CVE-2026-46169

Summary

In the Linux kernel, the following vulnerability has been resolved:

hfsplus: fix uninit-value by validating catalog record size

Syzbot reported a KMSAN uninit-value issue in hfsplus_strcasecmp(). The root cause is that hfs_brec_read() doesn't validate that the on-disk record size matches the expected size for the record type being read.

When mounting a corrupted filesystem, hfs_brec_read() may read less data than expected. For example, when reading a catalog thread record, the debug output showed:

HFSPLUS_BREC_READ: rec_len=520, fd->entrylength=26 HFSPLUS_BREC_READ: WARNING - entrylength (26) < rec_len (520) - PARTIAL READ!

hfs_brec_read() only validates that entrylength is not greater than the buffer size, but doesn't check if it's less than expected. It successfully reads 26 bytes into a 520-byte structure and returns success, leaving 494 bytes uninitialized.

This uninitialized data in tmp.thread.nodeName then gets copied by hfsplus_cat_build_key_uni() and used by hfsplus_strcasecmp(), triggering the KMSAN warning when the uninitialized bytes are used as array indices in case_fold().

Fix by introducing hfsplus_brec_read_cat() wrapper that:

  1. Calls hfs_brec_read() to read the data
  2. Validates the record size based on the type field:
    • Fixed size for folder and file records
    • Variable size for thread records (depends on string length)
  3. Returns -EIO if size doesn't match expected

For thread records, check against HFSPLUS_MIN_THREAD_SZ before reading nodeName.length to avoid reading uninitialized data at call sites that don't zero-initialize the entry structure.

Also initialize the tmp variable in hfsplus_find_cat() as defensive programming to ensure no uninitialized data even if validation is bypassed.

Affected Software

VendorProductVersion RangeStatus
LinuxLinux1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 < 3003dbf62d151d47a6b90f71655292a51a05f244affected
LinuxLinux1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 < 8be69532e399eec9d9d990f6958b4ff2383b19b3affected
LinuxLinux1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 < 3bc337697c66db2e2a4a94f0509c282c1a014b86affected
LinuxLinux1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 < 61a790974ff7e533acbceca06c7d02f22bf96d4daffected
LinuxLinux1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 < c91bbd6193c70a02c50c22e0fb1f60c3c5bd053aaffected
LinuxLinux1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 < a420904450962a562ad053a41a53a27755021b48affected
LinuxLinux1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 < 93e8d613f1a01b6637f387cc93f184cf7fb881d6affected
LinuxLinux1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 < b6b592275aeff184aa82fcf6abccd833fb71b393affected
LinuxLinux2.6.12affected
LinuxLinux0 < 2.6.12unaffected
LinuxLinux5.10.259 <= 5.10.*unaffected
LinuxLinux5.15.210 <= 5.15.*unaffected
LinuxLinux6.1.176 <= 6.1.*unaffected
LinuxLinux6.6.140 <= 6.6.*unaffected
LinuxLinux6.12.88 <= 6.12.*unaffected
LinuxLinux6.18.30 <= 6.18.*unaffected
LinuxLinux7.0.7 <= 7.0.*unaffected
LinuxLinux7.1 <= *unaffected

Weaknesses

References