From nobody Thu Apr 2 17:44:29 2026 Received: from mail-oa1-f69.google.com (mail-oa1-f69.google.com [209.85.160.69]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 2D7AB155757 for ; Wed, 11 Feb 2026 15:05:51 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.160.69 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1770822352; cv=none; b=U4sdqIx0IAo3J6d3CdqVYSlLaJ+T0S+H20zhGIwSM/DNfHH3M7M3pGgNyEmb5PYOYM5eAHOxFyFsBGUvKYLb8Ye+QnF06B+B0TpEfmIdiUaGqnXiQN/ubNM1NqCADJq3xJYKtV+xl/J3670GcGJ/4isfitEn3QFiEAjGJqAetaI= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1770822352; c=relaxed/simple; bh=OnsRGU6tGdzaq+UjMctsi8AkQbNqQR775wOMMjWdTrY=; h=MIME-Version:Date:In-Reply-To:Message-ID:Subject:From:To: Content-Type; b=IHl9bbAezYWSwWPgD84s1c+dVEvh7fJiZ6Xx8y5Rh/0xm50BzvWpAe8efOcjnmAe4CRe9MzaY04gVsr8uzsMGwPSZ9BruVtqykf2IdUiObGW4+96b03mY7NKhEI1ncWcn69D9vshk5apM3U08AxcZ3CzO9NoueMODtwbBzXiDvs= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=fail (p=none dis=none) header.from=syzkaller.appspotmail.com; spf=pass smtp.mailfrom=M3KW2WVRGUFZ5GODRSRYTGD7.apphosting.bounces.google.com; arc=none smtp.client-ip=209.85.160.69 Authentication-Results: smtp.subspace.kernel.org; dmarc=fail (p=none dis=none) header.from=syzkaller.appspotmail.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=M3KW2WVRGUFZ5GODRSRYTGD7.apphosting.bounces.google.com Received: by mail-oa1-f69.google.com with SMTP id 586e51a60fabf-40a5fc701e9so7011312fac.1 for ; Wed, 11 Feb 2026 07:05:50 -0800 (PST) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1770822350; x=1771427150; h=to:from:subject:message-id:in-reply-to:date:mime-version :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=CPNd8QeYUeLi6x9M6G83OKtre8GArkfbksIKjtXurAw=; b=lAf5S2fwgb/XIEE3NsDDt/jiDLx5vSeoCln0PchQ5RsZLPjcPttPBwsJrLI78IfrJR 2dh9P8IzEnd17ffp/0ucpGW2DSpflxoB40Y3p9qWClaYVP1LuRa3rUiPzAytcT/4QUzq t0Dud2rcsTFs3+BOglNIjh07kM1LoD0HxDEhVv25YgQ25RBIZlN8nbpXZl6z74YXIMOk +rueEoWrROnJ5YqENvthg3IU6MLJvp01FwbG/xTakYdZJmBQ64IqpgMAhi3IpYQiijAv fSlTIjQnkvOhEKYLEbVZrutq5tUEdfY9M0fqWoA4TcAHOE2Vb+o3yGaawSzqDGiccSJs uxxg== X-Gm-Message-State: AOJu0YwqVFhHeE8GhXeCFvlaDZt9DFnRZPKmvRclPneqtf+1OCW4cYie 2md8CFDuvPdjb6XNbf4X1JAH/wHCSE9d1U03zHICLMVvghdNZPs10YiqpyvTO5zxmkdVEhNj6Eu pK9/X9clWb0f4qQn+qRkId6LZH9NECziPG4GqrCg+R4WBAM713RDHVqyP+8I= Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 X-Received: by 2002:a05:6820:4dce:b0:661:167b:72dd with SMTP id 006d021491bc7-66d0bea7d12mr8149773eaf.47.1770822350125; Wed, 11 Feb 2026 07:05:50 -0800 (PST) Date: Wed, 11 Feb 2026 07:05:50 -0800 In-Reply-To: <696ea368.a70a0220.34546f.04b7.GAE@google.com> X-Google-Appengine-App-Id: s~syzkaller X-Google-Appengine-App-Id-Alias: syzkaller Message-ID: <698c9ace.050a0220.2eeac1.009a.GAE@google.com> Subject: Forwarded: [PATCH] hfsplus: fix uninit-value by validating catalog record size From: syzbot To: linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" For archival purposes, forwarding an incoming command email to linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com. *** Subject: [PATCH] hfsplus: