KASAN: slab-out-of-bounds Read in hfsplus_bnode_read in v6.14-rc4 kernel

[Strforexc yn]

Dear Maintainers, When using our customized Syzkaller to fuzz the
latest Linux kernel, the following crash was triggered.

Kernel commit: v6.14-rc4 (Commits on Feb 24, 2025)
Kernel Config : https://github.com/Strforexc/LinuxKernelbug/blob/main/.config
Kernel Log: attachment
Reproduce: attachment

KASAN detects a slab-out-of-bounds read of size 8 at address
ffff888044c23ac0 in hfsplus_bnode_read (fs/hfsplus/bnode.c:32) during
a rename operation. Preceding logs report: hfsplus: request for
non-existent node 65030 in B*Tree.

Location: The fault occurs in hfsplus_bnode_read at
memcpy_from_page(buf, *pagep, off, l), where *pagep accesses memory
beyond the node->page array.
Cause: Likely due to:
1. Invalid Offset: off + node->page_offset exceeds the allocated
node->page size, possibly from a corrupted struct hfs_bnode (node
65030 is non-existent).
2. Undersized Allocation: node->page (152 bytes) may not accommodate
the required page pointers for the requested offset.

Context: Syzkaller’s renameat2 on an HFS+ filesystem likely introduced
malformed metadata, corrupting the B-tree and triggering the invalid
node access.


Our knowledge of the kernel is somewhat limited, and we'd appreciate
it if you could determine if there is such an issue. If this issue
doesn't have an impact, please ignore it ☺.

If you fix this issue, please add the following tag to the commit:
Reported-by: Zhizhuo Tang <strforexctzzchange@xxxxxxxxxxx>, Jianzhou
Zhao <xnxc22xnxc22@xxxxxx>, Haoran Liu <cherest_san@xxxxxxx>


hfsplus: request for non-existent node 65030 in B*Tree
hfsplus: request for non-existent node 65030 in B*Tree
==================================================================
BUG: KASAN: slab-out-of-bounds in hfsplus_bnode_read+0x23e/0x260
fs/hfsplus/bnode.c:32
Read of size 8 at addr ffff888044c23ac0 by task syz.1.178/13668

CPU: 1 UID: 0 PID: 13668 Comm: syz.1.178 Not tainted 6.14.0-rc4 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:94 [inline]
 dump_stack_lvl+0x116/0x1b0 lib/dump_stack.c:120
 print_address_description.constprop.0+0x2c/0x420 mm/kasan/report.c:408
 print_report+0xaa/0x270 mm/kasan/report.c:521
 kasan_report+0xbd/0x100 mm/kasan/report.c:634
 hfsplus_bnode_read+0x23e/0x260 fs/hfsplus/bnode.c:32
 hfsplus_bnode_read_u16 fs/hfsplus/bnode.c:45 [inline]
 hfsplus_bnode_dump+0x2c6/0x3b0 fs/hfsplus/bnode.c:321
 hfsplus_brec_remove+0x3e7/0x4f0 fs/hfsplus/brec.c:229
 __hfsplus_delete_attr+0x296/0x3b0 fs/hfsplus/attributes.c:299
 hfsplus_delete_all_attrs+0x26d/0x330 fs/hfsplus/attributes.c:378
 hfsplus_delete_cat+0x87b/0xe70 fs/hfsplus/catalog.c:425
 hfsplus_unlink+0x1cd/0x7c0 fs/hfsplus/dir.c:385
 hfsplus_rename+0xc2/0x220 fs/hfsplus/dir.c:547
 vfs_rename+0x118f/0x1ab0 fs/namei.c:5069
 do_renameat2+0xb28/0xd60 fs/namei.c:5226
 __do_sys_renameat2 fs/namei.c:5260 [inline]
 __se_sys_renameat2 fs/namei.c:5257 [inline]
 __x64_sys_renameat2+0xe7/0x140 fs/namei.c:5257
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xcb/0x260 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f130c5b85ad
Code: 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 f3 0f 1e fa 48 89 f8 48
89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d
01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f130d48af98 EFLAGS: 00000246 ORIG_RAX: 000000000000013c
RAX: ffffffffffffffda RBX: 00007f130c845fa0 RCX: 00007f130c5b85ad
RDX: 0000000000000004 RSI: 00004000000000c0 RDI: 0000000000000005
RBP: 00007f130c66a8d6 R08: 0000000000000000 R09: 0000000000000000
R10: 0000400000000180 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000000000 R14: 00007f130c845fa0 R15: 00007f130d46b000
 </TASK>

