CVE-2025-40082

Source
https://cve.org/CVERecord?id=CVE-2025-40082
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-40082.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-40082
Published
2025-10-28T11:48:45.975Z
Modified
2026-03-13T04:07:18.865189Z
Summary
hfsplus: fix slab-out-of-bounds read in hfsplus_uni2asc()
Details

In the Linux kernel, the following vulnerability has been resolved:

hfsplus: fix slab-out-of-bounds read in hfsplus_uni2asc()

BUG: KASAN: slab-out-of-bounds in hfsplus_uni2asc+0xa71/0xb90 fs/hfsplus/unicode.c:186
Read of size 2 at addr ffff8880289ef218 by task syz.6.248/14290

CPU: 0 UID: 0 PID: 14290 Comm: syz.6.248 Not tainted 6.16.4 #1 PREEMPT(full)
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:94 [inline]
 dump_stack_lvl+0x116/0x1b0 lib/dump_stack.c:120
 print_address_description mm/kasan/report.c:378 [inline]
 print_report+0xca/0x5f0 mm/kasan/report.c:482
 kasan_report+0xca/0x100 mm/kasan/report.c:595
 hfsplus_uni2asc+0xa71/0xb90 fs/hfsplus/unicode.c:186
 hfsplus_listxattr+0x5b6/0xbd0 fs/hfsplus/xattr.c:738
 vfs_listxattr+0xbe/0x140 fs/xattr.c:493
 listxattr+0xee/0x190 fs/xattr.c:924
 filename_listxattr fs/xattr.c:958 [inline]
 path_listxattrat+0x143/0x360 fs/xattr.c:988
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xcb/0x4c0 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fe0e9fae16d
Code: 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fe0eae67f98 EFLAGS: 00000246 ORIG_RAX: 00000000000000c3
RAX: ffffffffffffffda RBX: 00007fe0ea205fa0 RCX: 00007fe0e9fae16d
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000200000000000
RBP: 00007fe0ea0480f0 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007fe0ea206038 R14: 00007fe0ea205fa0 R15: 00007fe0eae48000
 </TASK>

Allocated by task 14290:
 kasan_save_stack+0x24/0x50 mm/kasan/common.c:47
 kasan_save_track+0x14/0x30 mm/kasan/common.c:68
 poison_kmalloc_redzone mm/kasan/common.c:377 [inline]
 __kasan_kmalloc+0xaa/0xb0 mm/kasan/common.c:394
 kasan_kmalloc include/linux/kasan.h:260 [inline]
 __do_kmalloc_node mm/slub.c:4333 [inline]
 __kmalloc_noprof+0x219/0x540 mm/slub.c:4345
 kmalloc_noprof include/linux/slab.h:909 [inline]
 hfsplus_find_init+0x95/0x1f0 fs/hfsplus/bfind.c:21
 hfsplus_listxattr+0x331/0xbd0 fs/hfsplus/xattr.c:697
 vfs_listxattr+0xbe/0x140 fs/xattr.c:493
 listxattr+0xee/0x190 fs/xattr.c:924
 filename_listxattr fs/xattr.c:958 [inline]
 path_listxattrat+0x143/0x360 fs/xattr.c:988
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xcb/0x4c0 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

When hfsplus_uni2asc is called from hfsplus_listxattr, it actually passes in a struct hfsplus_attr_unistr *. The size of the corresponding structure is different from that of hfsplus_unistr, so the previous fix (94458781aee6) is insufficient. The pointer on the unicode buffer is still going beyond the allocated memory.

This patch introduces two wrapper functions hfsplus_uni2asc_xattr_str and hfsplus_uni2asc_str to process two unicode buffers, struct hfsplus_attr_unistr * and struct hfsplus_unistr * respectively. When ustrlen value is bigger than the allocated memory size, the ustrlen value is limited to a safe size.

Database specific
{
    "cna_assigner": "Linux",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/40xxx/CVE-2025-40082.json"
}
Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
ccf0ad56a779e6704c0b27f555dec847f50c7557
Fixed
343fe375a8dd6ee51a193a1c233b999f5ea4d479
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
13604b1d7e7b125fb428cddbec6b8d92baad25d5
Fixed
782acde47e127c98a113726e2ff8024bd65c0454
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
291bb5d931c6f3cd7227b913302a17be21cf53b0
Fixed
c3db89ea1ed3d540eebe8f3c36e806fb75ee4a1e
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
f7534cbfac0a9ffa4fa17cacc6e8b6446dae24ee
Fixed
5b5228964619b180f366940505b77255b1a03929
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
94458781aee6045bd3d0ad4b80b02886b9e2219b
Fixed
857aefc70d4ae3b9bf1ae67434d27d0f79f80c9e
Fixed
bea3e1d4467bcf292c8e54f080353d556d355e26
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
73f7da507d787b489761a0fa280716f84fa32b2f
Last affected
76a4c6636a69d69409aa253b049b1be717a539c5
Last affected
6f93694bcbc2c2ab3e01cd8fba2f296faf34e6b9
Last affected
1ca69007e52a73bd8b84b988b61b319816ca8b01

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-40082.json"