From: Deepanshu Kartikey
To: slava@dubeyko.com, glaubitz@physik.fu-berlin.de, frank.li@vivo.com
Cc: linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org, Deepanshu Kartikey, syzbot+d80abb5b890d39261e72@syzkaller.appspotmail.com
Subject: [PATCH] hfsplus: fix uninit-value in hfsplus_strcasecmp
Date: Tue, 20 Jan 2026 10:41:14 +0530
Message-ID: <20260120051114.1281285-1-kartikey406@gmail.com>

Syzbot reported a KMSAN uninit-value issue in hfsplus_strcasecmp() during
filesystem mount operations.

The root cause is that hfsplus_find_cat() declares a local hfsplus_cat_entry
variable without initialization before passing it to hfs_brec_read(). If
hfs_brec_read() doesn't completely fill the entire structure (e.g., when the
on-disk data is shorter than sizeof(hfsplus_cat_entry)), the padding bytes in
tmp.thread.nodeName remain uninitialized. These uninitialized bytes are then
copied by hfsplus_cat_build_key_uni() into the search key, and subsequently
accessed by hfsplus_strcasecmp() during catalog lookups, triggering the KMSAN
warning.

Fix this by zeroing the tmp variable before use to ensure all padding bytes
are initialized.

Reported-by: syzbot+d80abb5b890d39261e72@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=d80abb5b890d39261e72
Tested-by: syzbot+d80abb5b890d39261e72@syzkaller.appspotmail.com
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Deepanshu Kartikey --- fs/hfsplus/catalog.c | 1 + 1 file changed, 1 insertion(+) diff --git a/fs/hfsplus/catalog.c b/fs/hfsplus/catalog.c index 02c1eee4a4b8..9c75d1736427 100644 --- a/fs/hfsplus/catalog.c +++ b/fs/hfsplus/catalog.c @@ -199,6 +199,7 @@ int hfsplus_find_cat(struct super_block *sb, u32 cnid, u16 type; =20 hfsplus_cat_build_key_with_cnid(sb, fd->search_key, cnid); + memset(&tmp, 0, sizeof(tmp)); err =3D hfs_brec_read(fd, &tmp, sizeof(hfsplus_cat_entry)); if (err) return err; --=20 2.43.0
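Review bot: the memset() added before hfs_brec_read() in hfsplus_find_cat() stops the uninitialized read, but a short on-disk record is still accepted: the only check after the read is `if (err) return err;`, so the case the commit message describes (data shorter than sizeof(hfsplus_cat_entry)) now continues with a zero-filled nodeName instead of being rejected. Consider also validating the length actually read for the record type before the key is built from tmp, and returning an error for a truncated record, so that a malformed catalog entry fails the lookup rather than producing a search key derived from zeros. Minor style point: the new line uses sizeof(tmp) while the read on the next line uses sizeof(hfsplus_cat_entry); using the same expression in both makes it obvious that they cover the same object.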