From nobody Thu Apr 2 17:44:34 2026 Received: from mail-pl1-f182.google.com (mail-pl1-f182.google.com [209.85.214.182]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id AA21F19F12A for ; Thu, 12 Feb 2026 01:12:36 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.214.182 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1770858757; cv=none; b=oZ8N+lqvkfNGyqiIZqkHGR+ys2VGq3O8DLQLiUGelHUZwvwDFMsTy73vTpeH2AYApA1j/EVb0CrH54LnWqHUAly1MOZv15Xgl13ARUo9n48g1aHHHaDyYEIQ4l1h20qvneYe5IxkWiUXcF4qXajWfaSbirjHDkFna8MbBo1D7VM= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1770858757; c=relaxed/simple; bh=b3k9g+bB9Wus+Vab7BvAAK+pJN41giLc2h4bKR1axJY=; h=From:To:Cc:Subject:Date:Message-ID:MIME-Version; b=ZyCilD09buw6h8GmCXO/mLSXj00qlpUDB5hvu7TkFj3nbr5sE1riBkK0rAt58h6RASbB3J0SaF1SH0wCq32yIN6pKF2ZVUsKiAiMWot5YPn7QUKBFrncfb7zLRU87d8IdmaspnwGpMGU2PHC/qm4V3GE6C9xa3y8fJZ3710h+vI= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com; spf=pass smtp.mailfrom=gmail.com; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b=WLQFkb2v; arc=none smtp.client-ip=209.85.214.182 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=gmail.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="WLQFkb2v" Received: by mail-pl1-f182.google.com with SMTP id d9443c01a7336-2a7d98c1879so41522225ad.3 for ; Wed, 11 Feb 2026 17:12:36 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1770858756; x=1771463556; darn=vger.kernel.org; h=content-transfer-encoding:mime-version:message-id:date:subject:cc :to:from:from:to:cc:subject:date:message-id:reply-to; bh=e450Uwa5Agt/WB2SYXKqjVmWpbonMJQ6E2jkPWqLxM8=; b=WLQFkb2vNCSGemwvqgQunGdSAavLEbd9nl3Om/adW7b+eHX/FWOiwgV29tQB3wW3xq SokeUngAS7cDL8H2rNO+EUVDImmCMgCAsGCxUdtR9McJEyhnHMiATe4rbvPeSppHld4l qkeOBqfQuQtISJsz0lmrZdOJ37mWIrufS8ncUfAKklZJlgiW6rsjFtb8nZzgk4A/dkXd Efus+oPj2vbMNdDBbQ1KxGMNwPu1RJRuhidZnjfYGOyIXIxjE+DsmORRxB5W1J522AIN j5PboAvPsRgWXDg/9g29IWiGz3kbn8dA7ppdDWgui5b/bW3JZGkXBazM4WIdia/af45W 3V7Q== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1770858756; x=1771463556; h=content-transfer-encoding:mime-version:message-id:date:subject:cc :to:from:x-gm-gg:x-gm-message-state:from:to:cc:subject:date :message-id:reply-to; bh=e450Uwa5Agt/WB2SYXKqjVmWpbonMJQ6E2jkPWqLxM8=; b=rzj8MPaLEqLhOiNJwk2ffLB1JFbGSg1U3nlEiwrpXldbf19Pzbvezl6+BYkusjfHOj v78Gb43Vc7nuMGMD3kvcPKiQ26+q4/B88cBK7zyxtRMJIQxeZYvuQ5IXs7GdQdaLKjnk gW+TiMRcysNfuD624P3dAVOZUHuGNDRkzZq2zrgAifzmjxjWqryZfTLkEh0iAB2itYt/ eW/4YEayqwi8dIFzLDRsYBqygRzU6LD6MPdNU4KaDSWn9MMC4RsrqZp9ByPYy6iYif7n nd6z8wXGfHLeVMTZ8oko718eUDxwlcwHqVANcfGDsVUWLZGK//F+NMMijysarKsYf9OH 8XAA== X-Forwarded-Encrypted: i=1; AJvYcCXjJG58eWI7IkNMM4SajllEhjmPG3XbQNAdQI+hRBYNwUHd6ZHHD+9eJgEoTmPSqzvU79pzOjBgM7yPgv8=@vger.kernel.org X-Gm-Message-State: AOJu0YwFceBG26HRl0iF0VTrr/MS3O1RETQtJz1jOuomvLTWKoO9oy72 bNIP8OF1UV/PHwoneIxxmkeTrGA5/0+PtEFsee3vDf3MNtCL1R4MPdOS X-Gm-Gg: AZuq6aI+MKkQhqcSK1v17trfK/1HrVQ+LlhfZyT9Z/H8wq1T+RA/d5wRJ9aklJ8GtHK b1jcd158cGjpkGhFpwUv7F6sqNQy9rQu8wNGPpP6WeFW5+FqPspT8Hkji566ctkZsR/Mb8j7v1Q HxK1YpmYiF2cW6qNaCQNL2b70FvFD6pA5kYQunIsaLisaWjbbsZKgL6aUt3Wur9aZHLFRPGuodW 8YwnZG0Cx6IcbgsUomev1pGNnwgTdt5bVw1r3plccUlCNCjUrSEu1x4XpEk8FpR1E02RtGK38w8 mCsTYeK3ImAnxe0krYI0T0SKZsYyqTbxm5GPknEMCblxsSCjaj5ubf+E1Qpm9Yy/A0LIdsBRmvj SfjiEnyvcJDH+NV79NKJENMZaNxXzCORMOa6q0ZFCMM5/yaWqd9NPR8Hj2pEIgOYT/RcVaLOjvU 2SFjnTmL09JMjIcXpVGUybVEwRGSQ834h0Trwx2RE504AnHpDCut6TUxL5QkbkPnus+XGq4ruer x9X X-Received: by 2002:a17:903:b84:b0:2a7:c8db:488a with SMTP id d9443c01a7336-2ab3987a8afmr9704685ad.7.1770858755832; Wed, 11 Feb 2026 17:12:35 -0800 (PST) Received: from deepanshu-kernel-hacker.. ([2405:201:682f:389d:e19:3f46:5cc:70f0]) by smtp.gmail.com with ESMTPSA id d9443c01a7336-2ab298700a7sm32001845ad.27.2026.02.11.17.12.32 