git.ipfire.org Git - thirdparty/linux.git/commit

author	Tristan Madani <tristan@talencesecurity.com>
	Tue, 5 May 2026 11:12:59 +0000 (11:12 +0000)
committer	Viacheslav Dubeyko <slava@dubeyko.com>
	Thu, 7 May 2026 22:07:20 +0000 (15:07 -0700)
commit	d67aadee19ffdf3cc8520c5a4f4d5b2916d30baf
tree	8a2b10c1dc071ebbbf2470230a43b021ef92f7f9	tree \| snapshot
parent	966cb76fb2857a4242cab6ea2ea17acf818a3da7	commit \| diff

hfs/hfsplus: zero-initialize buffer in hfs_bnode_read

hfs_bnode_read() can return early without writing to the output buffer
when is_bnode_offset_valid() fails or when check_and_correct_requested_
length() corrects the length to zero. Callers such as hfs_bnode_read_
u16() and hfs_bnode_read_u8() pass stack-allocated buffers and use the
result unconditionally, leading to KMSAN uninit-value reports.

Rather than initializing at each individual call site, zero the buffer
at the start of hfs_bnode_read() before any validation checks. This
ensures all callers in both hfs and hfsplus get a deterministic zero
value regardless of which early-return path is taken.

Reported-by: syzbot+217eb327242d08197efb@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=217eb327242d08197efb
Tested-by: syzbot+217eb327242d08197efb@syzkaller.appspotmail.com
Fixes: a431930c9bac ("hfs: fix slab-out-of-bounds in hfs_bnode_read()")
Cc: stable@vger.kernel.org
Signed-off-by: Tristan Madani <tristan@talencesecurity.com>
Reviewed-by: Viacheslav Dubeyko <slava@dubeyko.com>
Signed-off-by: Viacheslav Dubeyko <slava@dubeyko.com>
Link: https://lore.kernel.org/r/20260505111300.3592757-3-tristmd@gmail.com
Signed-off-by: Viacheslav Dubeyko <slava@dubeyko.com>

fs/hfs/bnode.c		diff \| blob \| blame \| history
fs/hfsplus/bnode.c		diff \| blob \| blame \| history