]> git.ipfire.org Git - thirdparty/kernel/linux.git/commit
projects / thirdparty / kernel / linux.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: ee8422d) | patch
hfsplus: fix uninit-value by validating catalog record size
authorDeepanshu Kartikey <kartikey406@gmail.com>
Sat, 7 Mar 2026 01:03:02 +0000 (06:33 +0530)
committerViacheslav Dubeyko <slava@dubeyko.com>
Mon, 9 Mar 2026 17:16:09 +0000 (10:16 -0700)
commitb6b592275aeff184aa82fcf6abccd833fb71b393
treeb7ada149a3d04389167c61c57147cb72ffe59761tree | snapshot
parentee8422d00b7cfa028823ebf1f28bf9dea428cac3commit | diff
hfsplus: fix uninit-value by validating catalog record size

Syzbot reported a KMSAN uninit-value issue in hfsplus_strcasecmp(). The
root cause is that hfs_brec_read() doesn't validate that the on-disk
record size matches the expected size for the record type being read.

When mounting a corrupted filesystem, hfs_brec_read() may read less data
than expected. For example, when reading a catalog thread record, the
debug output showed:

  HFSPLUS_BREC_READ: rec_len=520, fd->entrylength=26
  HFSPLUS_BREC_READ: WARNING - entrylength (26) < rec_len (520) - PARTIAL READ!

hfs_brec_read() only validates that entrylength is not greater than the
buffer size, but doesn't check if it's less than expected. It successfully
reads 26 bytes into a 520-byte structure and returns success, leaving 494
bytes uninitialized.

This uninitialized data in tmp.thread.nodeName then gets copied by
hfsplus_cat_build_key_uni() and used by hfsplus_strcasecmp(), triggering
the KMSAN warning when the uninitialized bytes are used as array indices
in case_fold().

Fix by introducing hfsplus_brec_read_cat() wrapper that:
1. Calls hfs_brec_read() to read the data
2. Validates the record size based on the type field:
   - Fixed size for folder and file records
   - Variable size for thread records (depends on string length)
3. Returns -EIO if size doesn't match expected

For thread records, check against HFSPLUS_MIN_THREAD_SZ before reading
nodeName.length to avoid reading uninitialized data at call sites that
don't zero-initialize the entry structure.

Also initialize the tmp variable in hfsplus_find_cat() as defensive
programming to ensure no uninitialized data even if validation is
bypassed.

Reported-by: syzbot+d80abb5b890d39261e72@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=d80abb5b890d39261e72
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Tested-by: syzbot+d80abb5b890d39261e72@syzkaller.appspotmail.com
Reviewed-by: Viacheslav Dubeyko <slava@dubeyko.com>
Tested-by: Viacheslav Dubeyko <slava@dubeyko.com>
Suggested-by: Charalampos Mitrodimas <charmitro@posteo.net>
Link: https://lore.kernel.org/all/20260120051114.1281285-1-kartikey406@gmail.com/
Link: https://lore.kernel.org/all/20260121063109.1830263-1-kartikey406@gmail.com/
Link: https://lore.kernel.org/all/20260212014233.2422046-1-kartikey406@gmail.com/
Link: https://lore.kernel.org/all/20260214002100.436125-1-kartikey406@gmail.com/T/
Link: https://lore.kernel.org/all/20260221061626.15853-1-kartikey406@gmail.com/T/
Signed-off-by: Deepanshu Kartikey <kartikey406@gmail.com>
Signed-off-by: Viacheslav Dubeyko <slava@dubeyko.com>
Link: https://lore.kernel.org/r/20260307010302.41547-1-kartikey406@gmail.com
Signed-off-by: Viacheslav Dubeyko <slava@dubeyko.com>
fs/hfsplus/bfind.c diff | blob | blame | history
fs/hfsplus/catalog.c diff | blob | blame | history
fs/hfsplus/dir.c diff | blob | blame | history
fs/hfsplus/hfsplus_fs.h diff | blob | blame | history
fs/hfsplus/super.c diff | blob | blame | history
A mirror of Linus' kernel repository