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 11 Feb 2026 17:12:35 -0800 (PST) From: Deepanshu Kartikey To: slava@dubeyko.com, glaubitz@physik.fu-berlin.de, frank.li@vivo.com Cc: linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org, Deepanshu Kartikey , syzbot+d80abb5b890d39261e72@syzkaller.appspotmail.com Subject: [PATCH v3] hfsplus: fix uninit-value by validating catalog record size Date: Thu, 12 Feb 2026 06:42:27 +0530 Message-ID: <20260212011227.65197-1-kartikey406@gmail.com> X-Mailer: git-send-email 2.43.0 Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" Syzbot reported a KMSAN uninit-value issue in hfsplus_strcasecmp(). The root cause is that hfs_brec_read() doesn't validate that the on-disk record size matches the expected size for the record type being read. When mounting a corrupted filesystem, hfs_brec_read() may read less data than expected. For example, when reading a catalog thread record, the debug output showed: HFSPLUS_BREC_READ: rec_len=3D520, fd->entrylength=3D26 HFSPLUS_BREC_READ: WARNING - entrylength (26) < rec_len (520) - PARTIAL R= EAD! hfs_brec_read() only validates that entrylength is not greater than the buffer size, but doesn't check if it's less than expected. It successfully reads 26 bytes into a 520-byte structure and returns success, leaving 494 bytes uninitialized. This uninitialized data in tmp.thread.nodeName then gets copied by hfsplus_cat_build_key_uni() and used by hfsplus_strcasecmp(), triggering the KMSAN warning when the uninitialized bytes are used as array indices in case_fold(). Fix by introducing hfsplus_brec_read_cat() wrapper that: 1. Calls hfs_brec_read() to read the data 2. Validates the record size based on the type field: - Fixed size for folder and file records - Variable size for thread records (depends on string length) 3. Returns -EIO if size doesn't match expected Also initialize the tmp variable in hfsplus_find_cat() as defensive programming to ensure no uninitialized data even if validation is bypassed. Reported-by: syzbot+d80abb5b890d39261e72@syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=3Dd80abb5b890d39261e72 Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Tested-by: syzbot+d80abb5b890d39261e72@syzkaller.appspotmail.com Link: https://lore.kernel.org/all/20260120051114.1281285-1-kartikey406@gmai= l.com/T/ [v1] Link: https://lore.kernel.org/all/20260121063109.1830263-1-kartikey406@gmai= l.com/T/ [v2] Signed-off-by: Deepanshu Kartikey --- Changes in v3: - Introduced hfsplus_brec_read_cat() wrapper function for catalog-specific validation instead of modifying generic hfs_brec_read() - Added hfsplus_cat_thread_size() helper to calculate variable-size thread record sizes - Use exact size match (!=3D) instead of minimum size check (<) - Use sizeof(hfsplus_unichr) instead of hardcoded value 2 - Updated all catalog record read sites to use new wrapper function - Addressed review feedback from Viacheslav Dubeyko Changes in v2: - Use structure initialization (=3D {0}) instead of memset() - Improved commit message to clarify how uninitialized data is used --- fs/hfsplus/bfind.c | 59 +++++++++++++++++++++++++++++++++++++++++ fs/hfsplus/catalog.c | 4 +-- fs/hfsplus/dir.c | 2 +- fs/hfsplus/hfsplus_fs.h | 3 +++ fs/hfsplus/super.c | 2 +- 5 files changed, 66 insertions(+), 4 deletions(-) diff --git a/fs/hfsplus/bfind.c b/fs/hfsplus/bfind.c index 9b89dce00ee9..fe75f3f2c17a 100644 --- a/fs/hfsplus/bfind.c +++ b/fs/hfsplus/bfind.c @@ -297,3 +297,62 @@ int hfs_brec_goto(struct hfs_find_data *fd, int cnt) fd->bnode =3D bnode; return res; } + +/** + * hfsplus_cat_thread_size - calculate expected size of a catalog thread r= ecord + * @thread: pointer to the