lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Message-ID: <20251006223805.139206-1-nirbhay.lkd@gmail.com>
Date: Tue,  7 Oct 2025 04:08:04 +0530
From: Nirbhay Sharma <nirbhay.lkd@...il.com>
To: Konstantin Komarov <almaz.alexandrovich@...agon-software.com>
Cc: david.hunter.linux@...il.com,
	skhan@...uxfoundation.org,
	linux-kernel-mentees@...ts.linuxfoundation.org,
	khalid@...nel.org,
	Nirbhay Sharma <nirbhay.lkd@...il.com>,
	syzbot+83c9dd5c0dcf6184fdbf@...kaller.appspotmail.com,
	ntfs3@...ts.linux.dev,
	linux-kernel@...r.kernel.org
Subject: [PATCH] fs/ntfs3: fix KMSAN uninit-value in ni_create_attr_list

The call to kmalloc() to allocate the attribute list buffer is given a
size of al_aligned(rs). This size can be larger than the data
subsequently copied into the buffer, leaving trailing bytes uninitialized.

This can trigger a KMSAN "uninit-value" warning if that memory is
later accessed.

Fix this by using kzalloc() instead, which ensures the entire
allocated buffer is zero-initialized, preventing the warning.

Reported-by: syzbot+83c9dd5c0dcf6184fdbf@...kaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=83c9dd5c0dcf6184fdbf
Signed-off-by: Nirbhay Sharma <nirbhay.lkd@...il.com>
---
The following syzbot test commands were used to verify the fix against
both linux-next and a specific mainline commit. Both kernels were
configured with CONFIG_KMSAN=y, and no KMSAN warnings were observed
with the patch applied.

An attempt to test against the latest mainline tip failed due to an
unrelated boot failure in the SCSI subsystem (KMSAN: use-after-free in
scsi_get_vpd_buf). Therefore, testing was done on the last known-good
mainline commit below.

For mainline commit 9b0d551bcc05 ("Merge tag 'pull-misc' of..."):
#syz test: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git 9b0d551bcc05

For the linux-next branch:
#syz test: https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git master

 fs/ntfs3/frecord.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/fs/ntfs3/frecord.c b/fs/ntfs3/frecord.c
index 8f9fe1d7a690..4fe8da7fc034 100644
--- a/fs/ntfs3/frecord.c
+++ b/fs/ntfs3/frecord.c
@@ -767,7 +767,7 @@ int ni_create_attr_list(struct ntfs_inode *ni)
 	 * Skip estimating exact memory requirement.
 	 * Looks like one record_size is always enough.
 	 */
-	le = kmalloc(al_aligned(rs), GFP_NOFS);
+	le = kzalloc(al_aligned(rs), GFP_NOFS);
 	if (!le)
 		return -ENOMEM;
 
-- 
2.51.0

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