Linux HFS CVE-2025-40243 Patch: Zeroed 8KB Bitmap with kzalloc

The Linux kernel has closed a small but consequential memory‑safety gap in the HFS driver: CVE‑2025‑40243 fixes a KMSAN‑reported uninitialized‑value read in hfs_find_set_zero_bits by ensuring the HFS volume bitmap is allocated zeroed (kzalloc) instead of with kmalloc, removing a source of unpredictable bitmap contents that could lead to incorrect allocation decisions and kernel failures.

Background / Overview​

HFS (and HFS+) support in the Linux kernel provides read/write access to Apple HFS volumes. The recent CVE entry describes a sanitizer (KMSAN) discovery — reported by automated fuzzing (syzbot) — where the HFS volume bitmap buffer could contain uninitialized memory after allocation, leading to a KMSAN uninit‑value report when the bitmap code inspected its contents. The issue was addressed upstream by changing the allocation to guarantee zero initialization of the bitmap area. This class of fix is simple in code but important in practice: filesystems assume on‑disk metadata and in‑memory initialization follow strict contracts. When those contracts break — for example, by allocating a buffer that remains partially uninitialized because on‑disk reads do not fill the entire buffer — subsequent code that processes the data can behave incorrectly. In this instance, the kernel’s HFS mount path allocated an 8KB bitmap buffer with kmalloc, then read only the number of bytes needed from disk; any remaining bytes were left as indeterminate heap contents, which KMSAN flagged and which can produce wrong bitmap decisions when those bytes are accessed.

---

Technical anatomy: where and why the bug happened​

What KMSAN reported​

The sanitizer trace supplied in public reports shows the callstack and the precise site of the KMSAN warning: the uninitialized read occurred in fs/hfs/bitmap.c (hfs_find_set_zero_bits and the caller chain through hfs_vbm_search_free, hfs_extend_file, hfs_get_block, and the file truncate/write paths). The trace indicates the bitmap buffer had unread bytes that had never been cleared.

Root cause (concise)​

• The bitmap buffer for the HFS volume was allocated using kmalloc(8192, GFP_KERNEL) (8 KB), which does not zero memory.
• The code then performed a read loop to copy the volume bitmap from disk into the buffer using the number of bytes derived from the filesystem’s block count: size = (fs_ablocks + 8) / 8.
• On many volume sizes, that computed size is smaller than 8192 bytes, so only part of the allocated buffer is filled by the disk reads.
• The remainder of the buffer therefore contains whatever data was present in the newly allocated slab, and subsequent bitmap inspections read that garbage — KMSAN flagged the read as uninitialized.

Why kmalloc→kzalloc fixes it​

Replacing kmalloc with kzalloc ensures the whole 8KB buffer is zeroed at allocation time. Zero bits in the bitmap conventionally represent free blocks in the allocation map. By guaranteeing that any bytes not supplied by the disk read remain zero, the code maintains a correct, conservative semantics: uninitialized regions behave as free space rather than as random allocated bits that could cause incorrect allocation logic, filesystem corruption, or crashes. The upstream patch is therefore a small, low‑risk, correctness change.

---

Patch details and upstream timeline​

• The upstream patch changes the allocation site in fs/hfs/mdb.c from:
• HFS_SB(sb)->bitmap = kmalloc(8192, GFP_KERNEL);
  to:
• HFS_SB(sb)->bitmap = kzalloc(8192, GFP_KERNEL);
  This single‑line substitution appears in the upstream patch series and stable backport threads.
• The fix was submitted to the kernel mailing lists and accepted into stable backports (the patch metadata shows the author, a Syzkaller reporter acknowledgement, and Signed‑off‑by lines typical of kernel stable patches). Public vulnerability trackers and OSV imported the CVE and map the fix to upstream commit(s). The CVE record was published to public databases and vendor trackers in early December 2025 while the patch itself was prepared in the upstream flow earlier (patch submission and stable‑merge timeline visible in kernel lists).
• The KMSAN reproduction and the syzbot trace used in the report provide strong evidence the issue is a real correctness problem rather than a false positive: the sanitizer showed the allocation site and the code paths that subsequently read the buffer unintentionally. That kind of trace makes the vulnerability straightforward to reason about and test.

