| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <5b3c275b93ba5df4bdb42dc2a5342ebe63782337.camel@ibm.com>
Date: Wed, 21 Jan 2026 20:14:27 +0000
From: Viacheslav Dubeyko <Slava.Dubeyko@....com>
To: "glaubitz@...sik.fu-berlin.de" <glaubitz@...sik.fu-berlin.de>,
"frank.li@...o.com" <frank.li@...o.com>,
"slava@...eyko.com"
<slava@...eyko.com>,
"kartikey406@...il.com" <kartikey406@...il.com>
CC: "linux-fsdevel@...r.kernel.org" <linux-fsdevel@...r.kernel.org>,
"linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
"syzbot+d80abb5b890d39261e72@...kaller.appspotmail.com"
<syzbot+d80abb5b890d39261e72@...kaller.appspotmail.com>
Subject: Re: [PATCH v2] hfsplus: fix uninit-value in hfsplus_strcasecmp
On Wed, 2026-01-21 at 12:01 +0530, Deepanshu Kartikey wrote:
> Syzbot reported a KMSAN uninit-value issue in hfsplus_strcasecmp() during
> filesystem mount operations. The root cause is that hfsplus_find_cat()
> declares a local hfsplus_cat_entry variable without initialization before
> passing it to hfs_brec_read().
>
> When the filesystem image is corrupted or malformed (as syzbot fuzzes),
> hfs_brec_read() may read less data than sizeof(hfsplus_cat_entry). In such
> cases, the tmp.thread.nodeName.unicode array may only be partially filled,
> leaving remaining bytes uninitialized.
I still don't understand this point. Please, see my questions in the thread for
v1 of the patch. Could you please address my questions/worries?
Thanks,
Slava.
>
> hfsplus_cat_build_key_uni() then copies from this array based on
> nodeName.length. If the on-disk length field is corrupted or the array
> wasn't fully written by hfs_brec_read(), uninitialized stack data gets
> copied into the search key. When hfsplus_strcasecmp() subsequently reads
> these uninitialized bytes and uses them in case_fold() as an array index
> into hfsplus_case_fold_table, KMSAN detects the use of uninitialized values.
>
> Fix this by initializing tmp to zero, ensuring that even with corrupted
> filesystem images, no uninitialized data is propagated.
>
> Reported-by: syzbot+d80abb5b890d39261e72@...kaller.appspotmail.com
> Closes: https://syzkaller.appspot.com/bug?extid=d80abb5b890d39261e72
> Tested-by: syzbot+d80abb5b890d39261e72@...kaller.appspotmail.com
> Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
> Link: https://lore.kernel.org/all/20260120051114.1281285-1-kartikey406@gmail.com/T/ [v1]
> Signed-off-by: Deepanshu Kartikey <kartikey406@...il.com>
> ---
> Changes in v2:
> - Use structure initialization (= {0}) instead of memset() as suggested
> by Viacheslav Dubeyko
> - Improved commit message to clarify how uninitialized data is used
> ---
> fs/hfsplus/catalog.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/fs/hfsplus/catalog.c b/fs/hfsplus/catalog.c
> index 02c1eee4a4b8..56a53d2d437e 100644
> --- a/fs/hfsplus/catalog.c
> +++ b/fs/hfsplus/catalog.c
> @@ -194,7 +194,7 @@ static int hfsplus_fill_cat_thread(struct super_block *sb,
> int hfsplus_find_cat(struct super_block *sb, u32 cnid,
> struct hfs_find_data *fd)
> {
> - hfsplus_cat_entry tmp;
> + hfsplus_cat_entry tmp = {0};
> int err;
> u16 type;
>
Powered by blists - more mailing lists