syzbot

 sign-in | mailing list | source | docs | 🏰
🐞 Open [1325]
Subsystems
🐞 Fixed [7170]
🐞 Invalid [18939]
Missing Backports [221]
Crashes
Kernel Health Bugs/Month Bug Lifetimes Fuzzing
Total Repo Heatmap Subsystems Heatmap
✨ AI
💬 Send us feedback

KASAN: out-of-bounds Read in hfsplus_bnode_move

Status: upstream: reported C repro on 2024/01/22 09:48
Subsystems: hfs
[Documentation on labels]
Reported-by: syzbot+6df204b70bf3261691c5@syzkaller.appspotmail.com
Fix commit: 966cb76fb285 hfs/hfsplus: fix u32 overflow in check_and_correct_requested_length
Patched on: [ci-qemu-gce-upstream-auto ci-qemu-upstream ci-qemu-upstream-386 ci-qemu2-arm32 ci-qemu2-arm64 ci-qemu2-arm64-compat ci-qemu2-arm64-mte ci-snapshot-upstream-root ci-upstream-gce-leak ci-upstream-kasan-badwrites-root ci-upstream-kasan-gce ci-upstream-kasan-gce-386 ci-upstream-kasan-gce-root ci-upstream-kasan-gce-selinux-root ci-upstream-kasan-gce-smack-root ci-upstream-linux-next-kasan-gce-root ci2-upstream-fs ci2-upstream-kcsan-gce], missing on: [ci-qemu-native-arm64-kvm ci-qemu2-riscv64 ci-upstream-bpf-kasan-gce ci-upstream-bpf-next-kasan-gce ci-upstream-gce-arm64 ci-upstream-kmsan-gce-386-root ci-upstream-kmsan-gce-root ci-upstream-net-kasan-gce ci-upstream-net-this-kasan-gce ci-upstream-rust-kasan-gce ci2-upstream-usb]
First crash: 878d, last: 194d
Cause bisection: the issue happens on the oldest tested release (bisect log)
Crash: KASAN: wild-memory-access Read in hfsplus_bnode_move (log)
Repro: C syz .config
  
Fix bisection: failed (error log, bisect log)
  
✨ AI Jobs (4)
ID Workflow Result Correct Bug Created Started Finished Revision Error
2c3be2d0-7d54-4247-a722-d1ab883fd0a5 assessment-security 💥 KASAN: out-of-bounds Read in hfsplus_bnode_move 2026/06/10 01:54 2026/06/10 01:54 2026/06/10 01:55 c36c07f6c1f2230a36374cbd22235f635e8f9284 
failed to run ["git" "-c" "core.hooksPath=/dev/null" "fetch" "--force" "--tags" "433dfd5a8a5d80bbf0669b14e9ed908911a52dd6" "0802e17d9aca3724977070ed198f0444aa15d30b"]: exit status 128
fatal: remote er...
truncated to first 200 bytes; open job for full error
02d496f3-43de-4b08-8f3d-d08c03e03c6e assessment-security 💥 KASAN: out-of-bounds Read in hfsplus_bnode_move 2026/06/04 04:23 2026/06/04 04:23 2026/06/04 04:23 62fe15281f5011cd203d8845b8767b10e7443aa5 
failed to run ["git" "-c" "core.hooksPath=/dev/null" "fetch" "--force" "--tags" "433dfd5a8a5d80bbf0669b14e9ed908911a52dd6" "0802e17d9aca3724977070ed198f0444aa15d30b"]: exit status 128
fatal: remote er...
truncated to first 200 bytes; open job for full error
4f261125-ef27-4a78-95a8-eba285fa9392 assessment-security 💥 KASAN: out-of-bounds Read in hfsplus_bnode_move 2026/06/01 21:46 2026/06/01 21:46 2026/06/01 21:46 386cc6dacdf7e3ebce9507beed6755d7e999554d 
failed to run ["git" "-c" "core.hooksPath=/dev/null" "fetch" "--force" "--tags" "433dfd5a8a5d80bbf0669b14e9ed908911a52dd6" "0802e17d9aca3724977070ed198f0444aa15d30b"]: exit status 128
fatal: remote er...
truncated to first 200 bytes; open job for full error
432a7201-5e2a-47af-814e-4d813e67b58f assessment-security 💥 KASAN: out-of-bounds Read in hfsplus_bnode_move 2026/05/18 10:57 2026/05/18 10:57 2026/05/18 10:57 55156e845761fb36809c4b3701a920dddce23332 
failed to run ["git" "-c" "core.hooksPath=/dev/null" "fetch" "--force" "--tags" "433dfd5a8a5d80bbf0669b14e9ed908911a52dd6" "0802e17d9aca3724977070ed198f0444aa15d30b"]: exit status 128
fatal: remote er...
truncated to first 200 bytes; open job for full error
Discussions (5)
Title Replies (including bot) Last reply
[PATCH v2 1/2] hfs/hfsplus: fix u32 overflow in check_and_correct_requested_length 2 (2) 2026/05/07 22:02
[syzbot] [hfs?] KMSAN: uninit-value in hfsplus_bnode_find 1 (9) 2026/05/05 11:12
[syzbot] KASAN: slab-out-of-bounds Read in hfsplus_bnode_read 2 (5) 2026/05/05 11:12
[syzbot] [hfs?] KASAN: out-of-bounds Read in hfsplus_bnode_move 1 (5) 2026/05/05 11:12
[PATCH 1/3] hfs/hfsplus: fix u32 overflow in check_and_correct_requested_length 6 (6) 2026/05/04 23:31
Last patch testing requests (13)
Created Duration User Patch Repo Result
2026/05/05 11:12 37m tristmd@gmail.com patch upstream error
2026/04/30 22:41 32m tristmd@gmail.com patch upstream error
2026/04/24 03:39 24m retest repro upstream OK log
2026/04/20 01:35 48m retest repro git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci error
2026/02/12 21:22 35m retest repro upstream error
2026/02/08 23:07 30m retest repro git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci error
2025/12/04 18:26 14m retest repro upstream report log
2025/11/30 19:33 20m retest repro git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci report log
2025/09/25 00:12 11m retest repro upstream report log
2025/09/21 19:11 21m retest repro git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci report log
2025/07/27 18:17 22m contact@arnaud-lcm.com patch upstream OK log
2025/07/16 15:31 12m retest repro upstream report log
2025/07/13 12:11 19m retest repro git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci report log
Fix bisection attempts (11)
Created Duration User Patch Repo Result
2025/05/06 21:57 5m bisect fix upstream error job log
2025/04/05 02:29 2h39m bisect fix upstream OK (0) job log log
2025/03/01 14:41 1h37m bisect fix upstream OK (0) job log log
2025/01/28 06:06 1h58m bisect fix upstream OK (0) job log log
2024/12/21 03:38 3h00m bisect fix upstream OK (0) job log log
2024/11/07 02:13 1h56m bisect fix upstream OK (0) job log log
2024/09/01 02:13 1h36m bisect fix upstream OK (0) job log log
2024/07/13 09:51 2h27m bisect fix upstream OK (0) job log log
2024/06/07 01:47 1h29m bisect fix upstream OK (0) job log log
2024/04/22 12:41 1h46m bisect fix upstream OK (0) job log log
2024/03/21 13:50 1h48m bisect fix upstream OK (0) job log log

