CVE-2025-40243

Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
04/12/2025
Last modified:
04/12/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

hfs: fix KMSAN uninit-value issue in hfs_find_set_zero_bits()

syzbot reported an issue in hfs_find_set_zero_bits():

=====================================================
BUG: KMSAN: uninit-value in hfs_find_set_zero_bits+0x74d/0xb60 fs/hfs/bitmap.c:45
hfs_find_set_zero_bits+0x74d/0xb60 fs/hfs/bitmap.c:45
hfs_vbm_search_free+0x13c/0x5b0 fs/hfs/bitmap.c:151
hfs_extend_file+0x6a5/0x1b00 fs/hfs/extent.c:408
hfs_get_block+0x435/0x1150 fs/hfs/extent.c:353
__block_write_begin_int+0xa76/0x3030 fs/buffer.c:2151
block_write_begin fs/buffer.c:2262 [inline]
cont_write_begin+0x10e1/0x1bc0 fs/buffer.c:2601
hfs_write_begin+0x85/0x130 fs/hfs/inode.c:52
cont_expand_zero fs/buffer.c:2528 [inline]
cont_write_begin+0x35a/0x1bc0 fs/buffer.c:2591
hfs_write_begin+0x85/0x130 fs/hfs/inode.c:52
hfs_file_truncate+0x1d6/0xe60 fs/hfs/extent.c:494
hfs_inode_setattr+0x964/0xaa0 fs/hfs/inode.c:654
notify_change+0x1993/0x1aa0 fs/attr.c:552
do_truncate+0x28f/0x310 fs/open.c:68
do_ftruncate+0x698/0x730 fs/open.c:195
do_sys_ftruncate fs/open.c:210 [inline]
__do_sys_ftruncate fs/open.c:215 [inline]
__se_sys_ftruncate fs/open.c:213 [inline]
__x64_sys_ftruncate+0x11b/0x250 fs/open.c:213
x64_sys_call+0xfe3/0x3db0 arch/x86/include/generated/asm/syscalls_64.h:78
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xd9/0x210 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f

Uninit was created at:
slab_post_alloc_hook mm/slub.c:4154 [inline]
slab_alloc_node mm/slub.c:4197 [inline]
__kmalloc_cache_noprof+0x7f7/0xed0 mm/slub.c:4354
kmalloc_noprof include/linux/slab.h:905 [inline]
hfs_mdb_get+0x1cc8/0x2a90 fs/hfs/mdb.c:175
hfs_fill_super+0x3d0/0xb80 fs/hfs/super.c:337
get_tree_bdev_flags+0x6e3/0x920 fs/super.c:1681
get_tree_bdev+0x38/0x50 fs/super.c:1704
hfs_get_tree+0x35/0x40 fs/hfs/super.c:388
vfs_get_tree+0xb0/0x5c0 fs/super.c:1804
do_new_mount+0x738/0x1610 fs/namespace.c:3902
path_mount+0x6db/0x1e90 fs/namespace.c:4226
do_mount fs/namespace.c:4239 [inline]
__do_sys_mount fs/namespace.c:4450 [inline]
__se_sys_mount+0x6eb/0x7d0 fs/namespace.c:4427
__x64_sys_mount+0xe4/0x150 fs/namespace.c:4427
x64_sys_call+0xfa7/0x3db0 arch/x86/include/generated/asm/syscalls_64.h:166
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xd9/0x210 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f

CPU: 1 UID: 0 PID: 12609 Comm: syz.1.2692 Not tainted 6.16.0-syzkaller #0 PREEMPT(none)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2025
=====================================================

The HFS_SB(sb)->bitmap buffer is allocated in hfs_mdb_get():

HFS_SB(sb)->bitmap = kmalloc(8192, GFP_KERNEL);

Finally, it can trigger the reported issue because kmalloc()
doesn't clear the allocated memory. If the allocated memory contains
only zeros, then everything will work pretty fine.
But if the allocated memory contains "garbage", then
it can affect the bitmap operations and it triggers
the reported issue.

This patch simply exchanges the kmalloc() for kzalloc()
with the goal to guarantee the correctness of bitmap operations.
Because a newly created allocation bitmap should have all
available blocks free. Potentially, the bitmap's initialization read
operation might not fill the whole allocated memory, and
"garbage" in the uninitialized memory will be the cause of
volume corruptions and file system driver bugs.
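The kmalloc()/kzalloc() difference the commit message describes, as an added illustration in C that is not kernel code and not part of this record: when the on-disk read fills fewer than the 8192 bytes, the tail of the bitmap keeps whatever the allocation held, and the first "free" block the allocator picks then depends on stale heap contents. read_bitmap(), mdb_load_bitmap(), first_free_block() and the STALE_FILL byte are constructed stand-ins, not HFS functions.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model of the allocation-bitmap setup in hfs_mdb_get().
 * The kernel reads the volume bitmap into an 8192-byte buffer; here a
 * hypothetical read_bitmap() may fill fewer bytes (a short read) and
 * leave the tail untouched, which is the case the fix is about. */
#define BITMAP_BYTES 8192
#define BITMAP_BITS  (BITMAP_BYTES * 8)
#define STALE_FILL   0xA5  /* stands in for whatever the slab cache held before */

/* Hypothetical read: copies at most vol_len bytes, like a short on-disk read. */
static size_t read_bitmap(uint8_t *dst, const uint8_t *vol, size_t vol_len) {
    size_t n = vol_len < BITMAP_BYTES ? vol_len : BITMAP_BYTES;
    memcpy(dst, vol, n);
    return n;
}

/* Simplified hfs_find_set_zero_bits(): find the first clear bit at or after
 * `start` (MSB-first within each byte), set it and return its index, or
 * BITMAP_BITS if every block is marked in use. */
uint32_t find_set_zero_bit(uint8_t *bm, uint32_t start) {
    for (uint32_t i = start; i < BITMAP_BITS; i++) {
        uint8_t mask = (uint8_t)(0x80 >> (i & 7));
        if (!(bm[i >> 3] & mask)) { bm[i >> 3] |= mask; return i; }
    }
    return BITMAP_BITS;
}

/* Build the in-memory bitmap the way the mount path does. zeroed == 0 models
 * kmalloc() (vulnerable: the unread tail keeps stale contents, modelled here
 * by STALE_FILL); zeroed != 0 models the kzalloc() fix. */
uint8_t *mdb_load_bitmap(int zeroed, const uint8_t *vol, size_t vol_len) {
    uint8_t *bm = malloc(BITMAP_BYTES);
    if (!bm) return NULL;
    memset(bm, zeroed ? 0x00 : STALE_FILL, BITMAP_BYTES);
    read_bitmap(bm, vol, vol_len);
    return bm;
}

/* First block the allocator hands out when the on-disk bitmap (constructed:
 * all 0xFF, every block in use) is only vol_len bytes long. */
uint32_t first_free_block(int zeroed, size_t vol_len) {
    uint8_t vol[BITMAP_BYTES];
    memset(vol, 0xFF, sizeof vol);
    uint8_t *bm = mdb_load_bitmap(zeroed, vol, vol_len);
    uint32_t blk = bm ? find_set_zero_bit(bm, 0) : BITMAP_BITS;
    free(bm);
    return blk;
}
```

With a 1024-byte short read the zeroed bitmap hands out block 8192, the first block past the data actually read, while the unzeroed one hands out whichever block the stale bytes happen to leave clear.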

Impact