From: Qing Wang
To: ebiggers@kernel.org
Cc: jaegeuk@kernel.org, linux-fscrypt@vger.kernel.org, linux-kernel@vger.kernel.org, syzbot+d130f98b2c265fae5297@syzkaller.appspotmail.com, tytso@mit.edu, wangqing7171@gmail.com
Subject: [PATCH v2] fscrypt: Fix uninit-value in ovl_fill_real
Date: Mon, 26 Jan 2026 14:22:16 +0800
Message-Id: <20260126062216.496560-1-wangqing7171@gmail.com>
In-Reply-To: <20260124182547.GA2762@quark>
References: <20260124182547.GA2762@quark>

Syzbot reported a KMSAN uninit-value issue in ovl_fill_real.

This issue's call chain is:

__do_sys_getdents64()
  -> iterate_dir()
  ...
  -> ext4_readdir()
  -> fscrypt_fname_alloc_buffer() // alloc
  -> fscrypt_fname_disk_to_usr // write without tail '\0'
  -> dir_emit()
  -> ovl_fill_real() // read by strcmp()

The string is used to store the decrypted directory entry name for an
encrypted inode. As shown in the call chain, fscrypt_fname_disk_to_usr()
writes it without a null terminator. However, ovl_fill_real() uses strcmp()
to compare the name against "..", which assumes a null-terminated string and
may trigger a KMSAN uninit-value warning when the buffer tail contains
uninit data.

Reported-by: syzbot+d130f98b2c265fae5297@syzkaller.appspotmail.com
Fixes: 4edb83bb1041 ("ovl: constant d_ino for non-merge dirs")
Closes: https://syzkaller.appspot.com/bug?extid=d130f98b2c265fae5297
Signed-off-by: Qing Wang

--- fs/overlayfs/readdir.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/fs/overlayfs/readdir.c b/fs/overlayfs/readdir.c index 160960bb0ad0..e852b38949b6 100644 --- a/fs/overlayfs/readdir.c +++ b/fs/overlayfs/readdir.c
@@ -755,7 +755,7 @@ static bool ovl_fill_real(struct dir_context *ctx, cons= t char *name, struct dir_context *orig_ctx =3D rdt->orig_ctx; bool res; =20 - if (rdt->parent_ino && strcmp(name, "..") =3D=3D 0) { + if (rdt->parent_ino && namelen =3D=3D 2 && strncmp(name, "..", namelen) = =3D=3D 0) { ino =3D rdt->parent_ino; } else if (rdt->cache) { struct ovl_cache_entry *p; --=20 2.34.1
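
Review bot: In the added condition in ovl_fill_real(), once namelen == 2 has been established the length passed to strncmp() is always 2, so passing namelen again obscures the bound; strncmp(name, "..", 2) == 0 would make it plain that only the two bytes covered by namelen are read. The ordering of the checks is what keeps the read in bounds, so the namelen == 2 test must stay ahead of the comparison. The subject prefix says fscrypt: while the only file changed is fs/overlayfs/readdir.c, so the prefix should name the subsystem actually being modified.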
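
The failure mode described in the commit message, as an added user-space illustration that is not part of the patch or of kernel code: a callback receives (name, namelen) pointing into a buffer with no NUL after the name, and a strcmp()-style test depends on whatever bytes follow. The packed buffer, is_dotdot_strcmp(), is_dotdot_bounded() and count_dotdot() are hypothetical names constructed for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Unsafe form: ignores namelen and assumes name is NUL-terminated. */
static bool is_dotdot_strcmp(const char *name, int namelen)
{
    (void)namelen;
    return strcmp(name, "..") == 0;
}

/* Bounded form: looks only at the namelen bytes the caller vouched for. */
static bool is_dotdot_bounded(const char *name, int namelen)
{
    return namelen == 2 && memcmp(name, "..", 2) == 0;
}

/*
 * Constructed sample: length-prefixed names packed back to back, so no
 * name is followed by a NUL of its own. The final 0 byte ends the list
 * and keeps the strcmp() variant inside the array, so this demo has
 * defined behaviour; in the reported bug the tail is uninitialized.
 */
static const unsigned char packed[] = {
    1, '.',
    2, '.', '.',        /* ".." followed by the next entry's bytes */
    3, '.', '.', 'a',
    2, '.', '.',        /* ".." that happens to be followed by 0 */
    0
};

typedef bool (*match_fn)(const char *name, int namelen);

/* Walk the packed entries and count how many the matcher treats as "..". */
static int count_dotdot(match_fn match)
{
    int hits = 0;
    size_t off = 0;

    while (packed[off] != 0) {
        int namelen = packed[off];
        const char *name = (const char *)&packed[off + 1];

        if (match(name, namelen))
            hits++;
        off += 1 + (size_t)namelen;
    }
    return hits;
}
```

The strcmp() variant recognises only the entry that happens to be followed by a zero byte, while the bounded variant recognises both ".." entries regardless of what follows them.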