Received: by 2002:a25:683:0:0:0:0:0 with SMTP id 125csp684335ybg;
        Wed, 3 Jun 2020 10:49:44 -0700 (PDT)
X-Google-Smtp-Source: ABdhPJz0OsBmQAT0veWanC50/1cr3FQZ2bzFuZlIQRrZg6XFm0MSuHaWmKO1sRTc7QxxWXfbvVtk
X-Received: by 2002:aa7:c38f:: with SMTP id k15mr589736edq.342.1591206583940;
        Wed, 03 Jun 2020 10:49:43 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1591206583; cv=none;
        d=google.com; s=arc-20160816;
        b=p4/yQMp0vblz9/JuI6kZW65ilrjDW/AeO1QhIojo37c5J/0Pj4Jo1VpReg16/6I32H
         ZfMcGbmvxCL+q4aFvdhM7ntglGt5QLRPxCG8CtREC+eNLtL7DvMDbIN23KHCgxrjSfhL
         MOXoB5c/rGkOgmKrny/w5bdUPdKst2VSg4ZU5tg5gRAUf3O40yQKh6N4pEvpBAXzUfxB
         WOYlb0UPEkVoU1Tf5SYhw9foZe05sJ8yyLQE4lNvG6IIyDNrwtntSldTJsPLF28DmgFJ
         leRUt2NAVPqUw1R9HbXajF8j85CdHrAtXxnGud4RecAb7fwXUKNo3U1tT0vWhBUv0R2z
         3DDA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:cc:to:from:subject:mime-version
         :message-id:date:dkim-signature;
        bh=fLjSsW/NTgyWecVWnnneUC+9Bt4TjOTIssgnySdQoyA=;
        b=wyY2kdLAsjI8026s+pfsdZOkEauLMmCIS7Al4vOHw+Ra4z1UTLp1r/lw+ZHnBtdEBn
         rqHkfrIMEV9dSnhZsNNr4NUUvri5znZtdKqvrVitkn+eWNG+MU+7zdsOu59+4QB+lVd/
         /HCSHVzMV93xZGiHX4BEUWkAHa+YZfR9qiVFmNmgkWL5Epg6L/Y3GPIkR3pxJ1ICPw2v
         bFZ263ucwfKVJ7/ulhd8FZd0ebY2LwyG4uWtrnOKOvNtNWCV2uikLylTl3KaU+E9eOSH
         OZuWARqD2VsLB+EPfGXEVGA5rb9jkGuuGc70T1g+R0ZHG5l489Z7Oc0mBsW6FTYjXtux
         +RxA==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@google.com header.s=20161025 header.b=jOQkwCJS;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18])
        by mx.google.com with ESMTP id 30si147456edr.262.2020.06.03.10.49.20;
        Wed, 03 Jun 2020 10:49:43 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@google.com header.s=20161025 header.b=jOQkwCJS;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1726321AbgFCRrU (ORCPT <rfc822;xqjcool@gmail.com> + 99 others);
        Wed, 3 Jun 2020 13:47:20 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:58940 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1726071AbgFCRrU (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Wed, 3 Jun 2020 13:47:20 -0400
Received: from mail-qk1-x74a.google.com (mail-qk1-x74a.google.com [IPv6:2607:f8b0:4864:20::74a])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id E5837C08C5C2
        for <linux-kernel@vger.kernel.org>; Wed,  3 Jun 2020 10:47:19 -0700 (PDT)
Received: by mail-qk1-x74a.google.com with SMTP id m29so2257064qkm.17
        for <linux-kernel@vger.kernel.org>; Wed, 03 Jun 2020 10:47:19 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=google.com; s=20161025;
        h=date:message-id:mime-version:subject:from:to:cc;
        bh=fLjSsW/NTgyWecVWnnneUC+9Bt4TjOTIssgnySdQoyA=;
        b=jOQkwCJS99WcGmfd51kk60wxPiOKILfRB8GusbTg7LPsTQIDAsWczAhDblVosu5+ml
         BjGBUcc6n42Xpx9Lf/bPp7JK+HLXnXqC0UhtijIJwUGnsm6X0vdAfS+6e5MZXS5aL95G
         ttRSyfpzUVK7JqHpjbfUEM8wAnZx5tHIMMfwuwAps1p+b4rYU/Ww6oYxjv/A24uwRJqx
         jM3XJ3bU/MW1Jeijd6r22MH6RUEyN7c7GdyoaE1yZnm6B4xmVKaWlMUdjdZ7LWvFd7kO
         SEQccx0DItI3fmXi7zdty6heTWV5avdhJg7yDPQi8eD1neYsoU00QTiO24rsPDkbsnmf
         /n9A==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:date:message-id:mime-version:subject:from:to:cc;
        bh=fLjSsW/NTgyWecVWnnneUC+9Bt4TjOTIssgnySdQoyA=;
        b=sunI046keZ6je5gFy3ZebyOo8KDy9zGFFWeAPMKRxUpfHuyMZoPwFYaSr68J+ncsxB
         zbpQP+2un+/r+VvFxmbTo/5Xef/iDMvS7/Sd4QB2Bd+PyL+7Qgz7Pk9Q/LkrzNsL1mud
         Z+tvMQm8VGycS2d4HXVXnx2Fi7UUvlve1VKRBmDpNHmsPk8j7GPTmabgkDGZOOryKy/X
         UF7Ura40YfRFRQRaTISJMFbhGe9Qw2r5nfQzC3bAXORkpQn38KNZCvHE2LyNSE9PEsHg
         PwEG7B4+ZpQgGaFW/pujJc1ZAr5GNy+PX6N5VRYagHfjvLlGXnyQ0wH9Ql0Lu4zB+vx6
         XhXw==
X-Gm-Message-State: AOAM533mA99Vr6TjF7LgSK+vigpA5YEISN+SKJjo5Uz7+8hqObGGYjyP
        v7KHmsjYwPCRCBeC9zGOI8wR4OtNQng=
X-Received: by 2002:ad4:4e86:: with SMTP id dy6mr1006686qvb.106.1591206438886;
 Wed, 03 Jun 2020 10:47:18 -0700 (PDT)
Date:   Wed,  3 Jun 2020 19:47:14 +0200
Message-Id: <20200603174714.192027-1-glider@google.com>
Mime-Version: 1.0
X-Mailer: git-send-email 2.27.0.rc2.251.g90737beb825-goog
Subject: [PATCH] ovl: explicitly initialize error in ovl_copy_xattr()
From:   glider@google.com
To:     miklos@szeredi.hu
Cc:     linux-unionfs@vger.kernel.org, linux-kernel@vger.kernel.org,
        keescook@chromium.org, royyang@google.com, stable@vger.kernel.org,
        Alexander Potapenko <glider@google.com>
Content-Type: text/plain; charset="UTF-8"
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

