tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
head: b047602d579b4fb028128a525f056bbdc890e7f0
commit: a97b693c3712f040c5802f32b2d685352e08cefa uaccess: fix nios2 and microblaze get_user_8()
config: nios2-randconfig-m031-20220712 (https://download.01.org/0day-ci/archive/20220713/[email protected]/config)
compiler: nios2-linux-gcc (GCC) 11.3.0
If you fix the issue, kindly add the following tags where applicable:
Reported-by: kernel test robot <[email protected]>
Reported-by: Dan Carpenter <[email protected]>
New smatch warnings:
fs/nfsd/nfs4recover.c:814 __cld_pipe_inprogress_downcall() error: uninitialized symbol 'princhashlen'.
vim +/princhashlen +814 fs/nfsd/nfs4recover.c
74725959c33c141 Scott Mayhew 2019-03-26 789 static ssize_t
6ee95d1c899186c Scott Mayhew 2019-09-09 790 __cld_pipe_inprogress_downcall(const struct cld_msg_v2 __user *cmsg,
74725959c33c141 Scott Mayhew 2019-03-26 791 struct nfsd_net *nn)
74725959c33c141 Scott Mayhew 2019-03-26 792 {
6ee95d1c899186c Scott Mayhew 2019-09-09 793 uint8_t cmd, princhashlen;
6ee95d1c899186c Scott Mayhew 2019-09-09 794 struct xdr_netobj name, princhash = { .len = 0, .data = NULL };
74725959c33c141 Scott Mayhew 2019-03-26 795 uint16_t namelen;
8a9f4f41248a4dc Scott Mayhew 2019-03-26 796 struct cld_net *cn = nn->cld_net;
74725959c33c141 Scott Mayhew 2019-03-26 797
74725959c33c141 Scott Mayhew 2019-03-26 798 if (get_user(cmd, &cmsg->cm_cmd)) {
74725959c33c141 Scott Mayhew 2019-03-26 799 dprintk("%s: error when copying cmd from userspace", __func__);
74725959c33c141 Scott Mayhew 2019-03-26 800 return -EFAULT;
74725959c33c141 Scott Mayhew 2019-03-26 801 }
74725959c33c141 Scott Mayhew 2019-03-26 802 if (cmd == Cld_GraceStart) {
6ee95d1c899186c Scott Mayhew 2019-09-09 803 if (nn->client_tracking_ops->version >= 2) {
6ee95d1c899186c Scott Mayhew 2019-09-09 804 const struct cld_clntinfo __user *ci;
6ee95d1c899186c Scott Mayhew 2019-09-09 805
6ee95d1c899186c Scott Mayhew 2019-09-09 806 ci = &cmsg->cm_u.cm_clntinfo;
6ee95d1c899186c Scott Mayhew 2019-09-09 807 if (get_user(namelen, &ci->cc_name.cn_len))
6ee95d1c899186c Scott Mayhew 2019-09-09 808 return -EFAULT;
6ee95d1c899186c Scott Mayhew 2019-09-09 809 name.data = memdup_user(&ci->cc_name.cn_id, namelen);
6ee95d1c899186c Scott Mayhew 2019-09-09 810 if (IS_ERR_OR_NULL(name.data))
6ee95d1c899186c Scott Mayhew 2019-09-09 811 return -EFAULT;
6ee95d1c899186c Scott Mayhew 2019-09-09 812 name.len = namelen;
6ee95d1c899186c Scott Mayhew 2019-09-09 813 get_user(princhashlen, &ci->cc_princhash.cp_len);
The return value of this get_user() is not checked, so if the copy from userspace faults, 'princhashlen' is never written and the `if (princhashlen > 0)` test on the next line branches on whatever happened to be on the stack. The fix is to test the return value and bail out with -EFAULT, and because name.data was already allocated by memdup_user() a few lines earlier, that early return must kfree(name.data) first or it leaks the buffer. (The existing `return -EFAULT` after the princhash memdup_user() below already has that leak: it returns without freeing name.data.)