thread record + * + * Returns the expected size based on the string length + */ +u32 hfsplus_cat_thread_size(const struct hfsplus_cat_thread *thread) +{ + return offsetof(struct hfsplus_cat_thread, nodeName) + + offsetof(struct hfsplus_unistr, unicode) + + be16_to_cpu(thread->nodeName.length) * sizeof(hfsplus_unichr); +} + +/** + * hfsplus_brec_read_cat - read and validate a catalog record + * @fd: find data structure + * @entry: pointer to catalog entry to read into + * + * Reads a catalog record and validates its size matches the expected + * size based on the record type. + * + * Returns 0 on success, or negative error code on failure. + */ +int hfsplus_brec_read_cat(struct hfs_find_data *fd, hfsplus_cat_entry *ent= ry) +{ + int res; + u32 expected_size; + + res =3D hfs_brec_read(fd, entry, sizeof(hfsplus_cat_entry)); + if (res) + return res; + + /* Validate catalog record size based on type */ + switch (be16_to_cpu(entry->type)) { + case HFSPLUS_FOLDER: + expected_size =3D sizeof(struct hfsplus_cat_folder); + break; + case HFSPLUS_FILE: + expected_size =3D sizeof(struct hfsplus_cat_file); + break; + case HFSPLUS_FOLDER_THREAD: + case HFSPLUS_FILE_THREAD: + expected_size =3D hfsplus_cat_thread_size(&entry->thread); + break; + default: + pr_err("unknown catalog record type %d\n", + be16_to_cpu(entry->type)); + return -EIO; + } + + if (fd->entrylength !=3D expected_size) { + pr_err("catalog record size mismatch (type %d, got %u, expected %u)\n", + be16_to_cpu(entry->type), fd->entrylength, expected_size); + return -EIO; + } + + return 0; +} diff --git a/fs/hfsplus/catalog.c b/fs/hfsplus/catalog.c index 02c1eee4a4b8..6c8380f7208d 100644 --- a/fs/hfsplus/catalog.c +++ b/fs/hfsplus/catalog.c @@ -194,12 +194,12 @@ static int hfsplus_fill_cat_thread(struct super_block= *sb, int hfsplus_find_cat(struct super_block *sb, u32 cnid, struct hfs_find_data *fd) { - hfsplus_cat_entry tmp; + hfsplus_cat_entry tmp =3D {0}; int err; u16 type; =20 hfsplus_cat_build_key_with_cnid(sb, fd->search_key, cnid); - err =3D hfs_brec_read(fd, &tmp, sizeof(hfsplus_cat_entry)); + err =3D hfsplus_brec_read_cat(fd, &tmp); if (err) return err; =20 diff --git a/fs/hfsplus/dir.c b/fs/hfsplus/dir.c index cadf0b5f9342..d86e2f7b289c 100644 --- a/fs/hfsplus/dir.c +++ b/fs/hfsplus/dir.c @@ -49,7 +49,7 @@ static struct dentry *hfsplus_lookup(struct inode *dir, s= truct dentry *dentry, if (unlikely(err < 0)) goto fail; again: - err =3D hfs_brec_read(&fd, &entry, sizeof(entry)); + err =3D hfsplus_brec_read_cat(&fd, &entry); if (err) { if (err =3D=3D -ENOENT) { hfs_find_exit(&fd); diff --git a/fs/hfsplus/hfsplus_fs.h b/fs/hfsplus/hfsplus_fs.h index 45fe3a12ecba..5efb5d176cd9 100644 --- a/fs/hfsplus/hfsplus_fs.h +++ b/fs/hfsplus/hfsplus_fs.h @@ -506,6 +506,9 @@ int hfsplus_submit_bio(struct super_block *sb, sector_t= sector, void *buf, void **data, blk_opf_t opf); int hfsplus_read_wrapper(struct super_block *sb); =20 +u32 hfsplus_cat_thread_size(const struct hfsplus_cat_thread *thread); +int hfsplus_brec_read_cat(struct hfs_find_data *fd, hfsplus_cat_entry *ent= ry); + /* * time helpers: convert between 1904-base and 1970-base timestamps * diff --git a/fs/hfsplus/super.c b/fs/hfsplus/super.c index aaffa9e060a0..e59611a664ef 100644 --- a/fs/hfsplus/super.c +++ b/fs/hfsplus/super.c @@ -567,7 +567,7 @@ static int hfsplus_fill_super(struct super_block *sb, s= truct fs_context *fc) err =3D hfsplus_cat_build_key(sb, fd.search_key, HFSPLUS_ROOT_CNID, &str); if (unlikely(err < 0)) goto out_put_root; - if (!hfs_brec_read(&fd, &entry, sizeof(entry))) { + if (!hfsplus_brec_read_cat(&fd, &entry)) { hfs_find_exit(&fd); if (entry.type !=3D cpu_to_be16(HFSPLUS_FOLDER)) { err =3D -EIO; --=20 2.43.0