lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <696af4b6.050a0220.3390f1.0001.GAE@google.com>
Date: Fri, 16 Jan 2026 18:32:22 -0800
From: syzbot <syzbot+8debf4b3f7c7391cd8eb@...kaller.appspotmail.com>
To: linux-kernel@...r.kernel.org, syzkaller-bugs@...glegroups.com
Subject: Forwarded: [PATCH] hpfs: add buffer bounds validation in hpfs_bplus_lookup

For archival purposes, forwarding an incoming command email to
linux-kernel@...r.kernel.org, syzkaller-bugs@...glegroups.com.

***

Subject: [PATCH] hpfs: add buffer bounds validation in hpfs_bplus_lookup
Author: kartikey406@...il.com


#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master

When traversing the B+ tree in a corrupted HPFS filesystem, the btree
pointer obtained from GET_BTREE_PTR() may point outside the mapped
buffer's bounds if the on-disk data structures are malformed. This
leads to a use-after-free when accessing btree->u.external[i] as the
memory may have been freed and reallocated.

Additionally, a corrupted n_used_nodes value can cause out-of-bounds
array access when iterating through btree->u.internal[] or
btree->u.external[] arrays.

Add validation to ensure:
1. The btree pointer stays within the mapped buffer boundaries
2. The n_used_nodes value is within reasonable limits

This prevents KASAN-detected use-after-free when processing malicious
HPFS filesystem images.

Reported-by: syzbot+8debf4b3f7c7391cd8eb@...kaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=8debf4b3f7c7391cd8eb
Signed-off-by: Deepanshu Kartikey <kartikey406@...il.com>
---
 fs/hpfs/anode.c | XX insertions(+), X deletions(-)

diff --git a/fs/hpfs/anode.c b/fs/hpfs/anode.c
index XXXXXXX..YYYYYYY 100644
--- a/fs/hpfs/anode.c
+++ b/fs/hpfs/anode.c
@@ -XX,6 +XX,16 @@ secno hpfs_bplus_lookup(struct super_block *s, struct inode *inode,
 				brelse(bh);
 				if (!(anode = hpfs_map_anode(s
---
 fs/hpfs/anode.c | 74 +++++++++++++++++++++++++++++++++++++++++++++++--
 1 file changed, 71 insertions(+), 3 deletions(-)

