From: kernel test robot <lkp@intel.com>
To: "k.chen" <k.chen@smail.nju.edu.cn>
Cc: llvm@lists.linux.dev, oe-kbuild-all@lists.linux.dev,
	slava@dubeyko.com, frank.li@vivo.com,
	linux-fsdevel@vger.kernel.org, glaubitz@physik.fu-berlin.de,
	wenzhi.wang@uwaterloo.ca, liushixin2@huawei.com,
	"k.chen" <k.chen@smail.nju.edu.cn>
Subject: Re: [PATCH] hfsplus: fix slab-out-of-bounds read in hfsplus_uni2asc()
Date: Sun, 7 Sep 2025 05:37:51 +0800
Message-ID: <202509070516.2i61Okso-lkp@intel.com>
In-Reply-To: <20250906100923.444243-1-k.chen@smail.nju.edu.cn>

Hi k.chen,

kernel test robot noticed the following build errors:

[auto build test ERROR on linus/master]
[also build test ERROR on v6.17-rc4 next-20250905]
[If your patch is applied to the wrong git tree, kindly drop us a note.
And when submitting patch, we suggest to use '--base' as documented in
https://git-scm.com/docs/git-format-patch#_base_tree_information]

url:    https://github.com/intel-lab-lkp/linux/commits/k-chen/hfsplus-fix-slab-out-of-bounds-read-in-hfsplus_uni2asc/20250906-181212
base:   linus/master
patch link:    https://lore.kernel.org/r/20250906100923.444243-1-k.chen%40smail.nju.edu.cn
patch subject: [PATCH] hfsplus: fix slab-out-of-bounds read in hfsplus_uni2asc()
config: arm-randconfig-002-20250907 (https://download.01.org/0day-ci/archive/20250907/202509070516.2i61Okso-lkp@intel.com/config)
compiler: clang version 22.0.0git (https://github.com/llvm/llvm-project 7fb1dc08d2f025aad5777bb779dfac1197e9ef87)
reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20250907/202509070516.2i61Okso-lkp@intel.com/reproduce)

If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add following tags
| Reported-by: kernel test robot <lkp@intel.com>
| Closes: https://lore.kernel.org/oe-kbuild-all/202509070516.2i61Okso-lkp@intel.com/

All errors (new ones prefixed by >>):

>> fs/hfsplus/xattr.c:739:9: error: incompatible pointer types passing 'const struct hfsplus_attr_unistr *' to parameter of type 'const struct hfsplus_unistr *' [-Werror,-Wincompatible-pointer-types]
     739 |                                     (const struct hfsplus_attr_unistr *)&fd.key
         |                                     ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     740 |                                             ->attr.key_name,
         |                                             ~~~~~~~~~~~~~~~
   fs/hfsplus/hfsplus_fs.h:524:74: note: passing argument to parameter 'ustr' here
     524 | int hfsplus_uni2asc(struct super_block *sb, const struct hfsplus_unistr *ustr,
         |                                                                          ^
   1 error generated.


vim +739 fs/hfsplus/xattr.c

   675	
   676	ssize_t hfsplus_listxattr(struct dentry *dentry, char *buffer, size_t size)
   677	{
   678		ssize_t err;
   679		ssize_t res;
   680		struct inode *inode = d_inode(dentry);
   681		struct hfs_find_data fd;
   682		struct hfsplus_attr_key attr_key;
   683		char *strbuf;
   684		int xattr_name_len;
   685	
   686		if ((!S_ISREG(inode->i_mode) &&
   687				!S_ISDIR(inode->i_mode)) ||
   688					HFSPLUS_IS_RSRC(inode))
   689			return -EOPNOTSUPP;
   690	
   691		res = hfsplus_listxattr_finder_info(dentry, buffer, size);
   692		if (res < 0)
   693			return res;
   694		else if (!HFSPLUS_SB(inode->i_sb)->attr_tree)
   695			return (res == 0) ? -EOPNOTSUPP : res;
   696	
   697		err = hfs_find_init(HFSPLUS_SB(inode->i_sb)->attr_tree, &fd);
   698		if (err) {
   699			pr_err("can't init xattr find struct\n");
   700			return err;
   701		}
   702	
   703		strbuf = kzalloc(NLS_MAX_CHARSET_SIZE * HFSPLUS_ATTR_MAX_STRLEN +
   704				XATTR_MAC_OSX_PREFIX_LEN + 1, GFP_KERNEL);
   705		if (!strbuf) {
   706			res = -ENOMEM;
   707			goto out;
   708		}
   709	
   710		err = hfsplus_find_attr(inode->i_sb, inode->i_ino, NULL, &fd);
   711		if (err) {
   712			if (err == -ENOENT) {
   713				if (res == 0)
   714					res = -ENODATA;
   715				goto end_listxattr;
   716			} else {
   717				res = err;
   718				goto end_listxattr;
   719			}
   720		}
   721	
   722		for (;;) {
   723			u16 key_len = hfs_bnode_read_u16(fd.bnode, fd.keyoffset);
   724	
   725			if (key_len == 0 || key_len > fd.tree->max_key_len) {
   726				pr_err("invalid xattr key length: %d\n", key_len);
   727				res = -EIO;
   728				goto end_listxattr;
   729			}
   730	
   731			hfs_bnode_read(fd.bnode, &attr_key,
   732					fd.keyoffset, key_len + sizeof(key_len));
   733	
   734			if (be32_to_cpu(attr_key.cnid) != inode->i_ino)
   735				goto end_listxattr;
   736	
   737			xattr_name_len = NLS_MAX_CHARSET_SIZE * HFSPLUS_ATTR_MAX_STRLEN;
   738			if (hfsplus_uni2asc(inode->i_sb,
 > 739					    (const struct hfsplus_attr_unistr *)&fd.key
   740						    ->attr.key_name,
   741					    HFSPLUS_ATTR_MAX_STRLEN, strbuf,
   742					    &xattr_name_len)) {
   743				pr_err("unicode conversion failed\n");
   744				res = -EIO;
   745				goto end_listxattr;
   746			}
   747	
   748			if (!buffer || !size) {
   749				if (can_list(strbuf))
   750					res += name_len(strbuf, xattr_name_len);
   751			} else if (can_list(strbuf)) {
   752				if (size < (res + name_len(strbuf, xattr_name_len))) {
   753					res = -ERANGE;
   754					goto end_listxattr;
   755				} else
   756					res += copy_name(buffer + res,
   757							strbuf, xattr_name_len);
   758			}
   759	
   760			if (hfs_brec_goto(&fd, 1))
   761				goto end_listxattr;
   762		}
   763	
   764	end_listxattr:
   765		kfree(strbuf);
   766	out:
   767		hfs_find_exit(&fd);
   768		return res;
   769	}
   770	

-- 
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki


Thread overview: 6+ messages
2025-09-06 10:09 [PATCH] hfsplus: fix slab-out-of-bounds read in hfsplus_uni2asc() k.chen
2025-09-06 11:32 ` Greg KH
2025-09-06 21:37 ` kernel test robot [this message]
  -- strict thread matches above, loose matches on Subject: below --
2025-07-03 18:41 Viacheslav Dubeyko
2025-07-09  5:10 ` Yangtao Li
2025-07-09 18:19   ` Viacheslav Dubeyko
