syzbot

KASAN: out-of-bounds Read in hfsplus_bnode_move

Status: upstream: reported C repro on 2024/01/22 09:48
Subsystems: hfs
Reported-by: syzbot+6df204b70bf3261691c5@syzkaller.appspotmail.com
First crash: 827d, last: 144d
Cause bisection: the issue happens on the oldest tested release (bisect log)
Crash: KASAN: wild-memory-access Read in hfsplus_bnode_move (log)
Repro: C syz .config
Fix bisection: failed (error log, bisect log)
Discussions (1)
Title | Replies (including bot) | Last reply
[syzbot] [hfs?] KASAN: out-of-bounds Read in hfsplus_bnode_move | 1 (3) | 2025/07/27 18:52
Last patch testing requests (11)
Created | Duration | User | Patch | Repo | Result
2026/04/24 03:39 | 24m | retest repro | | upstream | OK log
2026/04/20 01:35 | 48m | retest repro | | git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci | error
2026/02/12 21:22 | 35m | retest repro | | upstream | error
2026/02/08 23:07 | 30m | retest repro | | git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci | error
2025/12/04 18:26 | 14m | retest repro | | upstream | report log
2025/11/30 19:33 | 20m | retest repro | | git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci | report log
2025/09/25 00:12 | 11m | retest repro | | upstream | report log
2025/09/21 19:11 | 21m | retest repro | | git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci | report log
2025/07/27 18:17 | 22m | contact@arnaud-lcm.com | patch | upstream | OK log
2025/07/16 15:31 | 12m | retest repro | | upstream | report log
2025/07/13 12:11 | 19m | retest repro | | git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci | report log
Fix bisection attempts (11)
Created | Duration | User | Patch | Repo | Result
2025/05/06 21:57 | 5m | bisect fix | | upstream | error job log
2025/04/05 02:29 | 2h39m | bisect fix | | upstream | OK (0) job log log
2025/03/01 14:41 | 1h37m | bisect fix | | upstream | OK (0) job log log
2025/01/28 06:06 | 1h58m | bisect fix | | upstream | OK (0) job log log
2024/12/21 03:38 | 3h00m | bisect fix | | upstream | OK (0) job log log
2024/11/07 02:13 | 1h56m | bisect fix | | upstream | OK (0) job log log
2024/09/01 02:13 | 1h36m | bisect fix | | upstream | OK (0) job log log
2024/07/13 09:51 | 2h27m | bisect fix | | upstream | OK (0) job log log
2024/06/07 01:47 | 1h29m | bisect fix | | upstream | OK (0) job log log
2024/04/22 12:41 | 1h46m | bisect fix | | upstream | OK (0) job log log
2024/03/21 13:50 | 1h48m | bisect fix | | upstream | OK (0) job log log

Sample crash report:
loop0: detected capacity change from 0 to 1024
==================================================================
BUG: KASAN: out-of-bounds in hfsplus_bnode_move+0x650/0x9c4 fs/hfsplus/bnode.c:228
Read of size 18446744073709551602 at addr ffff00000000104e by task syz-executor285/6097

CPU: 1 PID: 6097 Comm: syz-executor285 Not tainted 6.7.0-rc8-syzkaller-g0802e17d9aca #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023
Call trace:
 dump_backtrace+0x1b8/0x1e4 arch/arm64/kernel/stacktrace.c:291
 show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:298
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0xd0/0x124 lib/dump_stack.c:106
 print_address_description mm/kasan/report.c:364 [inline]
 print_report+0x174/0x514 mm/kasan/report.c:475
 kasan_report+0xd8/0x138 mm/kasan/report.c:588
 kasan_check_range+0x254/0x294 mm/kasan/generic.c:187
 __asan_memmove+0x3c/0x84 mm/kasan/shadow.c:94
 hfsplus_bnode_move+0x650/0x9c4 fs/hfsplus/bnode.c:228
 hfsplus_brec_insert+0x47c/0xaa0 fs/hfsplus/brec.c:128
 hfsplus_create_attr+0x3b0/0x568 fs/hfsplus/attributes.c:252
 __hfsplus_setxattr+0x980/0x1d00 fs/hfsplus/xattr.c:354
 hfsplus_initxattrs+0x150/0x20c fs/hfsplus/xattr_security.c:59
 security_inode_init_security+0x264/0x428 security/security.c:1668
 hfsplus_init_security+0x40/0x54 fs/hfsplus/xattr_security.c:71
 hfsplus_fill_super+0x1010/0x166c fs/hfsplus/super.c:567
 mount_bdev+0x1e8/0x2b4 fs/super.c:1650
 hfsplus_mount+0x44/0x58 fs/hfsplus/super.c:641
 legacy_get_tree+0xd4/0x16c fs/fs_context.c:662
 vfs_get_tree+0x90/0x288 fs/super.c:1771
 do_new_mount+0x25c/0x8c8 fs/namespace.c:3337
 path_mount+0x590/0xe04 fs/namespace.c:3664
 do_mount fs/namespace.c:3677 [inline]
 __do_sys_mount fs/namespace.c:3886 [inline]
 __se_sys_mount fs/namespace.c:3863 [inline]
 __arm64_sys_mount+0x45c/0x594 fs/namespace.c:3863
 __invoke_syscall arch/arm64/kernel/syscall.c:37 [inline]
 invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:51
 el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:136
 do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:155
 el0_svc+0x54/0x158 arch/arm64/kernel/entry-common.c:678
 el0t_64_sync_handler+0x84/0xfc arch/arm64/kernel/entry-common.c:696
 el0t_64_sync+0x190/0x194 arch/arm64/kernel/entry.S:595

The buggy address belongs to the physical page:
page:000000005b08f408 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x40001
flags: 0x1ffc00000000000(node=0|zone=0|lastcpupid=0x7ff)
page_type: 0xffffffff()
raw: 01ffc00000000000 fffffc0000000048 fffffc0000000048 0000000000000000
raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff000000000f00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff000000000f80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>ffff000000001000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                                              ^
 ffff000000001080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff000000001100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================

Crashes (3):
Time | Kernel | Commit | Syzkaller | Config | Log | Report | Syz repro | C repro | VM info | Assets | Manager | Title
2024/01/21 06:56 | git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci | 0802e17d9aca | 9bd8dcda | .config | console log | report | syz | C | | [disk image] [vmlinux] [kernel image] [mounted in repro] | ci-upstream-gce-arm64 | KASAN: out-of-bounds Read in hfsplus_bnode_move
2024/01/21 05:19 | upstream | 125514880ddd | 9bd8dcda | .config | strace log | report | syz | C | | [disk image] [vmlinux] [kernel image] [mounted in repro] | ci2-upstream-fs | KASAN: out-of-bounds Read in hfsplus_bnode_move
2024/01/21 05:05 | upstream | 125514880ddd | 9bd8dcda | .config | console log | report | | | info | [disk image] [vmlinux] [kernel image] | ci2-upstream-fs | KASAN: out-of-bounds Read in hfsplus_bnode_move
* Struck through repros no longer work on HEAD.