---

Impact, exploitability and realistic risk model​

What the bug can do​

In its published form, CVE‑2025‑40243 is primarily a correctness / availability / data‑integrity concern:

• Worst practical outcomes include incorrect block allocation decisions, inconsistent filesystem state, shortsighted allocation that could lead to corruption or unexpected behavior, and visible kernel sanitizer traces or oopses in debug builds.
• Because the immediate root is uninitialized bytes in an allocation bitmap, the direct, simple attacker outcome is unpredictable allocation behavior — not an obvious remote code execution primitive by itself. That said, memory‑safety bugs in kernel code are always material because they can occasionally form a stepping stone in a multi‑stage chain.

Attack surface and preconditions​

• The HFS code executes during mount and normal file I/O for HFS volumes. Exploitation that triggers the vulnerable path requires the ability to mount or otherwise cause the kernel to read and manipulate HFS volume metadata — for example, by attaching a crafted image (loopback, virtual disk) or mounting removable media containing a malformed HFS filesystem.
• The vector is therefore local in the sense that an attacker needs to supply the crafted filesystem image or run on a system that auto‑mounts untrusted media. It is not a network remote‑service exploit where any unauthenticated remote attacker can trigger the kernel path across the network without local access.

How serious is it?​

• For most desktop users the practical risk is low if they do not routinely mount HFS volumes from untrusted sources. For multi‑tenant infrastructure, virtualization hosts, CI image ingestion services, or systems that auto‑process third‑party images, risk is materially higher because a single crafted image could influence host kernel behavior.
• The fix is small and deterministic, and no public PoC demonstrating remote privilege escalation or RCE was published with the CVE at the time of indexing; treat RCE claims as unverified unless credible exploit code appears. Nevertheless, the fix is high‑value to apply on systems that mount or process HFS images.

---

Detection, telemetry and incident hunting​

Practical signals to watch for in host telemetry:

• Kernel logs (dmesg / journalctl -k) showing KMSAN warnings that reference hfs_find_set_zero_bits, hfs_vbm_search_free, or functions in fs/hfs/*. A sanitizer or KASAN log is an explicit indicator and useful in staged testing where kernel sanitizers are enabled.
• Unusual kernel oops or filesystem errors reported during mount of HFS filesystems, particularly when mounting images that are not from trusted sources. Search for stack frames that include fs/hfs/bitmap.c and fs/hfs/mdb.c.
• If you run automated image‑ingestion pipelines, add checks that alert on failed mounts, I/O errors during mount, or repeated unclean mount warnings from HFS handling, and correlate these with who supplied the image.

Hunting recipe (concise):

• 1. Run: journalctl -k | grep -i hfs
• 2. Look for sanitizer/KASAN lines and stack traces referencing hfs_find_set_zero_bits or hfs_mdb_get.
• 3. If present, preserve dmesg and system logs and isolate the offending image or host for forensics.

---

Remediation and operational playbook​

The authoritative remediation is to install a kernel that includes the upstream fix (or vendor backport) and reboot into the patched kernel. Because this is a kernel‑level memory‑safety correctness change, a reboot is required to replace the running kernel image.
Step‑by‑step priorities:

• Inventory and scope
• Run uname -r to gather running kernel versions across your fleet.
• Identify hosts that may mount HFS volumes (desktop workstations used by macOS exchange users, build hosts that import Mac images, virtualization hosts that accept guest attachments, and embedded systems that may mount HFS media).
• Check vendor advisories
• Consult your distribution’s security tracker and vendor kernel changelog to locate the package version or kernel release that includes the HFS kzalloc fix.
• Where vendor advisories are not yet published, monitor upstream stable‑tree commits and vendor backports.
• Test and stage
• Stage the updated kernel in a pilot environment that mimics production mounts and image workflows.
• Validate normal HFS mount and I/O operations in the staged kernel.
• Deploy and reboot
• Roll updates in waves, coordinate reboots, and monitor kernel logs closely after each wave.
• For large fleets, use rolling reboots to maintain service continuity.
• Temporary compensations (if you cannot immediately patch)
• Restrict the ability to mount untrusted HFS images: remove mount privileges from untrusted accounts, disable auto‑mounting, or process untrusted images in isolated containers or ephemeral hosts that can be patched quickly.
• For virtualization platforms, avoid auto‑attaching untrusted guest images to running VMs or hosts until patched.
• Post‑deployment verification
• Confirm the patched kernel is running (uname -a), and check package changelogs mention the HFS patch or upstream commit.
• Monitor logs for residual KMSAN/KASAN reports or hfs-related oops traces for several maintenance cycles.

