From nobody Thu Apr 2 22:24:09 2026 Received: from mail-pf1-f179.google.com (mail-pf1-f179.google.com [209.85.210.179]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id BAC141B81D3 for ; Sat, 14 Feb 2026 00:21:07 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.210.179 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1771028469; cv=none; b=K9cJy7y8pRHw4ug4IKWdQKQJjjDcYFvfoMYdj+omey39YcsWlj/EmkkggEXLsAS5zJpWapRsiiH+KGpixAXgr9w/T4lpvAJWdhB87BwoZTlPYcZNqS442BjYHX9VkiQFcj+4kks8O10ct+wxGRnZVO11OB622+TQnil96Iv+LOo= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1771028469; c=relaxed/simple; bh=D/YVepfgYii6qyyBIbfxram3tBNT+IdUmevLkyoV5xE=; h=From:To:Cc:Subject:Date:Message-ID:MIME-Version; b=q8HOeKLipcESfQ2HWItCuShVmnTRcC2q/PkGsWGboBO8eLL7/phMkASSHppXPWs2ZHre2XjYp0VyD+xbslMZo2z8c8W5ZKgo/HrjwGejPI/l2DtLtz/1d5YpQtbpv0VjK2F4J1wdFvcMBFd9JmzkfhGYugCWn+FiFf/iEfv+vCA= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com; spf=pass smtp.mailfrom=gmail.com; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b=kg8ptU+m; arc=none smtp.client-ip=209.85.210.179 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=gmail.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="kg8ptU+m" Received: by mail-pf1-f179.google.com with SMTP id d2e1a72fcca58-824a829f9bbso836018b3a.0 for ; Fri, 13 Feb 2026 16:21:07 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1771028467; x=1771633267; darn=vger.kernel.org; h=content-transfer-encoding:mime-version:message-id:date:subject:cc :to:from:from:to:cc:subject:date:message-id:reply-to; bh=2yP///Lg/wvpY4O1JL+tfaO/XX+i+pY6F/SFRRuJOIU=; b=kg8ptU+mZSo9bPPJPzBkMz9J/l92LneK0aB58/rR2q//xZc/0lbX4RAbSaH5Z7FSFR v5RNcE+CW7vbbyKtrFU9laI2/vL3F5tQHRAbHUUfJrGKyAlb8Oxw6ZCLgPKx9Cidta21 hHx/IDE1mMeqWjkh4VSNGFux+uc0OsL3nabfTzSQQMOlWh6gtlzDuRav3kv+nubniDdn D9aJtpChjdF8qAMS0hmzkc2Mh+eZAtbwohEDi0kLKWJ08UfvKU+TeM1sTXMK2xy7WOKS tpigsjy6xOcrKB5bRkW96zQrJ67j+UsQnxzdW/iQgWrVzrJFyeOB5z+mk+jn1JEvPRFE uUHg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1771028467; x=1771633267; h=content-transfer-encoding:mime-version:message-id:date:subject:cc :to:from:x-gm-gg:x-gm-message-state:from:to:cc:subject:date :message-id:reply-to; bh=2yP///Lg/wvpY4O1JL+tfaO/XX+i+pY6F/SFRRuJOIU=; b=uVO0EiX9W8Hu0ZxktYD+xXB/VGGwtOGoNyDVB6Xg3tpsb1W2w3P3jXAKB/uEsQPMFe JDczpEYQDILHpwB9zJKT9xmuLy1syQq5V1SzG0soYOFecboLxZ9kydomcTp9J0yqdt9A 9ROt2lcUckQfifQocpmnXqQtYMXWiAcKWKkJRqMb8C43MqEgb5riks4/n7dOxsscV4qO dMv1Nue4+10uD885xpznwB9YPAcZaShJ+AlIHkPj9GwvFOgl3W5ExP9zH10JqCfCN/12 mAlaeFGNc6zD+eSNmpqS+o8Y5U3pKub8qcHktGxMuafeVWe8fU0oafiNCBrxjm6J4yPa gJqQ== X-Forwarded-Encrypted: i=1; AJvYcCVCl17vQR3Hzz07BmA5FLvfrgPmazMIU1xh0UK5EhGRmaP0qyHxVms0U1jkWrOlnuIRzm4G+3U+gFSkvWM=@vger.kernel.org X-Gm-Message-State: AOJu0YyQAl6HHW4YHBRWDfW6mbQ0HBPmsCrk0gl4IU+wqBz9O3hRBXs5 