git.ipfire.org Git - thirdparty/kernel/linux.git/commit

author	Qing Wang <wangqing7171@gmail.com>
	Wed, 28 Jan 2026 13:24:04 +0000 (14:24 +0100)
committer	Christian Brauner <brauner@kernel.org>
	Thu, 29 Jan 2026 09:06:59 +0000 (10:06 +0100)
commit	1992330d90dd766fcf1730fd7bf2d6af65370ac4
tree	7b65daa79c82e8ada7a1deee6b23e59ebb2a9619	tree
parent	9396bfdacb5aa2bcb3d2242b0de527e7d4f8a3cd	commit \| diff

ovl: Fix uninit-value in ovl_fill_real

Syzbot reported a KMSAN uninit-value issue in ovl_fill_real.

This iusse's call chain is:
__do_sys_getdents64()
    -> iterate_dir()
        ...
            -> ext4_readdir()
                -> fscrypt_fname_alloc_buffer() // alloc
                -> fscrypt_fname_disk_to_usr // write without tail '\0'
                -> dir_emit()
                    -> ovl_fill_real() // read by strcmp()

The string is used to store the decrypted directory entry name for an
encrypted inode. As shown in the call chain, fscrypt_fname_disk_to_usr()
write it without null-terminate. However, ovl_fill_real() uses strcmp() to
compare the name against "..", which assumes a null-terminated string and
may trigger a KMSAN uninit-value warning when the buffer tail contains
uninit data.

Reported-by: syzbot+d130f98b2c265fae5297@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=d130f98b2c265fae5297
Fixes: 4edb83bb1041 ("ovl: constant d_ino for non-merge dirs")
Signed-off-by: Qing Wang <wangqing7171@gmail.com>
Signed-off-by: Amir Goldstein <amir73il@gmail.com>
Link: https://patch.msgid.link/20260128132406.23768-2-amir73il@gmail.com
Acked-by: Miklos Szeredi <mszeredi@redhat.com>
Reviewed-by: Eric Biggers <ebiggers@kernel.org>
Signed-off-by: Christian Brauner <brauner@kernel.org>