---

Vendor mapping, distribution backports and timeline​

• Upstream submission and acceptance into stable trees happened via the kernel lists and stable backport flows; the patch series and stable replacement commits are visible in kernel mailing‑list archives and stable‑mirror threads. Public trackers indicate the patch landed upstream earlier than the CVE publication; the CVE was indexed by public databases in early December 2025 while the upstream patch appeared in the upstream/stable flow in August 2025. Cross‑checking upstream commit metadata with your vendor’s kernel changelog is the practical way to know whether your vendor provided a backported package.
• Major distributions and OSV/DEBIAN trackers import CVE records and will map them to vendor packages; check Debian, Ubuntu, RHEL, SUSE, and your vendor’s security portal for the exact package version that contains the fix before rolling out. If coordinating with embedded/OEM vendors, contact their support channels because vendor forked kernels can lag upstream backports considerably.

---

Strengths of the upstream response — and residual caveats​

Strengths:

• Surgical fix: The patch is a single, low‑risk change that preserves happy‑path semantics while removing undefined behavior. This makes testing straightforward and backporting to stable branches practical.
• Deterministic remediation: Zeroing the bitmap yields conservative, predictable behavior (treat unknown bits as free), which is easier to validate than more invasive design changes.
• Traceable exposure: The syzbot/KMSAN reproduction provides a clear trace and a simple assertion of the problem; that aids reviewers and maintainers.

Residual caveats and risks:

• Distribution/OEM lag: The longest tail for exposure will be vendor kernel trees and embedded devices that do not receive rapid backports. Those devices can remain vulnerable until vendor images are updated.
• Operational detection gaps: In production kernels built without sanitizers, the condition may not be visible unless it manifests in a reproducible crash or filesystem corruption. Organizations without centralized kernel log aggregation may miss transient evidence.
• Chaining potential: While the isolated fix is low‑risk, uninitialized reads can be one primitive in complex exploitation chains. Treat filesystem parsing correctness as part of a broader hardening posture.

---

Practical recommendations (concise checklist)​

• Map hosts that mount HFS volumes; prioritize multi‑tenant, CI, and image‑ingestion hosts for rapid patching.
• Apply vendor kernel updates that state they include the HFS kzalloc fix; patch and reboot.
• If you manage embedded/OEM devices, open a support case and request a vendor backport or mitigations; apply network segmentation or privilege restrictions as interim mitigation.
• Tighten mount privileges and disable auto‑mounting of removable media where untrusted attachments are possible.
• Add SIEM rules that look for KMSAN/KASAN traces referencing hfs_* symbols and collect kernel logs centrally for rapid triage.

---

Closing analysis​

CVE‑2025‑40243 is an archetypal example of how small allocation semantics mistakes in kernel code produce outsized operational risk: a mismatched allocation helper (kmalloc vs kzalloc) left part of a filesystem’s in‑memory bitmap undefined, and sanitizer tooling (KMSAN via syzbot) revealed the condition. The upstream fix is appropriately minimal — zero the buffer — which is both correct by filesystem semantics and safe to backport to stable kernels. Organizations should prioritize patching based on exposure: hosts that mount or process untrusted HFS images should be updated and rebooted without delay, while embedded and vendor‑maintained images require active coordination with suppliers to close the long tail. Cautionary note: the public CVE/DB entries and upstream commit metadata were consulted for this analysis; confirm the exact vendor package versions and kernel release numbers that include the change before asserting a host is remediated. Some advisory pages (including the Microsoft Security Response Guide) require interactive rendering to view details and may present vendor mapping differently; always cross‑check your vendor’s security advisory or package changelog to validate the fix for your specific distribution and kernel ABI.

---

The kernel patch restores a simple but important contract: allocation bitmaps created in memory must start in a deterministic state. That principle — defensive initialization of critical metadata — is a small engineering discipline that prevents a surprising class of filesystem correctness failures, and this fix restores that discipline in the HFS code path.

---

Source: MSRC Security Update Guide - Microsoft Security Response Center