From 1336b22bb9f3ff4e144c4122a4b4b13c53e682a7 Mon Sep 17 00:00:00 2001
From: Shaurya Rane
Date: Thu, 20 Nov 2025 00:44:21 +0530
Subject: [PATCH] hfsplus: fix uninit-value in hfsplus_cat_build_record

The root cause is in hfsplus_cat_build_record(), which builds catalog entries using the union hfsplus_cat_entry. This union contains three members with significantly different sizes:
struct hfsplus_cat_folder folder; (88 bytes)
struct hfsplus_cat_file file; (248 bytes)
struct hfsplus_cat_thread thread; (520 bytes)
The function was only zeroing the specific member being used (folder or file), not the entire union. This left significant uninitialized data:
For folders: 520 - 88 = 432 bytes uninitialized
For files: 520 - 248 = 272 bytes uninitialized
This uninitialized data was then written to disk via hfs_brec_insert(), read back through the loop device, and eventually copied to userspace via filemap_read(), resulting in a leak of kernel stack memory.
Fix this by zeroing the entire union before initializing the specific member. This ensures no uninitialized bytes remain.
Reported-by: syzbot+905d785c4923bea2c1db@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=905d785c4923bea2c1db
Fixes: 1da177e4c3f4
Signed-off-by: Shaurya Rane
---
 fs/hfsplus/catalog.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/fs/hfsplus/catalog.c b/fs/hfsplus/catalog.c
index 02c1eee4a4b8..4d42e7139f3b 100644
--- a/fs/hfsplus/catalog.c
+++ b/fs/hfsplus/catalog.c
@@ -111,7 +111,8 @@ static int hfsplus_cat_build_record(hfsplus_cat_entry *entry,
 		struct hfsplus_cat_folder *folder;
 
 		folder = &entry->folder;
-		memset(folder, 0, sizeof(*folder));
+		/* Zero the entire union to avoid leaking uninitialized data */
+		memset(entry, 0, sizeof(*entry));
 		folder->type = cpu_to_be16(HFSPLUS_FOLDER);
 		if (test_bit(HFSPLUS_SB_HFSX, &sbi->flags))
 			folder->flags |= cpu_to_be16(HFSPLUS_HAS_FOLDER_COUNT);
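Review bot: The whole-union memset and its comment are duplicated in this hunk and again in the file branch at @@ -130,7 +131,8 @@; a single `memset(entry, 0, sizeof(*entry));` placed once before the folder/file branch would cover both paths and any entry type added later, and leaves one place that states the invariant. The body of hfsplus_cat_build_record() starts before this hunk, so the exact insertion point (after the local declarations, ahead of the branch) is not visible here. `folder = &entry->folder;` can stay where it is in either layout, since memset does not touch the pointer itself. Whichever placement is kept, the comment would be more useful if it said why the whole union matters, e.g. `/* sizeof(*entry) is the largest member; zero all of it so bytes past the folder/file layout are never written out uninitialized */`.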
@@ -130,7 +131,8 @@ static int hfsplus_cat_build_record(hfsplus_cat_entry *entry,
 		struct hfsplus_cat_file *file;
 
 		file = &entry->file;
-		memset(file, 0, sizeof(*file));
+		/* Zero the entire union to avoid leaking uninitialized data */
+		memset(entry, 0, sizeof(*entry));
 		file->type = cpu_to_be16(HFSPLUS_FILE);
 		file->flags = cpu_to_be16(HFSPLUS_FILE_THREAD_EXISTS);
 		file->id = cpu_to_be32(cnid);
-- 
2.34.1