fix uninit-value by validating catalog record size Author: kartikey406@gmail.com #syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git= master Syzbot reported a KMSAN uninit-value issue in hfsplus_strcasecmp(). The root cause is that hfs_brec_read() doesn't validate that the on-disk record size matches the expected size for the record type being read. When mounting a corrupted filesystem, hfs_brec_read() may read less data than expected. For example, when reading a catalog thread record, the debug output showed: HFSPLUS_BREC_READ: rec_len=3D520, fd->entrylength=3D26 HFSPLUS_BREC_READ: WARNING - entrylength (26) < rec_len (520) - PARTIAL R= EAD! hfs_brec_read() only validates that entrylength is not greater than the buffer size, but doesn't check if it's less than expected. It successfully reads 26 bytes into a 520-byte structure and returns success, leaving 494 bytes uninitialized. This uninitialized data in tmp.thread.nodeName then gets copied by hfsplus_cat_build_key_uni() and used by hfsplus_strcasecmp(), triggering the KMSAN warning when the uninitialized bytes are used as array indices in case_fold(). Fix by introducing hfsplus_brec_read_cat() wrapper that: 1. Calls hfs_brec_read() to read the data 2. Validates the record size based on the type field: - Fixed size for folder and file records - Variable size for thread records (depends on string length) 3. Returns -EIO if size doesn't match expected Also initialize the tmp variable in hfsplus_find_cat() as defensive programming to ensure no uninitialized data even if validation is bypassed. Reported-by: syzbot+d80abb5b890d39261e72@syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=3Dd80abb5b890d39261e72 Debugged-by: Viacheslav Dubeyko Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Signed-off-by: Deepanshu Kartikey --- fs/hfsplus/bfind.c | 59 +++++++++++++++++++++++++++++++++++++++++ fs/hfsplus/catalog.c | 4 +-- fs/hfsplus/dir.c | 2 +- fs/hfsplus/hfsplus_fs.h | 3 +++ fs/hfsplus/super.c | 2 +- 5 files changed, 66 insertions(+), 4 deletions(-) diff --git a/fs/hfsplus/bfind.c b/fs/hfsplus/bfind.c index 9b89dce00ee9..fe75f3f2c17a 100644 --- a/fs/hfsplus/bfind.c +++ b/fs/hfsplus/bfind.c @@ -297,3 +297,62 @@ int hfs_brec_goto(struct hfs_find_data *fd, int cnt) fd->bnode =3D bnode; return res; } + +/** + * hfsplus_cat_thread_size - calculate expected size of a catalog thread r= ecord + * @thread: pointer to the thread record + * + * Returns the expected size based on the string length + */ +u32 hfsplus_cat_thread_size(const struct hfsplus_cat_thread *thread) +{ + return offsetof(struct hfsplus_cat_thread, nodeName) + + offsetof(struct hfsplus_unistr, unicode) + + be16_to_cpu(thread->nodeName.length) * sizeof(hfsplus_unichr); +} + +/** + * hfsplus_brec_read_cat - read and validate a catalog record + * @fd: find data structure + * @entry: pointer to catalog entry to read into + * + * Reads a catalog record and validates its size matches the expected + * size based on the record type. + * + * Returns 0 on success, or negative error code on failure. + */ +int hfsplus_brec_read_cat(struct hfs_find_data *fd, hfsplus_cat_entry *ent= ry) +{ + int res; + u32 expected_size; + + res =3D hfs_brec_read(fd, entry, sizeof(hfsplus_cat_entry)); + if (res) + return res; + + /* Validate catalog record size based on type */ + switch (be16_to_cpu(entry->type)) { + case HFSPLUS_FOLDER: + expected_size =3D sizeof(struct hfsplus_cat_folder); + break; + case HFSPLUS_FILE: + expected_size =3D sizeof(struct hfsplus_cat_file); + break; + case HFSPLUS_FOLDER_THREAD: + case HFSPLUS_FILE_THREAD: + expected_size =3D hfsplus_cat_thread_size(&entry->thread); + break; + default: + pr_err("unknown catalog record type %d\n", + be16_to_cpu(entry->type)); + return -EIO; + } + + if (fd->entrylength !=3D expected_size) { + pr_err("catalog record size mismatch (type %d, got %u, expected %u)\n", + be16_to_cpu(entry->type), fd->entrylength, expected_size); + return -EIO; + } + + return 0; +} diff --git a/fs/hfsplus/catalog.c b/fs/hfsplus/catalog.c index 02c1eee4a4b8..6c8380f7208d 100644 --- a/fs/hfsplus/catalog.c +++ b/fs/hfsplus/catalog.c @@ -194,12 +194,12 @@ static int hfsplus_fill_cat_thread(struct super_block= *sb, int hfsplus_find_cat(struct super_block *sb, u32 cnid, struct hfs_find_data *fd) { - hfsplus_cat_entry tmp; + hfsplus_cat_entry tmp =3D {0}; int err; u16 type; =20 hfsplus_cat_build_key_with_cnid(sb, fd->search_key, cnid); - err =3D hfs_brec_read(fd, &tmp, sizeof(hfsplus_cat_entry)); + err =3D hfsplus_brec_read_cat(fd, &tmp); if (err) return err; =20 diff --git a/fs/hfsplus/dir.c b/fs/hfsplus/dir.c index cadf0b5f9342..d86e2f7b289c 100644 --- a/fs/hfsplus/dir.c +++ b/fs/hfsplus/dir.c @@ -49,7 +49,7 @@ static struct dentry *hfsplus_lookup(struct inode *dir, s= truct dentry *dentry, if (unlikely(err < 0)) goto fail; again: - err =3D hfs_brec_read(&fd, &entry, sizeof(entry)); + err =3D hfsplus_brec_read_cat(&fd, &entry); if (err) { if (err =3D=3D -ENOENT) { hfs_find_exit(&fd); diff --git a/fs/hfsplus/hfsplus_fs.h b/fs/hfsplus/hfsplus_fs.h index 45fe3a12ecba..5efb5d176cd9 100644 --- a/fs/hfsplus/hfsplus_fs.h +++ b/fs/hfsplus/hfsplus_fs.h @@ -506,6 +506,9 @@ int hfsplus_submit_bio(struct super_block *sb, sector_t= sector, void *buf, void **data, blk_opf_t opf); int hfsplus_read_wrapper(struct super_block *sb); =20 +u32 hfsplus_cat_thread_size(const struct hfsplus_cat_thread *thread); +int hfsplus_brec_read_cat(struct hfs_find_data *fd, hfsplus_cat_entry *ent= ry); + /* * time helpers: convert between 1904-base and 1970-base timestamps * diff --git a/fs/hfsplus/super.c b/fs/hfsplus/super.c index aaffa9e060a0..e59611a664ef 100644 --- a/fs/hfsplus/super.c +++ b/fs/hfsplus/super.c @@ -567,7 +567,7 @@ static int hfsplus_fill_super(struct super_block *sb, s= truct fs_context *fc) err =3D hfsplus_cat_build_key(sb, fd.search_key, HFSPLUS_ROOT_CNID, &str); if (unlikely(err < 0)) goto out_put_root; - if (!hfs_brec_read(&fd, &entry, sizeof(entry))) { + if (!hfsplus_brec_read_cat(&fd, &entry)) { hfs_find_exit(&fd); if (entry.type !=3D cpu_to_be16(HFSPLUS_FOLDER)) { err =3D -EIO; --=20 2.43.0