[syzbot] [hfs?] KMSAN: uninit-value in hfs_brec_keylen


syzbot

Apr 18, 2025, 10:57:22 AM
Hello,

syzbot found the following issue on:

HEAD commit: 8ffd015db85f Linux 6.15-rc2
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=104d20cc580000
kernel config: https://syzkaller.appspot.com/x/.config?x=e30b69a28cc940e1
dashboard link: https://syzkaller.appspot.com/bug?extid=5405d1265a66aa313343
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=1790ea3f980000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=17e17398580000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/b099795f8c63/disk-8ffd015d.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/a10b15dc31a5/vmlinux-8ffd015d.xz
kernel image: https://storage.googleapis.com/syzbot-assets/24a20f2e33c6/bzImage-8ffd015d.xz
mounted in repro: https://storage.googleapis.com/syzbot-assets/acf63dfb20d0/mount_0.gz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: [email protected]

loop0: detected capacity change from 0 to 64
=====================================================
BUG: KMSAN: uninit-value in hfs_brec_keylen+0x423/0x610 fs/hfs/brec.c:46
hfs_brec_keylen+0x423/0x610 fs/hfs/brec.c:46
__hfs_brec_find+0x111/0x830 fs/hfs/bfind.c:69
hfs_brec_find+0x436/0x980 fs/hfs/bfind.c:138
hfs_cat_move+0x116d/0x12e0 fs/hfs/catalog.c:372
hfs_rename+0x344/0x500 fs/hfs/dir.c:299
vfs_rename+0x1d9d/0x2280 fs/namei.c:5086
do_renameat2+0x1577/0x1b80 fs/namei.c:5235
__do_sys_rename fs/namei.c:5282 [inline]
__se_sys_rename fs/namei.c:5280 [inline]
__x64_sys_rename+0xe8/0x140 fs/namei.c:5280
x64_sys_call+0x3a1e/0x3c80 arch/x86/include/generated/asm/syscalls_64.h:83
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xcd/0x1e0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f

Local variable data created at:
hfs_bnode_read_u16+0x3d/0x90 fs/hfs/bnode.c:-1
hfs_brec_keylen+0x23e/0x610 fs/hfs/brec.c:45

CPU: 0 UID: 0 PID: 5794 Comm: syz-executor252 Not tainted 6.15.0-rc2-syzkaller #0 PREEMPT(undef)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025
=====================================================


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at [email protected].

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.

If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup

Arnaud Lecomte

Apr 18, 2025, 1:09:53 PM
#syz test
diff --git a/fs/hfs/bnode.c b/fs/hfs/bnode.c
index 6add6ebfef89..e8d7431ce178 100644
--- a/fs/hfs/bnode.c
+++ b/fs/hfs/bnode.c
@@ -15,7 +15,7 @@

#include "btree.h"

-void hfs_bnode_read(struct hfs_bnode *node, void *buf, int off, int len)
+int hfs_bnode_read(struct hfs_bnode *node, void *buf, int off, int len)
{
struct page *page;
int pagenum;
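Review bot: the definition changes the return type from `void` to `int` without saying what the value means; add a comment at the definition stating the contract (the number of bytes copied, and whether and when it can be less than `len`), since callers are now expected to branch on it, and every existing caller that previously ignored a `void` return needs to be reviewed for whether it should check the new value.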
@@ -37,13 +37,16 @@ void hfs_bnode_read(struct hfs_bnode *node, void *buf, int off, int len)
pagenum++;
off = 0; /* page offset only applies to the first page */
}
+
+ return bytes_to_read;
}

u16 hfs_bnode_read_u16(struct hfs_bnode *node, int off)
{
- __be16 data;
+ __be16 data = 0;
// optimize later...
- hfs_bnode_read(node, &data, off, 2);
+ if(hfs_bnode_read(node, &data, off, 2) < sizeof(u16))
+ return 0;
return be16_to_cpu(data);
}

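Review bot: `return bytes_to_read;` after the per-page loop returns whatever that variable held on the last iteration; if it is the per-iteration chunk size, as its name and the `pagenum++` / `off = 0` loop suggest, then a read that spans two pages returns only the last chunk's length rather than the total copied, and the `< sizeof(u16)` check in hfs_bnode_read_u16 will report a short read that did not happen. Return an accumulated byte count instead. Two smaller points: `if(` should be `if (` per kernel coding style, and comparing an `int` against `sizeof(u16)` promotes the comparison to unsigned, so a negative return value would pass the check. Note also that `__be16 data = 0;` on its own is enough to make KMSAN stop reporting, so the "did not trigger any issue" result below does not show that the short-read branch is ever taken or that the read which left `data` unwritten is now prevented; the out-of-range condition needs to be caught inside hfs_bnode_read itself, with the zero-initialisation kept only as defence in depth.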
diff --git a/fs/hfs/btree.h b/fs/hfs/btree.h
index 0e6baee93245..54f310c52643 100644
--- a/fs/hfs/btree.h
+++ b/fs/hfs/btree.h
@@ -94,7 +94,7 @@ extern struct hfs_bnode * hfs_bmap_alloc(struct hfs_btree *);
extern void hfs_bmap_free(struct hfs_bnode *node);

/* bnode.c */
-extern void hfs_bnode_read(struct hfs_bnode *, void *, int, int);
+extern int hfs_bnode_read(struct hfs_bnode *, void *, int, int);
extern u16 hfs_bnode_read_u16(struct hfs_bnode *, int);
extern u8 hfs_bnode_read_u8(struct hfs_bnode *, int);
extern void hfs_bnode_read_key(struct hfs_bnode *, void *, int);
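Review bot: the prototype matches the new definition, but `hfs_bnode_read_u8` and `hfs_bnode_read_key` declared directly below it are also built on hfs_bnode_read and still ignore its result, so they keep the same pattern this report is about (a local filled by an unchecked read); either make them check the new return value as well, or state in the commit message why only the u16 path needs it.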
--

syzbot

Apr 18, 2025, 1:50:04 PM
Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-by: [email protected]
Tested-by: [email protected]

Tested on:

commit: fc96b232 Merge tag 'pci-v6.15-fixes-2' of git://git.ke..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=132614cc580000
kernel config: https://syzkaller.appspot.com/x/.config?x=a27b81e0cf56c60b
dashboard link: https://syzkaller.appspot.com/bug?extid=5405d1265a66aa313343
compiler: Debian clang version 15.0.6, Debian LLD 15.0.6
patch: https://syzkaller.appspot.com/x/patch.diff?x=112aa204580000

Note: testing is done by a robot and is best-effort only.