd8eb@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=8debf4b3f7c7391cd8eb
Tested-by: syzbot+8debf4b3f7c7391cd8eb@syzkaller.appspotmail.com
Signed-off-by: Deepanshu Kartikey
---
 fs/hpfs/anode.c | 23 +++++++++++++++++++++++
 1 file changed, 23 insertions(+)

diff --git a/fs/hpfs/anode.c b/fs/hpfs/anode.c
index a4f5321eafae..6e1b43f5c9cf 100644
--- a/fs/hpfs/anode.c
+++ b/fs/hpfs/anode.c
@@ -21,6 +22,31 @@ secno hpfs_bplus_lookup(struct super_block *s, struct in= ode *inode, int c1, c2 =3D 0; go_down: if (hpfs_sb(s)->sb_chk) if (hpfs_stop_cycles(s, a, &c1, &c2, "hpfs_bplus_= lookup")) return -1; + + if (bp_internal(btree)) { + unsigned int max_internal_nodes; + + max_internal_nodes =3D (bh->b_size - ((char *)btree->u.internal - (char = *)bh->b_data)) + / sizeof(btree->u.internal[0]); + if (btree->n_used_nodes > max_internal_nodes) { + hpfs_error(s, "btree->n_used_nodes =3D %u, but max for internal node is= %u", + btree->n_used_nodes, max_internal_nodes); + brelse(bh); + return -1; + } + } else { + unsigned int max_external_nodes; + + max_external_nodes =3D (bh->b_size - ((char *)btree->u.external - (char = *)bh->b_data)) + / sizeof(btree->u.external[0]); + if (btree->n_used_nodes > max_external_nodes) { + hpfs_error(s, "btree->n_used_nodes =3D %u, but max for external node is= %u", + btree->n_used_nodes, max_external_nodes); + brelse(bh); + return -1; + } + } + if (bp_internal(btree)) { for (i =3D 0; i < btree->n_used_nodes; i++) if (le32_to_cpu(btree->u.internal[i].file_secno) > sec) { --=20 2.43.0
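Review bot: the two new branches are copies of each other that differ only in the union member, and they sit directly in front of an existing `if (bp_internal(btree))`, so the bound could be computed once from the element size (or in a small helper) and the error path written once, instead of repeating `max_*_nodes = (bh->b_size - ((char *)btree->u.X - (char *)bh->b_data)) / sizeof(btree->u.X[0])` plus `hpfs_error(...); brelse(bh); return -1;` twice. The diffstat also does not match the hunk: `1 file changed, 23 insertions(+)` but the hunk adds 25 lines, and the new-side start in `@@ -21,6 +22,31 @@` (old side 21, new side 22) implies an earlier one-line hunk that is not in this message, so please regenerate the patch so the hunks and the diffstat agree. One more sentence in the commit message would help: the new check runs unconditionally, unlike the `hpfs_stop_cycles` check just above it, which is gated on `hpfs_sb(s)->sb_chk`; that is the right choice for a memory-safety bound on a value read from disk, but saying so explicitly heads off the question of why it is not under sb_chk.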