NfUceOtmLyu+QfS5Sx1RfOX4QSXRfHiepwD57kSnhlIuAAD9soA1z/hC X-Gm-Gg: AZuq6aK0jemR6mJFezyT9Wd6yxMsjKvxVYOWF1Ee4UFiasX/uAXvFYu7JGg3mfKcJGU E+V/WshZjYl1Uh2C0qFM8r26y8+WBDiG2IKTxqv/jrYGnGEeZw4O9ilN3i7Lx74ZKPoFDCd6mWJ tojCwiKPAiMlYfbcIDHPPdX0ZZZdDF2LfBtcuaqAoXbaut7bpk0tbQO28BY3M3kapgYw2wl3uwg ZbrtUntpDqRBGoyakAFyqPKFOW0m1cSc6+zuu5NHVsWwcyCCDaKa+rN+Ak2Wvr0mVFs2/PuB44n c3fZ2+H2mmVY/R9XwYjoYGWH1zYenaacZx0MRCCFYj1ehKkhqS53bTogFI9ql8k6Ah5owodBzSZ eu5bHh9VU6gBRbvBguDHiK70l7Xx+OQ9UV1LWrcYFlH0AX9bI35ZiFJ5r5wOHP0EufoG+iyzSeL 5K+X573rUqaUfuoybqKAts5kPuIdvXLzKVJiTtW1p8gQMXQsffwSny0VFH85wVbhXZQ8w6WjOxM TDK7n2wICbPA8kQ X-Received: by 2002:a05:6a00:4f8f:b0:81f:46ba:1817 with SMTP id d2e1a72fcca58-824c964a386mr3440393b3a.66.1771028466970; Fri, 13 Feb 2026 16:21:06 -0800 (PST) Received: from deepanshu-kernel-hacker.. ([2405:201:682f:389d:1ca3:229:a9f4:8c87]) by smtp.gmail.com with ESMTPSA id d2e1a72fcca58-824c6a3e150sm4008462b3a.15.2026.02.13.16.21.03 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 13 Feb 2026 16:21:06 -0800 (PST) From: Deepanshu Kartikey To: slava@dubeyko.com, glaubitz@physik.fu-berlin.de, frank.li@vivo.com Cc: linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org, Deepanshu Kartikey , syzbot+d80abb5b890d39261e72@syzkaller.appspotmail.com Subject: [PATCH v4] hfsplus: fix uninit-value by validating catalog record size Date: Sat, 14 Feb 2026 05:51:00 +0530 Message-ID: <20260214002100.436125-1-kartikey406@gmail.com> X-Mailer: git-send-email 2.43.0 Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" Syzbot reported a KMSAN uninit-value issue in hfsplus_strcasecmp(). The root cause is that hfs_brec_read() doesn't validate that the on-disk record size matches the expected size for the record type being read. When mounting a corrupted filesystem, hfs_brec_read() may read less data than expected. For example, when reading a catalog thread record, the debug output showed: HFSPLUS_BREC_READ: rec_len=3D520, fd->entrylength=3D26 HFSPLUS_BREC_READ: WARNING - entrylength (26) < rec_len (520) - PARTIAL R= EAD! hfs_brec_read() only validates that entrylength is not greater than the buffer size, but doesn't check if it's less than expected. It successfully reads 26 bytes into a 520-byte structure and returns success, leaving 494 bytes uninitialized. This uninitialized data in tmp.thread.nodeName then gets copied by hfsplus_cat_build_key_uni() and used by hfsplus_strcasecmp(), triggering the KMSAN warning when the uninitialized bytes are used as array indices in case_fold(). Fix by introducing hfsplus_brec_read_cat() wrapper that: 1. Calls hfs_brec_read() to read the data 2. Validates the record size based on the type field: - Fixed size for folder and file records - Variable size for thread records (depends on string length) 3. Returns -EIO if