From nobody Sat Feb 7 21:15:42 2026 Received: from mail-ot1-f71.google.com (mail-ot1-f71.google.com [209.85.210.71]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 0FD321F0991 for ; Sat, 17 Jan 2026 02:32:23 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.210.71 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1768617145; cv=none; b=hv49S9AFjY9kQiXL+rQGXc7JtqDQp8SoDJs6B3zNjBHVOJFXvL3gUEZWnaqLp626APnaV7uIQhQQqgB9eqf1tzFkuAqKaf5pSwS72hlpg4NYYI2NRVfcQKiaB72eOiL6qrTIqJGiyn5PHWptP+SS00S87MajZdvfBfJiFUftfnw= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1768617145; c=relaxed/simple; bh=Ej/9CBNRssPmpKhJQwCJl2M3Wk3Ga2rfh8WZawEcdsw=; h=MIME-Version:Date:In-Reply-To:Message-ID:Subject:From:To: Content-Type; b=ZQVq86vbM2RFv0TRuRgIM8lJ6r+YfjMjYMJ6PR5lyIpdsyW5/m+1eL6HMXTYoQocL36hyrYXBcE50b4uMWZGqalkg2v4VVnpZscyl6RNZJbsBP53W2d3n4oV8xGMDstlPZJmQZsFqOEb4RMLjKvgwdrbscuwgHNZRkge3/sqPmo= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=fail (p=none dis=none) header.from=syzkaller.appspotmail.com; spf=pass smtp.mailfrom=M3KW2WVRGUFZ5GODRSRYTGD7.apphosting.bounces.google.com; arc=none smtp.client-ip=209.85.210.71 Authentication-Results: smtp.subspace.kernel.org; dmarc=fail (p=none dis=none) header.from=syzkaller.appspotmail.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=M3KW2WVRGUFZ5GODRSRYTGD7.apphosting.bounces.google.com Received: by mail-ot1-f71.google.com with SMTP id 46e09a7af769-7cfd1080f66so1016342a34.2 for ; Fri, 16 Jan 2026 18:32:23 -0800 (PST) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1768617143; x=1769221943; h=to:from:subject:message-id:in-reply-to:date:mime-version :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=iA6bAcqx5EmaO97qRZ7KR3MWQnqMdS5TAf041mzEjvY=; b=sfUyUwEdJqCfuo04MmnsIaGiv1+kRDVsmHuIEC0QtLEF10rg/inZtIh1y8+oOnPWa/ KvHGf3M3Cyw8MsAyB+7usUxBS5RNzCVtpzdKT/omySgZtnI6UvkyAcvJUErTLzbi8U2c bkBcEoMN1xkiE/aQ3tPkV3HKWsoV3UG614x1sXf8KYajZjoaotPFBcGIlJpbYwhMCyxr XZbElExc6+b/u4Z/JczA3i5rtMOjJYkFyQHoP3pZH4sVpOLI2jWH9nQY3VL8e1J/VpcV GwT+BXVdICYSIhbL/dUMDa7if4lI2WN27SjtvbQ0TofW10I6rooXoBHbKucFgXNcxFtA s8HA== X-Gm-Message-State: AOJu0Yxst6JGGVdEUMgfzWFWU2py190pQjDcowAt9VOAiCG38p+6+BoX UMUJba67aKq5lmvj7UA1BgpUznn8ADUSc3ansX8qHO0iXgJAVdE3VW/BStvFDwDV/gKA0oWyDLU 7YS3ull4Tt/YqfQ56OWxuuOHW4naM5iSwYWEzB+/62mlO/L0KdL9bq+gWfEQ= Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 X-Received: by 2002:a05:6820:4687:b0:65d:e1a:a8f6 with SMTP id 006d021491bc7-6611797e820mr1896507eaf.25.1768617142917; Fri, 16 Jan 2026 18:32:22 -0800 (PST) Date: Fri, 16 Jan 2026 18:32:22 -0800 In-Reply-To: <696aa7da.a70a0220.31956c.001a.GAE@google.com> X-Google-Appengine-App-Id: s~syzkaller X-Google-Appengine-App-Id-Alias: syzkaller Message-ID: <696af4b6.050a0220.3390f1.0001.GAE@google.com> Subject: Forwarded: [PATCH] hpfs: add buffer bounds validation in hpfs_bplus_lookup From: syzbot To: linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" For archival purposes, forwarding