On 23/10/24 00:57, Gianfranco Trad wrote:
Syzbot reports KMSAN uninit-value use in hfs_free_fork [1].
Use kzalloc() instead of kmalloc() to zero-init fd->search_key
in hfs_find_init() in order to mitigate such KMSAN bug.
[1] https://syzkaller.appspot.com/bug?extid=2e6fb1f89ce5e13cd02d
Reported-by: syzbot+2e6fb1f89ce5e13cd02d@xxxxxxxxxxxxxxxxxxxxxxxxx
Closes: https://syzkaller.appspot.com/bug?extid=2e6fb1f89ce5e13cd02d
Tested-by: syzbot+2e6fb1f89ce5e13cd02d@xxxxxxxxxxxxxxxxxxxxxxxxx
Signed-off-by: Gianfranco Trad <gianf.trad@xxxxxxxxx>
---
Notes: since there's no maintainer for hfs I included Andrew as stated
in the Documentation. I also considered to include the top 2 commiters
to hfs subsytem given by scripts/get_maintainers.pl. Hope it's not a
problem, if so apologies.
fs/hfs/bfind.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/fs/hfs/bfind.c b/fs/hfs/bfind.c
index ef9498a6e88a..c74d864bc29e 100644
--- a/fs/hfs/bfind.c
+++ b/fs/hfs/bfind.c
@@ -18,7 +18,7 @@ int hfs_find_init(struct hfs_btree *tree, struct hfs_find_data *fd)
fd->tree = tree;
fd->bnode = NULL;
- ptr = kmalloc(tree->max_key_len * 2 + 4, GFP_KERNEL);
+ ptr = kzalloc(tree->max_key_len * 2 + 4, GFP_KERNEL);
if (!ptr)
return -ENOMEM;
fd->search_key = ptr;
I ensured syzbot reproducer still triggers KMSAN bug upstream[1].
I ensured that the above patch was tested by syzbot upstream, not
triggering any issue[2].
I know hfs is orphaned, but if anyone can pick it up or review it for
additional feedback I'd highly appreciate it, as it addresses bug in
stable releases.
Thanks for your time,
[1] https://syzkaller.appspot.com/x/log.txt?x=12cd38c0580000
[2] https://syzkaller.appspot.com/x/log.txt?x=136874e8580000
--Gian