size doesn't match expected Also initialize the tmp variable in hfsplus_find_cat() as defensive programming to ensure no uninitialized data even if validation is bypassed. Reported-by: syzbot+d80abb5b890d39261e72@syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=3Dd80abb5b890d39261e72 Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Tested-by: syzbot+d80abb5b890d39261e72@syzkaller.appspotmail.com Link: https://lore.kernel.org/all/20260120051114.1281285-1-kartikey406@gmai= l.com/ [v1] Link: https://lore.kernel.org/all/20260121063109.1830263-1-kartikey406@gmai= l.com/ [v2] Link: https://lore.kernel.org/all/20260212014233.2422046-1-kartikey406@gmai= l.com/ [v3] Signed-off-by: Deepanshu Kartikey Reviewed-by: Viacheslav Dubeyko Tested-by: Viacheslav Dubeyko --- Changes in v4: - Move hfsplus_cat_thread_size() as static inline to header file as suggested by Viacheslav Dubeyko Changes in v3: - Introduced hfsplus_brec_read_cat() wrapper function for catalog-specific validation instead of modifying generic hfs_brec_read() - Added hfsplus_cat_thread_size() helper to calculate variable-size thread record sizes - Use exact size match (!=3D) instead of minimum size check (<) - Use sizeof(hfsplus_unichr) instead of hardcoded value 2 - Updated all catalog record read sites to use new wrapper function - Addressed review feedback from Viacheslav Dubeyko Changes in v2: - Use structure initialization (=3D {0}) instead of memset() - Improved commit message to clarify how uninitialized data is used --- fs/hfsplus/bfind.c | 46 +++++++++++++++++++++++++++++++++++++++++ fs/hfsplus/catalog.c | 4 ++-- fs/hfsplus/dir.c | 2 +- fs/hfsplus/hfsplus_fs.h | 9 ++++++++ fs/hfsplus/super.c | 2 +- 5 files changed, 59 insertions(+), 4 deletions(-) diff --git a/fs/hfsplus/bfind.c b/fs/hfsplus/bfind.c index 9b89dce00ee9..4c5fd21585ef 100644 --- a/fs/hfsplus/bfind.c +++ b/fs/hfsplus/bfind.c @@ -297,3 +297,49 @@ int hfs_brec_goto(struct hfs_find_data *fd, int cnt) fd->bnode =3D bnode; return res; } + +/** + * hfsplus_brec_read_cat - read and validate a catalog record + * @fd: find data structure + * @entry: pointer to catalog entry to read into + * + * Reads a catalog record and validates its size matches the expected + * size based on the record type. + * + * Returns 0 on success, or negative error code on failure. + */ +int hfsplus_brec_read_cat(struct hfs_find_data *fd, hfsplus_cat_entry *ent= ry) +{ + int res; + u32 expected_size; + + res =3D hfs_brec_read(fd, entry, sizeof(hfsplus_cat_entry)); + if (res) + return res; + + /* Validate catalog record size based on type */ + switch (be16_to_cpu(entry->type)) { + case HFSPLUS_FOLDER: + expected_size =3D sizeof(struct hfsplus_cat_folder); + break; + case HFSPLUS_FILE: + expected_size =3D sizeof(struct hfsplus_cat_file); + break; + case HFSPLUS_FOLDER_THREAD: + case HFSPLUS_FILE_THREAD: + expected_size =3D hfsplus_cat_thread_size(&entry->thread); + break; + default: + pr_err("unknown catalog record type %d\n", + be16_to_cpu(entry->type)); + return -EIO; + } + + if (fd->entrylength !