From: syzbot <syzbot+d80abb5b890d39261e72@syzkaller.appspotmail.com>
To: linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com
Subject: Forwarded: [PATCH] hfsplus: fix uninit-value in hfsplus_strcasecmp
Date: Mon, 19 Jan 2026 20:33:45 -0800
Message-ID: <696f05a9.a00a0220.3ad28e.0003.GAE@google.com>
In-Reply-To: <696ea368.a70a0220.34546f.04b7.GAE@google.com>

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: [PATCH] hfsplus: fix uninit-value in hfsplus_strcasecmp
Author: kartikey406@gmail.com

#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master

Syzbot reported a KMSAN uninit-value issue in hfsplus_strcasecmp() during
filesystem mount operations. The root cause is that hfsplus_find_cat()
declares a local hfsplus_cat_entry variable without initialization before
passing it to hfs_brec_read().

If hfs_brec_read() doesn't completely fill the entire structure (e.g., when
the on-disk data is shorter than sizeof(hfsplus_cat_entry)), the padding
bytes in tmp.thread.nodeName remain uninitialized. These uninitialized
bytes are then copied by hfsplus_cat_build_key_uni() into the search key,
and subsequently accessed by hfsplus_strcasecmp() during catalog lookups,
triggering the KMSAN warning.

Fix this by zeroing the tmp variable before use to ensure all padding
bytes are initialized.

Reported-by: syzbot+d80abb5b890d39261e72@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=d80abb5b890d39261e72
Signed-off-by: Deepanshu Kartikey <kartikey406@gmail.com>
---
 fs/hfsplus/catalog.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/fs/hfsplus/catalog.c b/fs/hfsplus/catalog.c
index 02c1eee4a4b8..9c75d1736427 100644
--- a/fs/hfsplus/catalog.c
+++ b/fs/hfsplus/catalog.c
@@ -199,6 +199,7 @@ int hfsplus_find_cat(struct super_block *sb, u32 cnid,
 	u16 type;
 
 	hfsplus_cat_build_key_with_cnid(sb, fd->search_key, cnid);
+	memset(&tmp, 0, sizeof(tmp));
 	err = hfs_brec_read(fd, &tmp, sizeof(hfsplus_cat_entry));
 	if (err)
 		return err;
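Review bot: The added memset(&tmp, 0, sizeof(tmp)) ahead of hfs_brec_read() makes a truncated catalog record look like a valid record with a zero-filled tail instead of rejecting it. The commit message attributes the uninitialized bytes to on-disk data shorter than sizeof(hfsplus_cat_entry), but after this change the only check following the read is still `if (err) return err;`, so a short record is used as if it were complete. Suggest validating the size actually read against the size the record type requires (including the nodeName length for thread records) and returning an error such as -EIO on a mismatch; the memset can remain as defense in depth, but it should not be the sole fix. The commit message should also state that downstream code will now treat the zeroed bytes as record data.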
-- 
2.43.0



Thread overview: 11+ messages
2026-01-19 21:34 [syzbot] [hfs?] KMSAN: uninit-value in hfsplus_strcasecmp (2) syzbot
2026-01-20  4:33 ` syzbot [this message]
2026-01-21  5:15 ` Forwarded: [PATCH] hfsplus: add debug printk to show uninitialized values in case_fold syzbot
2026-01-21  5:24 ` syzbot
2026-01-21  5:50 ` syzbot
2026-01-22  8:42 ` Forwarded: [PATCH] hfsplus: add debug printk to show partial reads in hfs_brec_read syzbot
2026-01-22 23:34 ` syzbot
2026-02-11 15:05 ` Forwarded: [PATCH] hfsplus: fix uninit-value by validating catalog record size syzbot
2026-02-13  4:50 ` Forwarded: [PATCH v4] " syzbot
2026-02-21  4:59 ` Forwarded: [PATCH] " syzbot
2026-03-07  0:25 ` Forwarded: [PATCH v6] " syzbot
