[syzbot] [hfs?] KASAN: out-of-bounds Read in hfsplus_bnode_move
20 views
Skip to first unread message
syzbot
Jan 22, 2024, 4:48:31 AM1/22/24
to linux-...@vger.kernel.org, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,
syzbot found the following issue on:
HEAD commit: 125514880ddd Merge tag 'sh-for-v6.8-tag1' of git://git.ker..
git tree: upstream
console+strace: https://syzkaller.appspot.com/x/log.txt?x=15edd643e80000
kernel config: https://syzkaller.appspot.com/x/.config?x=7a6ff9d9d5d2dc4a
dashboard link: https://syzkaller.appspot.com/bug?extid=6df204b70bf3261691c5
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=169c2d57e80000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=11109193e80000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/86a8a3ee9ef1/disk-12551488.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/b73f0ed65615/vmlinux-12551488.xz
kernel image: https://storage.googleapis.com/syzbot-assets/7aa088345217/bzImage-12551488.xz
mounted in repro: https://storage.googleapis.com/syzbot-assets/3a894fc3d764/mount_0.gz
Bisection is inconclusive: the issue happens on the oldest tested release.
bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=12fdd643e80000
final oops: https://syzkaller.appspot.com/x/report.txt?x=11fdd643e80000
console output: https://syzkaller.appspot.com/x/log.txt?x=16fdd643e80000
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+6df204...@syzkaller.appspotmail.com
loop0: detected capacity change from 0 to 1024
==================================================================
BUG: KASAN: out-of-bounds in hfsplus_bnode_move+0x5f3/0x910 fs/hfsplus/bnode.c:228
Read of size 18446744073709551602 at addr 000508800000104e by task syz-executor353/5048
CPU: 0 PID: 5048 Comm: syz-executor353 Not tainted 6.7.0-syzkaller-12829-g125514880ddd #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x1e7/0x2d0 lib/dump_stack.c:106
print_report+0xe6/0x540 mm/kasan/report.c:491
kasan_report+0x142/0x170 mm/kasan/report.c:601
kasan_check_range+0x27e/0x290 mm/kasan/generic.c:189
__asan_memmove+0x29/0x70 mm/kasan/shadow.c:94
hfsplus_bnode_move+0x5f3/0x910 fs/hfsplus/bnode.c:228
hfsplus_brec_insert+0x61c/0xdd0 fs/hfsplus/brec.c:128
hfsplus_create_attr+0x49e/0x630 fs/hfsplus/attributes.c:252
__hfsplus_setxattr+0x6fe/0x22d0 fs/hfsplus/xattr.c:354
hfsplus_initxattrs+0x158/0x220 fs/hfsplus/xattr_security.c:59
security_inode_init_security+0x2a7/0x470 security/security.c:1752
hfsplus_fill_super+0x14d3/0x1c90 fs/hfsplus/super.c:567
mount_bdev+0x206/0x2d0 fs/super.c:1663
legacy_get_tree+0xef/0x190 fs/fs_context.c:662
vfs_get_tree+0x8c/0x2a0 fs/super.c:1784
do_new_mount+0x2be/0xb40 fs/namespace.c:3352
do_mount fs/namespace.c:3692 [inline]
__do_sys_mount fs/namespace.c:3898 [inline]
__se_sys_mount+0x2d9/0x3c0 fs/namespace.c:3875
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf5/0x230 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x63/0x6b
RIP: 0033:0x7fd7936b4d3a
Code: d8 64 89 02 48 c7 c0 ff ff ff ff eb a6 e8 5e 04 00 00 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fff572a70a8 EFLAGS: 00000286 ORIG_RAX: 00000000000000a5
RAX: ffffffffffffffda RBX: 00007fff572a70c0 RCX: 00007fd7936b4d3a
RDX: 0000000020000040 RSI: 0000000020000240 RDI: 00007fff572a70c0
RBP: 0000000000000004 R08: 00007fff572a7100 R09: 00000000000006c8
R10: 0000000000800000 R11: 0000000000000286 R12: 0000000000800000
R13: 00007fff572a7100 R14: 0000000000000003 R15: 0000000000080000
</TASK>
==================================================================
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
For information about bisection process see: https://goo.gl/tpsmEJ#bisection
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
syzbot found the following issue on:
HEAD commit: 125514880ddd Merge tag 'sh-for-v6.8-tag1' of git://git.ker..
