[PATCH] hfsplus: fix uninit-value in hfsplus_rename_cat

Next message: Tristan Madani: "[PATCH] udf: propagate error from udf_fiiter_add_entry"
Previous message: Tristan Madani: "[PATCH] jfs: fix uninit-value read in BT_STACK_DUMP"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Tristan Madani

Date: Sat Apr 18 2026 - 09:11:29 EST

From: Tristan Madani <tristan@xxxxxxxxxxxxxxxxxxx>

hfsplus_rename_cat() uses subfolder counts from the on-disk record
without zero-initializing the destination buffer when the else branch
is taken. This leads to KMSAN-detected use of uninitialized memory.

Zero-initialize the relevant fields in the else branch to prevent
reading uninitialized data.

Reported-by: syzbot+93f4402297a457fc6895@xxxxxxxxxxxxxxxxxxxxxxxxx
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Cc: stable@xxxxxxxxxxxxxxx
Signed-off-by: Tristan Madani <tristan@xxxxxxxxxxxxxxxxxxx>
---
fs/hfsplus/inode.c | 2 ++
1 file changed, 2 insertions(+)

diff --git a/fs/hfsplus/inode.c b/fs/hfsplus/inode.c
index d05891ec492e3..356847ab3abf2 100644
--- a/fs/hfsplus/inode.c
+++ b/fs/hfsplus/inode.c
@@ -592,6 +592,8 @@ int hfsplus_cat_read_inode(struct inode *inode, struct hfs_find_data *fd)
if (folder->flags & cpu_to_be16(HFSPLUS_HAS_FOLDER_COUNT)) {
HFSPLUS_I(inode)->subfolders =
be32_to_cpu(folder->subfolders);
+ } else {
+ HFSPLUS_I(inode)->subfolders = 0;
}
inode->i_op = &hfsplus_dir_inode_operations;
inode->i_fop = &hfsplus_dir_operations;
--
2.47.3