It's weird that we're only just now catching a 2019 bug, but I guess the
"uaccess: fix nios2 and microblaze get_user_8()" patch makes get_user()
simple enough for Smatch to parse on that architecture. On x86 the
accessor is implemented in assembly, so Smatch cannot see its error path
and never noticed that the variable stays uninitialized on failure.
This bug is still present upstream.
6ee95d1c899186c Scott Mayhew 2019-09-09 @814 if (princhashlen > 0) {
6ee95d1c899186c Scott Mayhew 2019-09-09 815 princhash.data = memdup_user(
6ee95d1c899186c Scott Mayhew 2019-09-09 816 &ci->cc_princhash.cp_data,
6ee95d1c899186c Scott Mayhew 2019-09-09 817 princhashlen);
6ee95d1c899186c Scott Mayhew 2019-09-09 818 if (IS_ERR_OR_NULL(princhash.data))
6ee95d1c899186c Scott Mayhew 2019-09-09 819 return -EFAULT;
As an aside, memdup_user() never returns NULL - it returns either a valid
pointer or an ERR_PTR() - so the IS_ERR_OR_NULL() checks in this function
could be plain IS_ERR(). (As a rule, a function that returns a mix of
error pointers and NULL is implementing an optional feature such as LEDs
or power management, where NULL is not an error but means the feature was
deliberately disabled; using IS_ERR_OR_NULL() on a function without that
contract just hides which convention the callee actually follows.)
6ee95d1c899186c Scott Mayhew 2019-09-09 820 princhash.len = princhashlen;
6ee95d1c899186c Scott Mayhew 2019-09-09 821 } else
6ee95d1c899186c Scott Mayhew 2019-09-09 822 princhash.len = 0;
6ee95d1c899186c Scott Mayhew 2019-09-09 823 } else {
6ee95d1c899186c Scott Mayhew 2019-09-09 824 const struct cld_name __user *cnm;
6ee95d1c899186c Scott Mayhew 2019-09-09 825
6ee95d1c899186c Scott Mayhew 2019-09-09 826 cnm = &cmsg->cm_u.cm_name;
6ee95d1c899186c Scott Mayhew 2019-09-09 827 if (get_user(namelen, &cnm->cn_len))
74725959c33c141 Scott Mayhew 2019-03-26 828 return -EFAULT;
6ee95d1c899186c Scott Mayhew 2019-09-09 829 name.data = memdup_user(&cnm->cn_id, namelen);
74725959c33c141 Scott Mayhew 2019-03-26 830 if (IS_ERR_OR_NULL(name.data))
74725959c33c141 Scott Mayhew 2019-03-26 831 return -EFAULT;
74725959c33c141 Scott Mayhew 2019-03-26 832 name.len = namelen;
6ee95d1c899186c Scott Mayhew 2019-09-09 833 }
8a9f4f41248a4dc Scott Mayhew 2019-03-26 834 if (name.len > 5 && memcmp(name.data, "hash:", 5) == 0) {
8a9f4f41248a4dc Scott Mayhew 2019-03-26 835 name.len = name.len - 5;
8a9f4f41248a4dc Scott Mayhew 2019-03-26 836 memmove(name.data, name.data + 5, name.len);
8a9f4f41248a4dc Scott Mayhew 2019-03-26 837 cn->cn_has_legacy = true;
8a9f4f41248a4dc Scott Mayhew 2019-03-26 838 }
6ee95d1c899186c Scott Mayhew 2019-09-09 839 if (!nfs4_client_to_reclaim(name, princhash, nn)) {
74725959c33c141 Scott Mayhew 2019-03-26 840 kfree(name.data);
6ee95d1c899186c Scott Mayhew 2019-09-09 841 kfree(princhash.data);
74725959c33c141 Scott Mayhew 2019-03-26 842 return -EFAULT;
74725959c33c141 Scott Mayhew 2019-03-26 843 }
11a60d159259dba Scott Mayhew 2019-09-09 844 return nn->client_tracking_ops->msglen;
74725959c33c141 Scott Mayhew 2019-03-26 845 }
74725959c33c141 Scott Mayhew 2019-03-26 846 return -EFAULT;
74725959c33c141 Scott Mayhew 2019-03-26 847 }
--
0-DAY CI Kernel Test Service
https://01.org/lkp