Sample crash report:
loop0: detected capacity change from 0 to 1024
==================================================================
BUG: KASAN: out-of-bounds in hfsplus_bnode_move+0x650/0x9c4 fs/hfsplus/bnode.c:228
Read of size 18446744073709551602 at addr ffff00000000104e by task syz-executor285/6097

CPU: 1 PID: 6097 Comm: syz-executor285 Not tainted 6.7.0-rc8-syzkaller-g0802e17d9aca #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023
Call trace:
 dump_backtrace+0x1b8/0x1e4 arch/arm64/kernel/stacktrace.c:291
 show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:298
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0xd0/0x124 lib/dump_stack.c:106
 print_address_description mm/kasan/report.c:364 [inline]
 print_report+0x174/0x514 mm/kasan/report.c:475
 kasan_report+0xd8/0x138 mm/kasan/report.c:588
 kasan_check_range+0x254/0x294 mm/kasan/generic.c:187
 __asan_memmove+0x3c/0x84 mm/kasan/shadow.c:94
 hfsplus_bnode_move+0x650/0x9c4 fs/hfsplus/bnode.c:228
 hfsplus_brec_insert+0x47c/0xaa0 fs/hfsplus/brec.c:128
 hfsplus_create_attr+0x3b0/0x568 fs/hfsplus/attributes.c:252
 __hfsplus_setxattr+0x980/0x1d00 fs/hfsplus/xattr.c:354
 hfsplus_initxattrs+0x150/0x20c fs/hfsplus/xattr_security.c:59
 security_inode_init_security+0x264/0x428 security/security.c:1668
 hfsplus_init_security+0x40/0x54 fs/hfsplus/xattr_security.c:71
 hfsplus_fill_super+0x1010/0x166c fs/hfsplus/super.c:567
 mount_bdev+0x1e8/0x2b4 fs/super.c:1650
 hfsplus_mount+0x44/0x58 fs/hfsplus/super.c:641
 legacy_get_tree+0xd4/0x16c fs/fs_context.c:662
 vfs_get_tree+0x90/0x288 fs/super.c:1771
 do_new_mount+0x25c/0x8c8 fs/namespace.c:3337
 path_mount+0x590/0xe04 fs/namespace.c:3664
 do_mount fs/namespace.c:3677 [inline]
 __do_sys_mount fs/namespace.c:3886 [inline]
 __se_sys_mount fs/namespace.c:3863 [inline]
 __arm64_sys_mount+0x45c/0x594 fs/namespace.c:3863
 __invoke_syscall arch/arm64/kernel/syscall.c:37 [inline]
 invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:51
 el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:136
 do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:155
 el0_svc+0x54/0x158 arch/arm64/kernel/entry-common.c:678
 el0t_64_sync_handler+0x84/0xfc arch/arm64/kernel/entry-common.c:696
 el0t_64_sync+0x190/0x194 arch/arm64/kernel/entry.S:595

The buggy address belongs to the physical page:
page:000000005b08f408 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x40001
flags: 0x1ffc00000000000(node=0|zone=0|lastcpupid=0x7ff)
page_type: 0xffffffff()
raw: 01ffc00000000000 fffffc0000000048 fffffc0000000048 0000000000000000
raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff000000000f00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff000000000f80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>ffff000000001000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                                              ^
 ffff000000001080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff000000001100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================

Crashes (3):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2024/01/21 06:56 git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci 0802e17d9aca 9bd8dcda .config console log report syz C [disk image] [vmlinux] [kernel image] [mounted in repro] ci-upstream-gce-arm64 KASAN: out-of-bounds Read in hfsplus_bnode_move
2024/01/21 05:19 upstream 125514880ddd 9bd8dcda .config strace log report syz C [disk image] [vmlinux] [kernel image] [mounted in repro] ci2-upstream-fs KASAN: out-of-bounds Read in hfsplus_bnode_move
2024/01/21 05:05 upstream 125514880ddd 9bd8dcda .config console log report info [disk image] [vmlinux] [kernel image] ci2-upstream-fs KASAN: out-of-bounds Read in hfsplus_bnode_move
* Struck through repros no longer work on HEAD.