Allocated by task 13668:
 kasan_save_stack+0x24/0x50 mm/kasan/common.c:47
 kasan_save_track+0x14/0x40 mm/kasan/common.c:68
 poison_kmalloc_redzone mm/kasan/common.c:377 [inline]
 __kasan_kmalloc+0xba/0xc0 mm/kasan/common.c:394
 kasan_kmalloc include/linux/kasan.h:260 [inline]
 __do_kmalloc_node mm/slub.c:4294 [inline]
 __kmalloc_noprof+0x212/0x580 mm/slub.c:4306
 kmalloc_noprof include/linux/slab.h:905 [inline]
 kzalloc_noprof include/linux/slab.h:1037 [inline]
 __hfs_bnode_create+0x107/0x850 fs/hfsplus/bnode.c:409
 hfsplus_bnode_find+0x424/0xc70 fs/hfsplus/bnode.c:486
 hfsplus_brec_find+0x2b3/0x540 fs/hfsplus/bfind.c:172
 hfsplus_find_attr+0xf7/0x180 fs/hfsplus/attributes.c:153
 __hfsplus_getxattr+0x2cf/0x5f0 fs/hfsplus/xattr.c:520
 hfsplus_getxattr+0xc9/0x140 fs/hfsplus/xattr.c:588
 hfsplus_security_getxattr+0x3a/0x60 fs/hfsplus/xattr_security.c:20
 __vfs_getxattr+0x13f/0x1b0 fs/xattr.c:423
 smk_fetch+0xe6/0x180 security/smack/smack_lsm.c:290
 smack_d_instantiate+0x434/0xbb0 security/smack/smack_lsm.c:3599
 security_d_instantiate+0x142/0x1a0 security/security.c:4079
 d_splice_alias+0x91/0x860 fs/dcache.c:3017
 hfsplus_lookup+0x652/0x890 fs/hfsplus/dir.c:124
 lookup_one_qstr_excl+0x12b/0x190 fs/namei.c:1693
 do_renameat2+0x671/0xd60 fs/namei.c:5167
 __do_sys_renameat2 fs/namei.c:5260 [inline]
 __se_sys_renameat2 fs/namei.c:5257 [inline]
 __x64_sys_renameat2+0xe7/0x140 fs/namei.c:5257
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xcb/0x260 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

The buggy address belongs to the object at ffff888044c23a00
 which belongs to the cache kmalloc-192 of size 192
The buggy address is located 40 bytes to the right of
 allocated 152-byte region [ffff888044c23a00, ffff888044c23a98)

