Syzbot reported an uninit-value in hfsplus_cat_bin_cmp_key. The result of reading from the raw data of the node in hfs_bnode_read_u16() is 0, and the final calculated catalog key length is 2, which will eventually lead to too little key data read from the node to initialize the parent member of struct hfsplus_cat_key. The solution is to increase the key length judgment, and terminate the subsequent operations if it is too small.

#syz test

Reported-by: syzbot+968ecf5dc01b3e0148ec@xxxxxxxxxxxxxxxxxxxxxxxxx
Closes: https://syzkaller.appspot.com/bug?extid=968ecf5dc01b3e0148ec
Signed-off-by: Edward Adam Davis <eadavis@xxxxxx>
---
 fs/hfsplus/brec.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/fs/hfsplus/brec.c b/fs/hfsplus/brec.c index 1918544a7871..da38638ad808 100644 --- a/fs/hfsplus/brec.c +++ b/fs/hfsplus/brec.c @@ -51,6 +51,13 @@ u16 hfs_brec_keylen(struct hfs_bnode *node, u16 rec) } retval = hfs_bnode_read_u16(node, recoff) + 2; + if (node->tree->cnid == HFSPLUS_CAT_CNID && + retval < offsetof(struct hfsplus_cat_key, parent) + + sizeof(hfsplus_cnid)) { + pr_err("keylen %d too small\n", + retval); + return 0; + } if (retval > node->tree->max_key_len + 2) { pr_err("keylen %d too large\n", retval); -- 2.43.0
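Review bot: the new lower bound in hfs_brec_keylen() is special-cased on node->tree->cnid == HFSPLUS_CAT_CNID, but the function is shared by every B-tree in the filesystem, so an on-disk key length of 0 in the extents or attributes tree still passes here and is copied short in exactly the same way; a per-tree minimum (or a generic lower bound on any record) would close the whole class instead of the one tree syzbot happened to hit. The bound itself, offsetof(struct hfsplus_cat_key, parent) + sizeof(hfsplus_cnid), only guarantees that parent is initialized: if the comparison that triggered the report goes on to read the name field that follows parent in struct hfsplus_cat_key, a key of exactly that minimum length still leaves it uninitialized, so consider covering the name length as well, e.g. offsetof(struct hfsplus_cat_key, name) + sizeof(__be16). Returning 0 mirrors the existing "too large" path, which is fine, but a one-line comment saying that 0 is the error value callers already handle would help the next reader. Finally, "#syz test" is a syzbot command and should be dropped from the changelog before the patch is submitted for real.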