an incoming command email to linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com. *** Subject: [PATCH] hpfs: add buffer bounds validation in hpfs_bplus_lookup Author: kartikey406@gmail.com #syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git= master When traversing the B+ tree in a corrupted HPFS filesystem, the btree pointer obtained from GET_BTREE_PTR() may point outside the mapped buffer's bounds if the on-disk data structures are malformed. This leads to a use-after-free when accessing btree->u.external[i] as the memory may have been freed and reallocated. Additionally, a corrupted n_used_nodes value can cause out-of-bounds array access when iterating through btree->u.internal[] or btree->u.external[] arrays. Add validation to ensure: 1. The btree pointer stays within the mapped buffer boundaries 2. The n_used_nodes value is within reasonable limits This prevents KASAN-detected use-after-free when processing malicious HPFS filesystem images. Reported-by: syzbot+8debf4b3f7c7391cd8eb@syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=3D8debf4b3f7c7391cd8eb Signed-off-by: Deepanshu Kartikey --- fs/hpfs/anode.c | XX insertions(+), X deletions(-) diff --git a/fs/hpfs/anode.c b/fs/hpfs/anode.c index XXXXXXX..YYYYYYY 100644 --- a/fs/hpfs/anode.c +++ b/fs/hpfs/anode.c @@ -XX,6 +XX,16 @@ secno hpfs_bplus_lookup(struct super_block *s, struct in= ode *inode, brelse(bh); if (!(anode =3D hpfs_map_anode(s --- fs/hpfs/anode.c | 74 +++++++++++++++++++++++++++++++++++++++++++++++-- 1 file changed, 71 insertions(+), 3 deletions(-) diff --git a/fs/hpfs/anode.c b/fs/hpfs/anode.c index a4f5321eafae..826e2142223b 100644 --- a/fs/hpfs/anode.c +++ b/fs/hpfs/anode.c @@ -19,25 +19,87 @@ secno hpfs_bplus_lookup(struct super_block *s, struct i= node *inode, struct anode *anode; int i; int c1, c2 =3D 0; +=09 + printk(KERN_DEBUG "hpfs_bplus_lookup: ENTRY btree=3D%px bh=3D%px sec=3D%u= \n",=20 + btree, bh, sec); +=09 go_down: if (hpfs_sb(s)->sb_chk) if (hpfs_stop_cycles(s, a, &c1, &c2, "hpfs_bplus_= lookup")) return -1; +=09 + printk(KERN_DEBUG "hpfs_bplus_lookup: go_down - btree=3D%px bh=3D%px inte= rnal=3D%d n_used_nodes=3D%u\n", + btree, bh, bp_internal(btree), btree->n_used_nodes); +=09 if (bp_internal(btree)) { - for (i =3D 0; i < btree->n_used_nodes; i++) + printk(KERN_DEBUG "hpfs_bplus_lookup: Processing INTERNAL node\n"); + for (i =3D 0; i < btree->n_used_nodes; i++) { + printk(KERN_DEBUG "hpfs_bplus_lookup: internal[%d] file_secno=3D%u look= ing_for=3D%u\n", + i, le32_to_cpu(btree->u.internal[i].file_secno), sec); + =09 if (le32_to_cpu(btree->u.internal[i].file_secno) > sec) { a =3D le32_to_cpu(btree->u.internal[i].down); + =09 + printk(KERN_DEBUG "hpfs_bplus_lookup: Found match, going down to anode= =3D%08x\n", a); + printk(KERN_DEBUG "hpfs_bplus_lookup: BEFORE brelse - bh=3D%px btree= =3D%px\n", bh, btree); + =09 brelse(bh); - if (!(anode =3D hpfs_map_anode(s, a, &bh))) return -1; + =09 + printk(KERN_DEBUG "hpfs_bplus_lookup: AFTER brelse - calling hpfs_map_= anode\n"); + =09 + if (!(anode =3D hpfs_map_anode(s, a, &bh))) { + printk(KERN_ERR "hpfs_bplus_lookup: hpfs_map_anode FAILED for anode= =3D%08x\n", a); + return -1; + } + =09 + printk(KERN_DEBUG "hpfs_bplus_lookup: hpfs_map_anode SUCCESS - new_bh= =3D%px anode=3D%px\n", bh, anode); + =09 btree =3D GET_BTREE_PTR(&anode->btree); + /* Validate btree pointer is within buffer bounds */ + if ((unsigned long)btree < (unsigned long)bh->b_data || + (unsigned long)btree + sizeof(*btree) > (unsigned long)bh->b_data= + bh->b_size) { + printk(KERN_ERR "hpfs_bplus_lookup: INVALID btree pointer! btree= =3D%px buf_start=3D%px buf_end=3D%px\n", + btree, bh->b_data, (void *)((unsigned long)bh->b_data + bh= ->b_size)); + brelse(bh); + return -1; + } + + /* Validate n_used_nodes is reasonable */ + if (btree->n_used_nodes > 100) { /* Adjust based on actual max */ + printk(KERN_ERR "hpfs_bplus_lookup: SUSPICIOUS n_used_nodes=3D%u = (too large)\n", + btree->n_used_nodes); + brelse(bh); + return -1; + } =09 + printk(KERN_DEBUG "hpfs_bplus_lookup: NEW btree=3D%px (from anode->btr= ee)\n", btree); + =09 goto go_down; } + } hpfs_error(s, "sector %08x not found in internal anode %08x", sec, a); brelse(bh); return -1; } - for (i =3D 0; i < btree->n_used_nodes; i++) +=09 + printk(KERN_DEBUG "hpfs_bplus_lookup: Processing EXTERNAL node - btree=3D= %px bh=3D%px n_used_nodes=3D%u\n", + btree, bh, btree->n_used_nodes); +=09 + /* Add bounds checking */ + printk(KERN_DEBUG "hpfs_bplus_lookup: Buffer bounds - bh->b_data=3D%px si= ze=3D%zu btree=3D%px\n", + bh->b_data, bh->b_size, btree); +=09 + for (i =3D 0; i < btree->n_used_nodes; i++) { + printk(KERN_DEBUG "hpfs_bplus_lookup: external[%d] - accessing btree->u.= external[%d] at %px\n", + i, i, &btree->u.external[i]); + =09 + /* This is line 38 - the crash point */ + printk(KERN_DEBUG "hpfs_bplus_lookup: external[%d] - reading file_secno = from %px\n", + i, &btree->u.external[i].file_secno); + =09 if (le32_to_cpu(btree->u.external[i].file_secno) <=3D sec && le32_to_cpu(btree->u.external[i].file_secno) + le32_to_cpu(btree->u.= external[i].length) > sec) { a =3D le32_to_cpu(btree->u.external[i].disk_secno) + sec - le32_to_cpu(= btree->u.external[i].file_secno); + =09 + printk(KERN_DEBUG "hpfs_bplus_lookup: FOUND external match - disk_secno= =3D%u\n", a); + =09 if (hpfs_sb(s)->sb_chk) if (hpfs_chk_sectors(s, a, 1, "data")) { brelse(bh); return -1; @@ -49,10 +111,16 @@ secno hpfs_bplus_lookup(struct super_block *s, struct = inode *inode, hpfs_inode->i_n_secs =3D le32_to_cpu(btree->u.external[i].length); } brelse(bh); + =09 + printk(KERN_DEBUG "hpfs_bplus_lookup: EXIT SUCCESS - returning %u\n", a= ); return a; } + } +=09 hpfs_error(s, "sector %08x not found in external anode %08x", sec, a); brelse(bh); +=09 + printk(KERN_DEBUG "hpfs_bplus_lookup: EXIT FAILURE\n"); return -1; } =20 --=20 2.43.0