The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x44c23
flags: 0x4fff00000000000(node=1|zone=1|lastcpupid=0x7ff)
page_type: f5(slab)
raw: 04fff00000000000 ffff88801b4413c0 dead000000000100 dead000000000122
raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask
0x52cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP), pid 1, tgid
1 (swapper/0), ts 13955582992, free_ts 13944852717
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0x1a3/0x1d0 mm/page_alloc.c:1551
 prep_new_page mm/page_alloc.c:1559 [inline]
 get_page_from_freelist+0x8a5/0xfa0 mm/page_alloc.c:3477
 __alloc_frozen_pages_noprof+0x1d8/0x3b0 mm/page_alloc.c:4739
 alloc_pages_mpol+0x1f2/0x550 mm/mempolicy.c:2270
 alloc_slab_page mm/slub.c:2423 [inline]
 allocate_slab+0x229/0x310 mm/slub.c:2587
 ___slab_alloc+0x7f3/0x12b0 mm/slub.c:3826
 __slab_alloc.constprop.0+0x56/0xc0 mm/slub.c:3916
 __slab_alloc_node mm/slub.c:3991 [inline]
 slab_alloc_node mm/slub.c:4152 [inline]
 __kmalloc_cache_noprof+0x280/0x450 mm/slub.c:4320
 kmalloc_noprof include/linux/slab.h:901 [inline]
 kzalloc_noprof include/linux/slab.h:1037 [inline]
 call_usermodehelper_setup+0x9c/0x350 kernel/umh.c:362
 kobject_uevent_env+0x76c/0xa70 lib/kobject_uevent.c:628
 device_add+0xbf3/0x1490 drivers/base/core.c:3646
 usb_set_configuration+0x11a5/0x1c50 drivers/usb/core/message.c:2210
 usb_generic_driver_probe+0xbf/0x120 drivers/usb/core/generic.c:250
 usb_probe_device+0xed/0x3e0 drivers/usb/core/driver.c:291
 call_driver_probe drivers/base/dd.c:579 [inline]
 really_probe+0x252/0xaa0 drivers/base/dd.c:658
 __driver_probe_device+0x1df/0x460 drivers/base/dd.c:800
page last free pid 1 tgid 1 stack trace:
 reset_page_owner include/linux/page_owner.h:25 [inline]
 free_pages_prepare mm/page_alloc.c:1127 [inline]
 free_frozen_pages+0x71f/0xff0 mm/page_alloc.c:2660
 __put_partials+0x13b/0x190 mm/slub.c:3153
 qlink_free mm/kasan/quarantine.c:163 [inline]
 qlist_free_all+0x50/0x130 mm/kasan/quarantine.c:179
 kasan_quarantine_reduce+0x1a5/0x1f0 mm/kasan/quarantine.c:286
 __kasan_slab_alloc+0x6f/0xa0 mm/kasan/common.c:329
 kasan_slab_alloc include/linux/kasan.h:250 [inline]
 slab_post_alloc_hook mm/slub.c:4115 [inline]
 slab_alloc_node mm/slub.c:4164 [inline]
 __kmalloc_cache_noprof+0x15a/0x450 mm/slub.c:4320
 kmalloc_noprof include/linux/slab.h:901 [inline]
 kzalloc_noprof include/linux/slab.h:1037 [inline]
 kobject_uevent_env+0x23b/0xa70 lib/kobject_uevent.c:540
 device_add+0xbf3/0x1490 drivers/base/core.c:3646
 device_create_groups_vargs+0x215/0x290 drivers/base/core.c:4347
 device_create+0xe0/0x130 drivers/base/core.c:4386
 mon_bin_add+0xbb/0x190 drivers/usb/mon/mon_bin.c:1370
 mon_bus_init+0x18e/0x320 drivers/usb/mon/mon_main.c:291
 mon_bus_add drivers/usb/mon/mon_main.c:188 [inline]
 mon_notify+0x324/0x480 drivers/usb/mon/mon_main.c:219
 notifier_call_chain+0xd7/0x250 kernel/notifier.c:85
 blocking_notifier_call_chain+0x6b/0xb0 kernel/notifier.c:380
 usb_register_bus drivers/usb/core/hcd.c:908 [inline]
 usb_add_hcd+0x4a8/0x1770 drivers/usb/core/hcd.c:2865

Memory state around the buggy address:
 ffff888044c23980: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
 ffff888044c23a00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff888044c23a80: 00 00 00 fc fc fc fc fc fc fc fc fc fc fc fc fc
                                           ^
 ffff888044c23b00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff888044c23b80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
==================================================================
Thanks,
Zhizhuo Tang

Attachment: repro.cprog
Description: Binary data

Attachment: repro.log
Description: Binary data

Attachment: repro.prog
Description: Binary data

Attachment: mount_0.gz
Description: GNU Zip compressed data