[PATCH] hfs: use kzalloc in hfs_find_init() to fix KMSAN bug

[PATCH] hfs: use kzalloc in hfs_find_init() to fix KMSAN bug

[Gianfranco Trad]

Syzbot reports KMSAN uninit-value use in hfs_free_fork [1].
Use kzalloc() instead of kmalloc() to zero-init fd->search_key
in hfs_find_init() in order to mitigate such KMSAN bug.

[1] https://syzkaller.appspot.com/bug?extid=2e6fb1f89ce5e13cd02d

Reported-by: syzbot+2e6fb1f89ce5e13cd02d@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=2e6fb1f89ce5e13cd02d
Tested-by: syzbot+2e6fb1f89ce5e13cd02d@syzkaller.appspotmail.com
Signed-off-by: Gianfranco Trad <gianf.trad@gmail.com>
---

Notes: since there's no maintainer for hfs I included Andrew as stated
in the Documentation. I also considered to include the top 2 commiters
to hfs subsytem given by scripts/get_maintainers.pl. Hope it's not a
problem, if so apologies.

 fs/hfs/bfind.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/fs/hfs/bfind.c b/fs/hfs/bfind.c
index ef9498a6e88a..c74d864bc29e 100644
--- a/fs/hfs/bfind.c
+++ b/fs/hfs/bfind.c
@@ -18,7 +18,7 @@ int hfs_find_init(struct hfs_btree *tree, struct hfs_find_data *fd)
 
 	fd->tree = tree;
 	fd->bnode = NULL;
-	ptr = kmalloc(tree->max_key_len * 2 + 4, GFP_KERNEL);
+	ptr = kzalloc(tree->max_key_len * 2 + 4, GFP_KERNEL);
 	if (!ptr)
 		return -ENOMEM;
 	fd->search_key = ptr;
-- 
2.43.0

Re: [PATCH] hfs: use kzalloc in hfs_find_init() to fix KMSAN bug

[Gianfranco Trad]

On 23/10/24 00:57, Gianfranco Trad wrote:
> Syzbot reports KMSAN uninit-value use in hfs_free_fork [1].
> Use kzalloc() instead of kmalloc() to zero-init fd->search_key
> in hfs_find_init() in order to mitigate such KMSAN bug.
> 
> [1] https://syzkaller.appspot.com/bug?extid=2e6fb1f89ce5e13cd02d
> 
> Reported-by: syzbot+2e6fb1f89ce5e13cd02d@syzkaller.appspotmail.com
> Closes: https://syzkaller.appspot.com/bug?extid=2e6fb1f89ce5e13cd02d
> Tested-by: syzbot+2e6fb1f89ce5e13cd02d@syzkaller.appspotmail.com
> Signed-off-by: Gianfranco Trad <gianf.trad@gmail.com>
> ---
> 
> Notes: since there's no maintainer for hfs I included Andrew as stated
> in the Documentation. I also considered to include the top 2 commiters
> to hfs subsytem given by scripts/get_maintainers.pl. Hope it's not a
> problem, if so apologies.
> 
>   fs/hfs/bfind.c | 2 +-
>   1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/fs/hfs/bfind.c b/fs/hfs/bfind.c
> index ef9498a6e88a..c74d864bc29e 100644
> --- a/fs/hfs/bfind.c
> +++ b/fs/hfs/bfind.c
> @@ -18,7 +18,7 @@ int hfs_find_init(struct hfs_btree *tree, struct hfs_find_data *fd)
>   
>   	fd->tree = tree;
>   	fd->bnode = NULL;
> -	ptr = kmalloc(tree->max_key_len * 2 + 4, GFP_KERNEL);
> +	ptr = kzalloc(tree->max_key_len * 2 + 4, GFP_KERNEL);
>   	if (!ptr)
>   		return -ENOMEM;
>   	fd->search_key = ptr;

I ensured syzbot reproducer still triggers KMSAN bug upstream[1].
I ensured that the above patch was tested by syzbot upstream, not 
triggering any issue[2].

I know hfs is orphaned, but if anyone can pick it up or review it for 
additional feedback I'd highly appreciate it, as it addresses bug in 
stable releases.

Thanks for your time,

[1] https://syzkaller.appspot.com/x/log.txt?x=12cd38c0580000
[2] https://syzkaller.appspot.com/x/log.txt?x=136874e8580000

--Gian