
CVE-2025-40243: Uninitialized Value Vulnerability Patched in Linux Kernel HFS Driver

Overview

CVE-2025-40243 is an uninitialized-value bug in the Linux kernel’s Hierarchical File System (HFS) driver. KernelMemorySanitizer (KMSAN) flagged a read of uninitialized memory in hfs_find_set_zero_bits(), the routine that scans the in-memory volume bitmap for free allocation blocks, and syzbot reported it. Because that bitmap decides which disk blocks are handed to files, stale contents in it can produce wrong allocations, data corruption or kernel instability. The fix zero-initializes the bitmap buffer when the volume is mounted.

Technical Details

KMSAN reports the uninitialized read in fs/hfs/bitmap.c, inside hfs_find_set_zero_bits(), but that function is only where the stale data is consumed. The root cause is how the in-memory volume bitmap is allocated: hfs_mdb_get() in fs/hfs/mdb.c obtained the buffer with kmalloc(), which returns memory whose contents are whatever its previous user left behind. Any part of the buffer that the driver does not subsequently overwrite from the on-disk volume bitmap keeps those leftovers, so the free-block search can see bits the driver never wrote and mistake used blocks for free ones (or the reverse).

The syzbot report shows the read being reached from the file-extension path, i.e. a write that needs new allocation blocks:

BUG: KMSAN: uninit-value in hfs_find_set_zero_bits+0x74d/0xb60 fs/hfs/bitmap.c:45
 hfs_find_set_zero_bits+0x74d/0xb60 fs/hfs/bitmap.c:45
 hfs_vbm_search_free+0x13c/0x5b0 fs/hfs/bitmap.c:151
 hfs_extend_file+0x6a5/0x1b00 fs/hfs/extent.c:408
 hfs_get_block+0x435/0x1150 fs/hfs/extent.c:353
 ... (rest of the stack trace) ...

The root cause is that the HFS_SB(sb)->bitmap buffer, allocated with kmalloc(8192, GFP_KERNEL) in hfs_mdb_get(), is never cleared. kmalloc() makes no promise about the contents of the memory it returns, so every byte that is not later overwritten with on-disk bitmap data is undefined, and bitmap lookups over those bytes return whatever happened to be there.

CVSS Analysis

The CVE record lists the severity as N/A with no CVSS score. This is the normal practice of the Linux kernel CNA, which assigns CVE IDs to fixed bugs but does not publish CVSS scores or severity ratings; it says nothing about whether the bug is harmless. Since a filesystem driver trusting undefined data in its allocation bitmap can corrupt data or crash the kernel, the patch should be applied promptly, especially on systems that mount HFS volumes, including removable or untrusted media.

Possible Impact

The uninitialized value in the HFS volume bitmap can lead to several consequences:

  • Data Corruption: A stale bit that reads as 0 marks a block free that is actually in use. The block can then be handed out a second time, and the two files overwrite each other’s data on disk.
  • System Instability: A bitmap that does not match the volume can make the driver return I/O errors, report a volume as full when it is not, or trigger kernel panics.
  • Unpredictable Behavior: Because the stale contents depend on what previously occupied the memory, the same operations can behave differently from mount to mount, which makes the problem hard to reproduce and debug.

Mitigation or Patch Steps

The recommended solution is to run a kernel containing the fix, which replaces kmalloc() with kzalloc() so that the bitmap buffer is zero-filled before any part of it is read. The patch has been backported to stable kernel series; update to a patched kernel as soon as possible. Until then, hosts that never need to mount HFS volumes can reduce exposure by preventing the hfs module from loading (for example an `install hfs /bin/false` line in a file under /etc/modprobe.d/), since the bitmap is only read when a volume is mounted.

Specifically, the fix changes the memory allocation in fs/hfs/mdb.c from:

HFS_SB(sb)->bitmap = kmalloc(8192, GFP_KERNEL);

to:

HFS_SB(sb)->bitmap = kzalloc(8192, GFP_KERNEL);

kzalloc() returns zero-filled memory, so every byte the driver does not subsequently load from disk reads deterministically as zero rather than as leftover data, which removes the uninitialized-value condition.
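To make the difference between the two allocations concrete, here is an added example (my own C for this article, not kernel code) that models the volume bitmap search on a user-space buffer. It keeps the contract of hfs_find_set_zero_bits(): find a run of zero bits, mark them used, return the first block, with bits stored most-significant-bit first as in the on-disk HFS bitmap. The 8192-byte buffer size matches the driver’s allocation; the on-disk bitmap contents, the 0xa5 stand-in for allocator leftovers, and the function names are constructed for the example.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define BITMAP_BYTES 8192u        /* buffer size hfs_mdb_get() allocates */
#define NO_SPACE     UINT32_MAX   /* "no free run found" */

/* The HFS volume bitmap is stored most-significant-bit first:
 * block 0 is the top bit of byte 0. A set bit means "in use". */
static int test_bit(const uint8_t *bm, uint32_t n)
{
    return (bm[n / 8] >> (7 - (n % 8))) & 1;
}

static void set_bit(uint8_t *bm, uint32_t n)
{
    bm[n / 8] |= (uint8_t)(0x80u >> (n % 8));
}

/* Model of hfs_find_set_zero_bits(): scan bits [start, total_bits) for a run
 * of `len` zero bits, set them and return the first one, or NO_SPACE. */
static uint32_t find_set_zero_bits(uint8_t *bm, uint32_t total_bits,
                                   uint32_t start, uint32_t len)
{
    uint32_t run = 0;

    for (uint32_t i = start; i < total_bits; i++) {
        if (test_bit(bm, i)) {
            run = 0;
            continue;
        }
        if (++run == len) {
            uint32_t first = i + 1 - len;
            for (uint32_t j = first; j <= i; j++)
                set_bit(bm, j);
            return first;
        }
    }
    return NO_SPACE;
}

/* Constructed on-disk bitmap: 32 allocation blocks, 0..23 in use, 24..31 free. */
static const uint8_t disk_bitmap[] = { 0xff, 0xff, 0xff, 0x00 };

/* Build the in-memory bitmap the way hfs_mdb_get() does: allocate 8192 bytes,
 * then copy the on-disk bitmap into the front. `zeroed` mimics kzalloc();
 * otherwise the buffer starts as 0xa5, a constructed stand-in for whatever
 * kmalloc() happened to leave there (real leftovers are arbitrary). */
static uint8_t *load_bitmap(int zeroed)
{
    uint8_t *bm = malloc(BITMAP_BYTES);
    if (!bm)
        abort();
    memset(bm, zeroed ? 0x00 : 0xa5, BITMAP_BYTES);
    memcpy(bm, disk_bitmap, sizeof disk_bitmap);
    return bm;
}

/* Request `len` blocks with `total_bits` bits in scope. Once total_bits exceeds
 * the 32 bits the disk copy covered, the scan reads bytes the fill never wrote. */
static uint32_t allocate_blocks(int zeroed, uint32_t total_bits, uint32_t len)
{
    uint8_t *bm = load_bitmap(zeroed);
    uint32_t first = find_set_zero_bits(bm, total_bits, 0, len);

    free(bm);
    return first;
}

int main(void)
{
    /* Inside the filled region both variants agree: 8 free blocks at 24. */
    printf("8 blocks, kmalloc-style:  %" PRIu32 "\n", allocate_blocks(0, 32, 8));
    printf("8 blocks, kzalloc-style:  %" PRIu32 "\n", allocate_blocks(1, 32, 8));
    /* A 16-block run must extend into the unfilled tail. 0xa5 has bits set,
     * so the kmalloc-style buffer reports NO_SPACE; kzalloc-style returns 24. */
    printf("16 blocks, kmalloc-style: %" PRIu32 "\n", allocate_blocks(0, 64, 16));
    printf("16 blocks, kzalloc-style: %" PRIu32 "\n", allocate_blocks(1, 64, 16));
    return 0;
}
```

With a different leftover pattern (say, zeros beyond the fill) the same request would instead succeed and hand out blocks that are not backed by anything on disk; which failure you get depends on what the previous user of the memory left behind, and that non-determinism is exactly what the kzalloc() change removes. The example widens the search scope past the 32 on-disk blocks only to make the scan reach unfilled bytes; the lesson is that every byte of the buffer must be defined before any scan touches it.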

Cybersecurity specialist and founder of Gowri Shankar Infosec - a professional blog dedicated to sharing actionable insights on cybersecurity, data protection, server administration, and compliance frameworks including SOC 2, PCI DSS, and GDPR.