diff --git a/fs/hpfs/anode.c b/fs/hpfs/anode.c
index a4f5321eafae..826e2142223b 100644
--- a/fs/hpfs/anode.c
+++ b/fs/hpfs/anode.c
@@ -19,25 +19,87 @@ secno hpfs_bplus_lookup(struct super_block *s, struct inode *inode,
 	struct anode *anode;
 	int i;
 	int c1, c2 = 0;
+	
+	printk(KERN_DEBUG "hpfs_bplus_lookup: ENTRY btree=%px bh=%px sec=%u\n", 
+	       btree, bh, sec);
+	
 	go_down:
 	if (hpfs_sb(s)->sb_chk) if (hpfs_stop_cycles(s, a, &c1, &c2, "hpfs_bplus_lookup")) return -1;
+	
+	printk(KERN_DEBUG "hpfs_bplus_lookup: go_down - btree=%px bh=%px internal=%d n_used_nodes=%u\n",
+	       btree, bh, bp_internal(btree), btree->n_used_nodes);
+	
 	if (bp_internal(btree)) {
-		for (i = 0; i < btree->n_used_nodes; i++)
+		printk(KERN_DEBUG "hpfs_bplus_lookup: Processing INTERNAL node\n");
+		for (i = 0; i < btree->n_used_nodes; i++) {
+			printk(KERN_DEBUG "hpfs_bplus_lookup: internal[%d] file_secno=%u looking_for=%u\n",
+			       i, le32_to_cpu(btree->u.internal[i].file_secno), sec);
+			
 			if (le32_to_cpu(btree->u.internal[i].file_secno) > sec) {
 				a = le32_to_cpu(btree->u.internal[i].down);
+				
+				printk(KERN_DEBUG "hpfs_bplus_lookup: Found match, going down to anode=%08x\n", a);
+				printk(KERN_DEBUG "hpfs_bplus_lookup: BEFORE brelse - bh=%px btree=%px\n", bh, btree);
+				
 				brelse(bh);
-				if (!(anode = hpfs_map_anode(s, a, &bh))) return -1;
+				
+				printk(KERN_DEBUG "hpfs_bplus_lookup: AFTER brelse - calling hpfs_map_anode\n");
+				
+				if (!(anode = hpfs_map_anode(s, a, &bh))) {
+					printk(KERN_ERR "hpfs_bplus_lookup: hpfs_map_anode FAILED for anode=%08x\n", a);
+					return -1;
+				}
+				
+				printk(KERN_DEBUG "hpfs_bplus_lookup: hpfs_map_anode SUCCESS - new_bh=%px anode=%px\n", bh, anode);
+				
 				btree = GET_BTREE_PTR(&anode->btree);
+				/* Validate btree pointer is within buffer bounds */
+				if ((unsigned long)btree < (unsigned long)bh->b_data ||
+    					(unsigned long)btree + sizeof(*btree) > (unsigned long)bh->b_data + bh->b_size) {
+    					printk(KERN_ERR "hpfs_bplus_lookup: INVALID btree pointer! btree=%px buf_start=%px buf_end=%px\n",
+           					btree, bh->b_data, (void *)((unsigned long)bh->b_data + bh->b_size));
+    					brelse(bh);
+    					return -1;
+				}
+
+				/* Validate n_used_nodes is reasonable */
+				if (btree->n_used_nodes > 100) {  /* Adjust based on actual max */
+    					printk(KERN_ERR "hpfs_bplus_lookup: SUSPICIOUS n_used_nodes=%u (too large)\n",
+           					btree->n_used_nodes);
+    					brelse(bh);
+    					return -1;
+				}				
+				printk(KERN_DEBUG "hpfs_bplus_lookup: NEW btree=%px (from anode->btree)\n", btree);
+				
 				goto go_down;
 			}
+		}
 		hpfs_error(s, "sector %08x not found in internal anode %08x", sec, a);
 		brelse(bh);
 		return -1;
 	}
-	for (i = 0; i < btree->n_used_nodes; i++)
+	
+	printk(KERN_DEBUG "hpfs_bplus_lookup: Processing EXTERNAL node - btree=%px bh=%px n_used_nodes=%u\n",
+	       btree, bh, btree->n_used_nodes);
+	
+	/* Add bounds checking */
+	printk(KERN_DEBUG "hpfs_bplus_lookup: Buffer bounds - bh->b_data=%px size=%zu btree=%px\n",
+	       bh->b_data, bh->b_size, btree);
+	
+	for (i = 0; i < btree->n_used_nodes; i++) {
+		printk(KERN_DEBUG "hpfs_bplus_lookup: external[%d] - accessing btree->u.external[%d] at %px\n",
+		       i, i, &btree->u.external[i]);
+		
+		/* This is line 38 - the crash point */
+		printk(KERN_DEBUG "hpfs_bplus_lookup: external[%d] - reading file_secno from %px\n",
+		       i, &btree->u.external[i].file_secno);
+		
 		if (le32_to_cpu(btree->u.external[i].file_secno) <= sec &&
 		    le32_to_cpu(btree->u.external[i].file_secno) + le32_to_cpu(btree->u.external[i].length) > sec) {
 			a = le32_to_cpu(btree->u.external[i].disk_secno) + sec - le32_to_cpu(btree->u.external[i].file_secno);
+			
+			printk(KERN_DEBUG "hpfs_bplus_lookup: FOUND external match - disk_secno=%u\n", a);
+			
 			if (hpfs_sb(s)->sb_chk) if (hpfs_chk_sectors(s, a, 1, "data")) {
 				brelse(bh);
 				return -1;
@@ -49,10 +111,16 @@ secno hpfs_bplus_lookup(struct super_block *s, struct inode *inode,
 				hpfs_inode->i_n_secs = le32_to_cpu(btree->u.external[i].length);
 			}
 			brelse(bh);
+			
+			printk(KERN_DEBUG "hpfs_bplus_lookup: EXIT SUCCESS - returning %u\n", a);
 			return a;
 		}
+	}
+	
 	hpfs_error(s, "sector %08x not found in external anode %08x", sec, a);
 	brelse(bh);
+	
+	printk(KERN_DEBUG "hpfs_bplus_lookup: EXIT FAILURE\n");
 	return -1;
 }
 
-- 
2.43.0

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