=3D expected_size) { + pr_err("catalog record size mismatch (type %d, got %u, expected %u)\n", + be16_to_cpu(entry->type), fd->entrylength, expected_size); + return -EIO; + } + + return 0; +} diff --git a/fs/hfsplus/catalog.c b/fs/hfsplus/catalog.c index 02c1eee4a4b8..6c8380f7208d 100644 --- a/fs/hfsplus/catalog.c +++ b/fs/hfsplus/catalog.c @@ -194,12 +194,12 @@ static int hfsplus_fill_cat_thread(struct super_block= *sb, int hfsplus_find_cat(struct super_block *sb, u32 cnid, struct hfs_find_data *fd) { - hfsplus_cat_entry tmp; + hfsplus_cat_entry tmp =3D {0}; int err; u16 type; =20 hfsplus_cat_build_key_with_cnid(sb, fd->search_key, cnid); - err =3D hfs_brec_read(fd, &tmp, sizeof(hfsplus_cat_entry)); + err =3D hfsplus_brec_read_cat(fd, &tmp); if (err) return err; =20 diff --git a/fs/hfsplus/dir.c b/fs/hfsplus/dir.c index cadf0b5f9342..d86e2f7b289c 100644 --- a/fs/hfsplus/dir.c +++ b/fs/hfsplus/dir.c @@ -49,7 +49,7 @@ static struct dentry *hfsplus_lookup(struct inode *dir, s= truct dentry *dentry, if (unlikely(err < 0)) goto fail; again: - err =3D hfs_brec_read(&fd, &entry, sizeof(entry)); + err =3D hfsplus_brec_read_cat(&fd, &entry); if (err) { if (err =3D=3D -ENOENT) { hfs_find_exit(&fd); diff --git a/fs/hfsplus/hfsplus_fs.h b/fs/hfsplus/hfsplus_fs.h index 45fe3a12ecba..e811d33861af 100644 --- a/fs/hfsplus/hfsplus_fs.h +++ b/fs/hfsplus/hfsplus_fs.h @@ -506,6 +506,15 @@ int hfsplus_submit_bio(struct super_block *sb, sector_= t sector, void *buf, void **data, blk_opf_t opf); int hfsplus_read_wrapper(struct super_block *sb); =20 +static inline u32 hfsplus_cat_thread_size(const struct hfsplus_cat_thread = *thread) +{ + return offsetof(struct hfsplus_cat_thread, nodeName) + + offsetof(struct hfsplus_unistr, unicode) + + be16_to_cpu(thread->nodeName.length) * sizeof(hfsplus_unichr); +} + +int hfsplus_brec_read_cat(struct hfs_find_data *fd, hfsplus_cat_entry *ent= ry); + /* * time helpers: convert between 1904-base and 1970-base timestamps * diff --git a/fs/hfsplus/super.c b/fs/hfsplus/super.c index aaffa9e060a0..e59611a664ef 100644 --- a/fs/hfsplus/super.c +++ b/fs/hfsplus/super.c @@ -567,7 +567,7 @@ static int hfsplus_fill_super(struct super_block *sb, s= truct fs_context *fc) err =3D hfsplus_cat_build_key(sb, fd.search_key, HFSPLUS_ROOT_CNID, &str); if (unlikely(err < 0)) goto out_put_root; - if (!hfs_brec_read(&fd, &entry, sizeof(entry))) { + if (!hfsplus_brec_read_cat(&fd, &entry)) { hfs_find_exit(&fd); if (entry.type !=3D cpu_to_be16(HFSPLUS_FOLDER)) { err =3D -EIO; --=20 2.43.0