git tree: upstream
console+strace: https://syzkaller.appspot.com/x/log.txt?x=15edd643e80000
kernel config: https://syzkaller.appspot.com/x/.config?x=7a6ff9d9d5d2dc4a
dashboard link: https://syzkaller.appspot.com/bug?extid=6df204b70bf3261691c5
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=169c2d57e80000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=11109193e80000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/86a8a3ee9ef1/disk-12551488.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/b73f0ed65615/vmlinux-12551488.xz
kernel image: https://storage.googleapis.com/syzbot-assets/7aa088345217/bzImage-12551488.xz
mounted in repro: https://storage.googleapis.com/syzbot-assets/3a894fc3d764/mount_0.gz
Bisection is inconclusive: the issue happens on the oldest tested release.
bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=12fdd643e80000
final oops: https://syzkaller.appspot.com/x/report.txt?x=11fdd643e80000
console output: https://syzkaller.appspot.com/x/log.txt?x=16fdd643e80000
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+6df204...@syzkaller.appspotmail.com
loop0: detected capacity change from 0 to 1024
==================================================================
BUG: KASAN: out-of-bounds in hfsplus_bnode_move+0x5f3/0x910 fs/hfsplus/bnode.c:228
Read of size 18446744073709551602 at addr 000508800000104e by task syz-executor353/5048
CPU: 0 PID: 5048 Comm: syz-executor353 Not tainted 6.7.0-syzkaller-12829-g125514880ddd #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x1e7/0x2d0 lib/dump_stack.c:106
print_report+0xe6/0x540 mm/kasan/report.c:491
kasan_report+0x142/0x170 mm/kasan/report.c:601
kasan_check_range+0x27e/0x290 mm/kasan/generic.c:189
__asan_memmove+0x29/0x70 mm/kasan/shadow.c:94
hfsplus_bnode_move+0x5f3/0x910 fs/hfsplus/bnode.c:228
hfsplus_brec_insert+0x61c/0xdd0 fs/hfsplus/brec.c:128
hfsplus_create_attr+0x49e/0x630 fs/hfsplus/attributes.c:252
__hfsplus_setxattr+0x6fe/0x22d0 fs/hfsplus/xattr.c:354
hfsplus_initxattrs+0x158/0x220 fs/hfsplus/xattr_security.c:59
security_inode_init_security+0x2a7/0x470 security/security.c:1752
hfsplus_fill_super+0x14d3/0x1c90 fs/hfsplus/super.c:567
mount_bdev+0x206/0x2d0 fs/super.c:1663
legacy_get_tree+0xef/0x190 fs/fs_context.c:662
vfs_get_tree+0x8c/0x2a0 fs/super.c:1784
do_new_mount+0x2be/0xb40 fs/namespace.c:3352
do_mount fs/namespace.c:3692 [inline]
__do_sys_mount fs/namespace.c:3898 [inline]
__se_sys_mount+0x2d9/0x3c0 fs/namespace.c:3875
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf5/0x230 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x63/0x6b
RIP: 0033:0x7fd7936b4d3a
Code: d8 64 89 02 48 c7 c0 ff ff ff ff eb a6 e8 5e 04 00 00 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fff572a70a8 EFLAGS: 00000286 ORIG_RAX: 00000000000000a5
RAX: ffffffffffffffda RBX: 00007fff572a70c0 RCX: 00007fd7936b4d3a
RDX: 0000000020000040 RSI: 0000000020000240 RDI: 00007fff572a70c0
RBP: 0000000000000004 R08: 00007fff572a7100 R09: 00000000000006c8
R10: 0000000000800000 R11: 0000000000000286 R12: 0000000000800000
R13: 00007fff572a7100 R14: 0000000000000003 R15: 0000000000080000
</TASK>
==================================================================
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
For information about bisection process see: https://goo.gl/tpsmEJ#bisection
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
Arnaud Lecomte
Jul 27, 2025, 2:17:16 PM7/27/25
to syzbot+6df204...@syzkaller.appspotmail.com, linux-...@vger.kernel.org, linux-...@vger.kernel.org, syzkall...@googlegroups.com
#syz test
--- a/fs/hfsplus/brec.c
+++ b/fs/hfsplus/brec.c
@@ -124,6 +124,12 @@ int hfs_brec_insert(struct hfs_find_data *fd, void *entry, int entry_len)
data_rec_off += 2;
} while (data_rec_off < idx_rec_off);
+ if (end_off < data_off) {
+ hfs_dbg(BNODE_MOD, "corrupted node: end_off %u < data_off %u\n", end_off, data_off);
+ if (new_node)
+ hfs_bnode_put(new_node);
+ return -EIO;
+ }
/* move data away */
hfs_bnode_move(node, data_off + size, data_off,
end_off - data_off);
--
2.43.0
--- a/fs/hfsplus/brec.c
+++ b/fs/hfsplus/brec.c
@@ -124,6 +124,12 @@ int hfs_brec_insert(struct hfs_find_data *fd, void *entry, int entry_len)
data_rec_off += 2;
} while (data_rec_off < idx_rec_off);
+ if (end_off < data_off) {
+ hfs_dbg(BNODE_MOD, "corrupted node: end_off %u < data_off %u\n", end_off, data_off);
+ if (new_node)
+ hfs_bnode_put(new_node);
+ return -EIO;
+ }
/* move data away */
hfs_bnode_move(node, data_off + size, data_off,
end_off - data_off);
--
2.43.0
syzbot
Jul 27, 2025, 2:52:04 PM7/27/25
to con...@arnaud-lcm.com, linux-...@vger.kernel.org, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,
syzbot has tested the proposed patch and the reproducer did not trigger any issue:
Reported-by: syzbot+6df204...@syzkaller.appspotmail.com
Tested-by: syzbot+6df204...@syzkaller.appspotmail.com
Tested on:
commit: b711733e Merge tag 'timers-urgent-2025-07-27' of git:/..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=165a98a2580000
kernel config: https://syzkaller.appspot.com/x/.config?x=77f37fce3464f63d
dashboard link: https://syzkaller.appspot.com/bug?extid=6df204b70bf3261691c5
compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
patch: https://syzkaller.appspot.com/x/patch.diff?x=119298a2580000
Note: testing is done by a robot and is best-effort only.
syzbot has tested the proposed patch and the reproducer did not trigger any issue:
Reported-by: syzbot+6df204...@syzkaller.appspotmail.com
Tested-by: syzbot+6df204...@syzkaller.appspotmail.com
Tested on:
commit: b711733e Merge tag 'timers-urgent-2025-07-27' of git:/..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=165a98a2580000
kernel config: https://syzkaller.appspot.com/x/.config?x=77f37fce3464f63d
dashboard link: https://syzkaller.appspot.com/bug?extid=6df204b70bf3261691c5
compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
patch: https://syzkaller.appspot.com/x/patch.diff?x=119298a2580000
Note: testing is done by a robot and is best-effort only.
syzbot
Apr 30, 2026, 6:41:49 PM (2 days ago) Apr 30
to linux-...@vger.kernel.org, syzkall...@googlegroups.com
For archival purposes, forwarding an incoming command email to
linux-...@vger.kernel.org, syzkall...@googlegroups.com.
***
Subject: Re: [syzbot] [hfs?] KASAN: out-of-bounds Read in hfs_bnode_move
Author: tri...@gmail.com
#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
>From 481707e6b354ae2f36603d68c63364b56d6ee6b6 Mon Sep 17 00:00:00 2001
From: Tristan Madani <tri...@talencesecurity.com>
Date: Thu, 30 Apr 2026 22:38:32 +0000
Subject: [PATCH 1/3] hfs/hfsplus: fix u32 overflow in
check_and_correct_requested_length
check_and_correct_requested_length() compares (off + len) against
node_size using u32 arithmetic. When the caller passes a large len
value (e.g. from an underflowed subtraction in hfs_brec_remove()),
off + len can wrap past 2^32 and produce a small result, causing the
bounds check to pass when it should fail.
For example, with off=14 and len=0xFFFFFFF2 (underflowed from
data_off - keyoffset - size in hfs_brec_remove), off + len wraps to 6,
which is less than a typical node_size of 512, so the check passes and
the subsequent memmove reads ~4GB past the node buffer.
Fix this by comparing len against (node_size - off) instead. Since
is_bnode_offset_valid() already guarantees off < node_size before this
point, the subtraction cannot underflow.
Reported-by: syzbot+6df204...@syzkaller.appspotmail.com
Reported-by: syzbot+e76bf3...@syzkaller.appspotmail.com
Fixes: a431930c9bac ("hfs: fix slab-out-of-bounds in hfs_bnode_read()")
Cc: sta...@vger.kernel.org
Signed-off-by: Tristan Madani <tri...@talencesecurity.com>
---
fs/hfs/bnode.c | 2 +-
fs/hfsplus/hfsplus_fs.h | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/fs/hfs/bnode.c b/fs/hfs/bnode.c
index 13d58c51fc46b..c00645a4a5733 100644
--- a/fs/hfs/bnode.c
+++ b/fs/hfs/bnode.c
@@ -41,7 +41,7 @@ u32 check_and_correct_requested_length(struct hfs_bnode *node, u32 off, u32 len)
node_size = node->tree->node_size;
- if ((off + len) > node_size) {
+ if (len > node_size - off) {
u32 new_len = node_size - off;
pr_err("requested length has been corrected: "
diff --git a/fs/hfsplus/hfsplus_fs.h b/fs/hfsplus/hfsplus_fs.h
index 3545b8dbf11c5..10b2dda3f8044 100644
--- a/fs/hfsplus/hfsplus_fs.h
+++ b/fs/hfsplus/hfsplus_fs.h
@@ -600,7 +600,7 @@ u32 check_and_correct_requested_length(struct hfs_bnode *node, u32 off, u32 len)
node_size = node->tree->node_size;
- if ((off + len) > node_size) {
+ if (len > node_size - off) {
u32 new_len = node_size - off;
pr_err("requested length has been corrected: "
--
2.47.3
linux-...@vger.kernel.org, syzkall...@googlegroups.com.
***
Subject: Re: [syzbot] [hfs?] KASAN: out-of-bounds Read in hfs_bnode_move
Author: tri...@gmail.com
#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
>From 481707e6b354ae2f36603d68c63364b56d6ee6b6 Mon Sep 17 00:00:00 2001
From: Tristan Madani <tri...@talencesecurity.com>
Date: Thu, 30 Apr 2026 22:38:32 +0000
Subject: [PATCH 1/3] hfs/hfsplus: fix u32 overflow in
check_and_correct_requested_length
check_and_correct_requested_length() compares (off + len) against
node_size using u32 arithmetic. When the caller passes a large len
value (e.g. from an underflowed subtraction in hfs_brec_remove()),
off + len can wrap past 2^32 and produce a small result, causing the
bounds check to pass when it should fail.
For example, with off=14 and len=0xFFFFFFF2 (underflowed from
data_off - keyoffset - size in hfs_brec_remove), off + len wraps to 6,
which is less than a typical node_size of 512, so the check passes and
the subsequent memmove reads ~4GB past the node buffer.
Fix this by comparing len against (node_size - off) instead. Since
is_bnode_offset_valid() already guarantees off < node_size before this
point, the subtraction cannot underflow.
Reported-by: syzbot+6df204...@syzkaller.appspotmail.com
Reported-by: syzbot+e76bf3...@syzkaller.appspotmail.com
Fixes: a431930c9bac ("hfs: fix slab-out-of-bounds in hfs_bnode_read()")
Cc: sta...@vger.kernel.org
Signed-off-by: Tristan Madani <tri...@talencesecurity.com>
---
fs/hfs/bnode.c | 2 +-
fs/hfsplus/hfsplus_fs.h | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/fs/hfs/bnode.c b/fs/hfs/bnode.c
index 13d58c51fc46b..c00645a4a5733 100644
--- a/fs/hfs/bnode.c
+++ b/fs/hfs/bnode.c
@@ -41,7 +41,7 @@ u32 check_and_correct_requested_length(struct hfs_bnode *node, u32 off, u32 len)
node_size = node->tree->node_size;
- if ((off + len) > node_size) {
+ if (len > node_size - off) {
u32 new_len = node_size - off;
pr_err("requested length has been corrected: "
diff --git a/fs/hfsplus/hfsplus_fs.h b/fs/hfsplus/hfsplus_fs.h
index 3545b8dbf11c5..10b2dda3f8044 100644
--- a/fs/hfsplus/hfsplus_fs.h
+++ b/fs/hfsplus/hfsplus_fs.h
@@ -600,7 +600,7 @@ u32 check_and_correct_requested_length(struct hfs_bnode *node, u32 off, u32 len)
node_size = node->tree->node_size;
- if ((off + len) > node_size) {
+ if (len > node_size - off) {
u32 new_len = node_size - off;
pr_err("requested length has been corrected: "
--
2.47.3
Reply all
Reply to author
Forward
0 new messages