Re: [PATCH v2 2/2] hfs/hfsplus: zero-initialize buffer in hfs_bnode_read

From: Viacheslav Dubeyko

Date: Thu May 07 2026 - 18:01:18 EST


On Tue, 2026-05-05 at 11:12 +0000, Tristan Madani wrote:
> From: Tristan Madani <tristan@xxxxxxxxxxxxxxxxxxx>
>
> hfs_bnode_read() can return early without writing to the output buffer
> when is_bnode_offset_valid() fails or when check_and_correct_requested_
> length() corrects the length to zero. Callers such as hfs_bnode_read_
> u16() and hfs_bnode_read_u8() pass stack-allocated buffers and use the
> result unconditionally, leading to KMSAN uninit-value reports.
>
> Rather than initializing at each individual call site, zero the buffer
> at the start of hfs_bnode_read() before any validation checks. This
> ensures all callers in both hfs and hfsplus get a deterministic zero
> value regardless of which early-return path is taken.
>
> Reported-by: syzbot+217eb327242d08197efb@xxxxxxxxxxxxxxxxxxxxxxxxx
> Closes: https://syzkaller.appspot.com/bug?extid=217eb327242d08197efb
> Tested-by: syzbot+217eb327242d08197efb@xxxxxxxxxxxxxxxxxxxxxxxxx
> Fixes: a431930c9bac ("hfs: fix slab-out-of-bounds in hfs_bnode_read()")
> Cc: stable@xxxxxxxxxxxxxxx
> Signed-off-by: Tristan Madani <tristan@xxxxxxxxxxxxxxxxxxx>
> ---
> fs/hfs/bnode.c | 2 ++
> fs/hfsplus/bnode.c | 2 ++
> 2 files changed, 4 insertions(+)
>
> diff --git a/fs/hfs/bnode.c b/fs/hfs/bnode.c
> index 9571f33b91085..25cef62fbba6d 100644
> --- a/fs/hfs/bnode.c
> +++ b/fs/hfs/bnode.c
> @@ -64,6 +64,8 @@ void hfs_bnode_read(struct hfs_bnode *node, void *buf, u32 off, u32 len)
> u32 bytes_read;
> u32 bytes_to_read;
>
> + memset(buf, 0, len);
> +
> if (!is_bnode_offset_valid(node, off))
> return;
>
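Review bot: `memset(buf, 0, len)` runs with the caller-supplied `len` before check_and_correct_requested_length() has clamped anything, which is correct only because `len` describes the caller's buffer rather than the node; a one-line comment above it stating that, and that the early returns below otherwise leave `buf` untouched, would stop a later reader from treating the memset as redundant or moving it below the validation. Something like `/* The early returns below must not leave the caller's buffer uninitialized. */` is enough, and it also documents that a clamped read now yields a zeroed tail.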
> diff --git a/fs/hfsplus/bnode.c b/fs/hfsplus/bnode.c
> index f8b5a8ae58ff5..14d1af2c7ba93 100644
> --- a/fs/hfsplus/bnode.c
> +++ b/fs/hfsplus/bnode.c
> @@ -25,6 +25,8 @@ void hfs_bnode_read(struct hfs_bnode *node, void *buf, u32 off, u32 len)
> struct page **pagep;
> u32 l;
>
> + memset(buf, 0, len);
> +
> if (!is_bnode_offset_valid(node, off))
> return;
>
>
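Review bot: zeroing makes the failure invisible to callers: hfs_bnode_read_u16() and hfs_bnode_read_u8() now get 0 for an invalid offset or a read clamped to zero length and cannot tell that apart from a genuine zero in the node, so this is the right minimal change for stable, but a follow-up that lets hfs_bnode_read() report the problem (a return value, or a WARN_ON_ONCE() on the invalid-offset path) is worth considering. Also note that this copy and the one in fs/hfs/bnode.c are now identical and must be kept in sync.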

Looks good. Thanks a lot for the fix.

Reviewed-by: Viacheslav Dubeyko <slava@xxxxxxxxxxx>

Thanks,
Slava.
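The two early-return paths the commit message names (invalid offset, length corrected to zero) and the effect of zeroing the buffer up front, as an added userspace model in C. This is not kernel code and not the patch author's: `model_bnode_read_before()`/`model_bnode_read_after()`, `NODE_SIZE`, the sample node contents and the 0xDEAD/0xAA sentinels standing in for stale stack contents are all constructed for the example. The model treats an offset equal to the node size as a valid position so that the zero-length path is reachable on its own; that is a modelling choice, not a claim about is_bnode_offset_valid().

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of a B-tree node: NODE_SIZE bytes of node data.
 * Not the kernel's struct hfs_bnode; kept small for illustration. */
#define NODE_SIZE 64u

struct model_bnode {
    uint8_t data[NODE_SIZE];
};

/* Shared sample node: byte i holds i + 1, so every byte is non-zero. */
static const struct model_bnode *model_node(void)
{
    static struct model_bnode node;
    static int filled;

    if (!filled) {
        for (uint32_t i = 0; i < NODE_SIZE; i++)
            node.data[i] = (uint8_t)(i + 1);
        filled = 1;
    }
    return &node;
}

/* Stands in for is_bnode_offset_valid(). Modelling choice: off == NODE_SIZE
 * is accepted as a position so the "length corrected to zero" path is
 * reachable without also failing the offset check. */
static int model_offset_valid(uint32_t off)
{
    return off <= NODE_SIZE;
}

/* Stands in for check_and_correct_requested_length(): clamp the request to
 * what is left in the node, which is zero at off == NODE_SIZE. */
static uint32_t model_correct_length(uint32_t off, uint32_t len)
{
    if (len > NODE_SIZE - off)
        len = NODE_SIZE - off;
    return len;
}

/* "Before": both early returns leave the caller's buffer untouched. */
void model_bnode_read_before(void *buf, uint32_t off, uint32_t len)
{
    if (!model_offset_valid(off))
        return;
    len = model_correct_length(off, len);
    if (len == 0)
        return;
    memcpy(buf, model_node()->data + off, len);
}

/* "After": zero len bytes of the caller's buffer first, as the patch does.
 * Every early-return path now yields zeros, and a clamped read leaves a
 * zero tail instead of whatever the caller had in the buffer. */
void model_bnode_read_after(void *buf, uint32_t off, uint32_t len)
{
    memset(buf, 0, len);
    if (!model_offset_valid(off))
        return;
    len = model_correct_length(off, len);
    if (len == 0)
        return;
    memcpy(buf, model_node()->data + off, len);
}

/* Equivalent of hfs_bnode_read_u16(): read into a stack variable and use the
 * result unconditionally. 0xDEAD stands in for the stale stack contents that
 * KMSAN reports in the kernel. */
uint16_t model_read_u16(int zero_first, uint32_t off)
{
    uint16_t data = 0xDEAD;

    if (zero_first)
        model_bnode_read_after(&data, off, 2);
    else
        model_bnode_read_before(&data, off, 2);
    return data;
}

/* Request 4 bytes starting 2 bytes before the end of the node, so the read
 * is clamped to 2; return buf[2], the first byte past the clamp. */
uint8_t model_tail_byte(int zero_first)
{
    uint8_t buf[4] = { 0xAA, 0xAA, 0xAA, 0xAA };

    if (zero_first)
        model_bnode_read_after(buf, NODE_SIZE - 2, 4);
    else
        model_bnode_read_before(buf, NODE_SIZE - 2, 4);
    return buf[2];
}

int main(void)
{
    printf("invalid offset: before=0x%04x after=0x%04x\n",
           model_read_u16(0, 1000), model_read_u16(1, 1000));
    printf("zero length:    before=0x%04x after=0x%04x\n",
           model_read_u16(0, NODE_SIZE), model_read_u16(1, NODE_SIZE));
    printf("clamped tail:   before=0x%02x after=0x%02x\n",
           model_tail_byte(0), model_tail_byte(1));
    return 0;
}
```

The valid-offset case behaves identically in both variants; the difference is confined to the invalid-offset, zero-length and clamped-tail cases, which is exactly the set of paths the patch makes deterministic.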