Under certain circumstances (we found this out running Docker on a
Clang-built kernel with CONFIG_INIT_STACK_ALL) ovl_copy_xattr() may
return uninitialized value of |error| from ovl_copy_xattr().
It is then returned by ovl_create() to lookup_open(), which casts it to
an invalid dentry pointer, that can be further read or written by the
lookup_open() callers.

Signed-off-by: Alexander Potapenko <glider@google.com>
Cc: Kees Cook <keescook@chromium.org>
Cc: Roy Yang <royyang@google.com>
Cc: <stable@vger.kernel.org> # 4.1

---

It's unclear to me whether error should be initially 0 or some error
code (both seem to work), but I thought returning an error makes sense,
as the situation wasn't anticipated by the code authors.

The bug seem to date back to at least v4.1 where the annotation has been
introduced (i.e. the compilers started noticing error could be used
before being initialized). I hovever didn't try to prove that the
problem is actually reproducible on such ancient kernels. We've seen it
on a real machine running v4.4 as well.
---
 fs/overlayfs/copy_up.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/fs/overlayfs/copy_up.c b/fs/overlayfs/copy_up.c
index 9709cf22cab3..428d43e2d016 100644
--- a/fs/overlayfs/copy_up.c
+++ b/fs/overlayfs/copy_up.c
@@ -47,7 +47,7 @@ int ovl_copy_xattr(struct dentry *old, struct dentry *new)
 {
 	ssize_t list_size, size, value_size = 0;
 	char *buf, *name, *value = NULL;
-	int uninitialized_var(error);
+	int error = -EINVAL;
 	size_t slen;
 
 	if (!(old->d_inode->i_opflags & IOP_XATTR) ||
-- 
2.27.0.rc2.251.g90737beb825-goog