From: kernel test robot <lkp@intel.com>
To: "k.chen" <k.chen@smail.nju.edu.cn>
Cc: llvm@lists.linux.dev, oe-kbuild-all@lists.linux.dev,
slava@dubeyko.com, frank.li@vivo.com,
linux-fsdevel@vger.kernel.org, glaubitz@physik.fu-berlin.de,
wenzhi.wang@uwaterloo.ca, liushixin2@huawei.com,
"k.chen" <k.chen@smail.nju.edu.cn>
Subject: Re: [PATCH] hfsplus: fix slab-out-of-bounds read in hfsplus_uni2asc()
Date: Sun, 7 Sep 2025 05:37:51 +0800
Message-ID: <202509070516.2i61Okso-lkp@intel.com>
In-Reply-To: <20250906100923.444243-1-k.chen@smail.nju.edu.cn>
Hi k.chen,
kernel test robot noticed the following build errors:
[auto build test ERROR on linus/master]
[also build test ERROR on v6.17-rc4 next-20250905]
[If your patch is applied to the wrong git tree, kindly drop us a note.
And when submitting patch, we suggest to use '--base' as documented in
https://git-scm.com/docs/git-format-patch#_base_tree_information]
url: https://github.com/intel-lab-lkp/linux/commits/k-chen/hfsplus-fix-slab-out-of-bounds-read-in-hfsplus_uni2asc/20250906-181212
base: linus/master
patch link: https://lore.kernel.org/r/20250906100923.444243-1-k.chen%40smail.nju.edu.cn
patch subject: [PATCH] hfsplus: fix slab-out-of-bounds read in hfsplus_uni2asc()
config: arm-randconfig-002-20250907 (https://download.01.org/0day-ci/archive/20250907/202509070516.2i61Okso-lkp@intel.com/config)
compiler: clang version 22.0.0git (https://github.com/llvm/llvm-project 7fb1dc08d2f025aad5777bb779dfac1197e9ef87)
reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20250907/202509070516.2i61Okso-lkp@intel.com/reproduce)
If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add following tags
| Reported-by: kernel test robot <lkp@intel.com>
| Closes: https://lore.kernel.org/oe-kbuild-all/202509070516.2i61Okso-lkp@intel.com/
All errors (new ones prefixed by >>):
>> fs/hfsplus/xattr.c:739:9: error: incompatible pointer types passing 'const struct hfsplus_attr_unistr *' to parameter of type 'const struct hfsplus_unistr *' [-Werror,-Wincompatible-pointer-types]
     739 |                             (const struct hfsplus_attr_unistr *)&fd.key
         |                             ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     740 |                                     ->attr.key_name,
         |                                     ~~~~~~~~~~~~~~~
   fs/hfsplus/hfsplus_fs.h:524:74: note: passing argument to parameter 'ustr' here
     524 | int hfsplus_uni2asc(struct super_block *sb, const struct hfsplus_unistr *ustr,
         |                                                                          ^
   1 error generated.
vim +739 fs/hfsplus/xattr.c
  675
  676  ssize_t hfsplus_listxattr(struct dentry *dentry, char *buffer, size_t size)
  677  {
  678          ssize_t err;
  679          ssize_t res;
  680          struct inode *inode = d_inode(dentry);
  681          struct hfs_find_data fd;
  682          struct hfsplus_attr_key attr_key;
  683          char *strbuf;
  684          int xattr_name_len;
  685
  686          if ((!S_ISREG(inode->i_mode) &&
  687                          !S_ISDIR(inode->i_mode)) ||
  688                                  HFSPLUS_IS_RSRC(inode))
  689                  return -EOPNOTSUPP;
  690
  691          res = hfsplus_listxattr_finder_info(dentry, buffer, size);
  692          if (res < 0)
  693                  return res;
  694          else if (!HFSPLUS_SB(inode->i_sb)->attr_tree)
  695                  return (res == 0) ? -EOPNOTSUPP : res;
  696
  697          err = hfs_find_init(HFSPLUS_SB(inode->i_sb)->attr_tree, &fd);
  698          if (err) {
  699                  pr_err("can't init xattr find struct\n");
  700                  return err;
  701          }
  702
  703          strbuf = kzalloc(NLS_MAX_CHARSET_SIZE * HFSPLUS_ATTR_MAX_STRLEN +
  704                          XATTR_MAC_OSX_PREFIX_LEN + 1, GFP_KERNEL);
  705          if (!strbuf) {
  706                  res = -ENOMEM;
  707                  goto out;
  708          }
  709
  710          err = hfsplus_find_attr(inode->i_sb, inode->i_ino, NULL, &fd);
  711          if (err) {
  712                  if (err == -ENOENT) {
  713                          if (res == 0)
  714                                  res = -ENODATA;
  715                          goto end_listxattr;
  716                  } else {
  717                          res = err;
  718                          goto end_listxattr;
  719                  }
  720          }
  721
  722          for (;;) {
  723                  u16 key_len = hfs_bnode_read_u16(fd.bnode, fd.keyoffset);
  724
  725                  if (key_len == 0 || key_len > fd.tree->max_key_len) {
  726                          pr_err("invalid xattr key length: %d\n", key_len);
  727                          res = -EIO;
  728                          goto end_listxattr;
  729                  }
  730
  731                  hfs_bnode_read(fd.bnode, &attr_key,
  732                                  fd.keyoffset, key_len + sizeof(key_len));
  733
  734                  if (be32_to_cpu(attr_key.cnid) != inode->i_ino)
  735                          goto end_listxattr;
  736
  737                  xattr_name_len = NLS_MAX_CHARSET_SIZE * HFSPLUS_ATTR_MAX_STRLEN;
  738                  if (hfsplus_uni2asc(inode->i_sb,
> 739                                  (const struct hfsplus_attr_unistr *)&fd.key
  740                                          ->attr.key_name,
  741                                  HFSPLUS_ATTR_MAX_STRLEN, strbuf,
  742                                  &xattr_name_len)) {
  743                          pr_err("unicode conversion failed\n");
  744                          res = -EIO;
  745                          goto end_listxattr;
  746                  }
  747
  748                  if (!buffer || !size) {
  749                          if (can_list(strbuf))
  750                                  res += name_len(strbuf, xattr_name_len);
  751                  } else if (can_list(strbuf)) {
  752                          if (size < (res + name_len(strbuf, xattr_name_len))) {
  753                                  res = -ERANGE;
  754                                  goto end_listxattr;
  755                          } else
  756                                  res += copy_name(buffer + res,
  757                                                  strbuf, xattr_name_len);
  758                  }
  759
  760                  if (hfs_brec_goto(&fd, 1))
  761                          goto end_listxattr;
  762          }
  763
  764  end_listxattr:
  765          kfree(strbuf);
  766  out:
  767          hfs_find_exit(&fd);
  768          return res;
  769  }
  770
--
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki