Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1751882AbdIOT4l (ORCPT ); Fri, 15 Sep 2017 15:56:41 -0400 Received: from mout.kundenserver.de ([217.72.192.73]:60113 "EHLO mout.kundenserver.de" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751542AbdIOT4j (ORCPT ); Fri, 15 Sep 2017 15:56:39 -0400 From: Arnd Bergmann To: John Johansen , James Morris , "Serge E. Hallyn" Cc: Arnd Bergmann , Kees Cook , Stephen Rothwell , Seth Arnold , Michal Hocko , Vlastimil Babka , linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org Subject: [PATCH] apparmor: initialized returned struct aa_perms Date: Fri, 15 Sep 2017 21:55:46 +0200 Message-Id: <20170915195620.1561044-1-arnd@arndb.de> X-Mailer: git-send-email 2.9.0 X-Provags-ID: V03:K0:5qHlCdJxl8SmMIMPH0r3FmuwkhdwpCgk5i2TuTwScrHDlnI/UZD tReVx2+Q+tBGHWUxXlzNVn5IPUyr3zRY/SAnbBiVUPPn57Nj290LvW/vVYnLVuum9b9/Ahi 2ksMbkfEJP8SsBQPjCT/1LKy38txA99EE4ODp54zCa04csclEeUBmlo8zz3ZAx684viEQ8c VFeDvO0bXFCe3V2Wg46dw== X-UI-Out-Filterresults: notjunk:1;V01:K0:ci2A+so39vo=:p4sCcJQUbE/bPDH62K9p4L 1WaVb+FnO25qUQG1q+WmWVVfKGHwcYIjuwVPbiU88EBHiP6ltNZ8CTFYXCarydM7ViwLk4jE6 M5ul67EwUmI8InTDHoAJ7GGzfdzt6darQWX/tkhXk5ncpcUVsiyTuSWZnNd2oGyzcuSPCRq1X EUvjIEGxu94t/Vh5o1ZpORgHCR9QAYLk41YO68K80HXlVdEMshU5spAvaobVyx34t7dVdjiOs psCvmk+03mzie9xwUjJSQiYx5PHnkuQVen+68wpZ63549gU2JaPCRgewElrixJ3fcfNLD9FiR v/hCCJzOUiAc6PMpGkevMZHEwAi1pbVS2AIwqdHRm3PJ/shQkVq8MI5SqFoiH9jnY8iuAcPEU CteJOT5nzUHTOpg78/87BDUeU3hLdPlx3ZSTd2TpqAc0+Db4hcdEnyXrXQAmSS3RiydcuHyX2 VajANZS9ffoJTalLTkVuZd3eA0gIQIHGYKsBWlh/zxU7+5XkKkqTK7mMc1T3qdlH+93AmKYNZ xP7O7J3snhw+7gRAIiMnbO/2NrhJKtLFHkhgXjo8e+ooJvWGG7JU57l8npMHSS0RaFu0WkRny lnb4gXhJybMX/Kx/f5n7cEMX+6LGbBc7rRCTu8UnsK6v3wCZghc4aIC5g2oQuUkKHfn6JIQ5C 2O3n99pKghd7cEu6yMA5HDMq/VIG3NWcd5y9sAdVojpOBPSLT3eNdzumFM9vkBiL+D0Nf4djw X57pC8Jrvg8hAKloH1kXtllHIgWBdx1GeF6lVw== Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 4282 Lines: 108 gcc-4.4 points out suspicious code in compute_mnt_perms, where the aa_perms structure is only partially initialized before getting returned: security/apparmor/mount.c: In function 'compute_mnt_perms': security/apparmor/mount.c:227: error: 'perms.prompt' is used uninitialized in this function security/apparmor/mount.c:227: error: 'perms.hide' is used uninitialized in this function security/apparmor/mount.c:227: error: 'perms.cond' is used uninitialized in this function security/apparmor/mount.c:227: error: 'perms.complain' is used uninitialized in this function security/apparmor/mount.c:227: error: 'perms.stop' is used uninitialized in this function security/apparmor/mount.c:227: error: 'perms.deny' is used uninitialized in this function Returning or assigning partially initialized structures is a bit tricky, in particular it is explicitly allowed in c99 to assign a partially intialized structure to another, as long as only members are read that have been initialized earlier. Looking at what various compilers do here, the version that produced the warning copied unintialized stack data, while newer versions (and also clang) either set the other members to zero or don't update the parts of the return buffer that are not modified in the temporary structure, but they never warn about this. In case of apparmor, it seems better to be a little safer and always initialize the aa_perms structure. Most users already do that, this changes the remaining ones, including the one instance that I got the warning for. Fixes: fa488437d0f9 ("apparmor: add mount mediation") Signed-off-by: Arnd Bergmann --- security/apparmor/file.c | 8 +------- security/apparmor/lib.c | 13 +++++-------- security/apparmor/mount.c | 13 ++++++------- 3 files changed, 12 insertions(+), 22 deletions(-) diff --git a/security/apparmor/file.c b/security/apparmor/file.c index db80221891c6..86d57e56fabe 100644 --- a/security/apparmor/file.c +++ b/security/apparmor/file.c @@ -227,18 +227,12 @@ static u32 map_old_perms(u32 old) struct aa_perms aa_compute_fperms(struct aa_dfa *dfa, unsigned int state, struct path_cond *cond) { - struct aa_perms perms; - /* FIXME: change over to new dfa format * currently file perms are encoded in the dfa, new format * splits the permissions from the dfa. This mapping can be * done at profile load */ - perms.deny = 0; - perms.kill = perms.stop = 0; - perms.complain = perms.cond = 0; - perms.hide = 0; - perms.prompt = 0; + struct aa_perms perms = { }; if (uid_eq(current_fsuid(), cond->uid)) { perms.allow = map_old_perms(dfa_user_allow(dfa, state)); diff --git a/security/apparmor/lib.c b/security/apparmor/lib.c index 8818621b5d95..6cbc06da964c 100644 --- a/security/apparmor/lib.c +++ b/security/apparmor/lib.c @@ -318,14 +318,11 @@ static u32 map_other(u32 x) void aa_compute_perms(struct aa_dfa *dfa, unsigned int state, struct aa_perms *perms) { - perms->deny = 0; - perms->kill = perms->stop = 0; - perms->complain = perms->cond = 0; - perms->hide = 0; - perms->prompt = 0; - perms->allow = dfa_user_allow(dfa, state); - perms->audit = dfa_user_audit(dfa, state); - perms->quiet = dfa_user_quiet(dfa, state); + *perms = (struct aa_perms) { + .allow = dfa_user_allow(dfa, state), + .audit = dfa_user_audit(dfa, state), + .quiet = dfa_user_quiet(dfa, state), + }; /* for v5 perm mapping in the policydb, the other set is used * to extend the general perm set diff --git a/security/apparmor/mount.c b/security/apparmor/mount.c index 82a64b58041d..ed9b4d0f9f7e 100644 --- a/security/apparmor/mount.c +++ b/security/apparmor/mount.c @@ -216,13 +216,12 @@ static unsigned int match_mnt_flags(struct aa_dfa *dfa, unsigned int state, static struct aa_perms compute_mnt_perms(struct aa_dfa *dfa, unsigned int state) { - struct aa_perms perms; - - perms.kill = 0; - perms.allow = dfa_user_allow(dfa, state); - perms.audit = dfa_user_audit(dfa, state); - perms.quiet = dfa_user_quiet(dfa, state); - perms.xindex = dfa_user_xindex(dfa, state); + struct aa_perms perms = { + .allow = dfa_user_allow(dfa, state), + .audit = dfa_user_audit(dfa, state), + .quiet = dfa_user_quiet(dfa, state), + .xindex = dfa_user_xindex(dfa, state), + }; return perms; } -- 2.9.0