Received: by 2002:a25:683:0:0:0:0:0 with SMTP id 125csp823583ybg;
        Wed, 3 Jun 2020 14:52:30 -0700 (PDT)
X-Google-Smtp-Source: ABdhPJy9J9TQ6gq1QgfkKnpqBHuq5sj2vMJUL1y0Ur7Tv9q6xTEIL0OP7HIM3V2kOIpGrPfAmsfR
X-Received: by 2002:a17:906:70c2:: with SMTP id g2mr1192297ejk.207.1591221150055;
        Wed, 03 Jun 2020 14:52:30 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1591221150; cv=none;
        d=google.com; s=arc-20160816;
        b=tCe7KTMMPQiJ+O+GOuhqaSxyTFjjcd+tNCLuGQxzA+kYOiJ/yszJjVefR2b8M01Fi5
         zFIfxNlfSgxruA3jeGxtNpwLkVWRKHBI7ob0MkffDy4Vq2FTLq77LpGSQlolOsBrRcor
         ay6Z8rHLY31fj+eI5zUNmYmZfxwyc1aBJ1a4ojZFcHLtftf25PucvozNA9enIR+cIGhb
         4J9M7c+Eo9Sl44MYJG/Z3fZCTbrutGwq/EhgArDC4cH+8hGQujzL35UQ7DnrIT3Tnlke
         LVfCgyU8Bhq1Dcbb1VyP/KQ173u0zJ1E7rcTToCyNjZzcqbg8/djOULn0NwLJ5qTA8DE
         CCfw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:in-reply-to:content-disposition
         :mime-version:references:message-id:subject:cc:to:from:date
         :dkim-signature;
        bh=j8irI2YP3QxKXjo5qFTtbAZdDKv971AUeB+9+HvcfEc=;
        b=srHQJ5U7WSLitAZ+W7Y17Bx784hoomP7Ty3RsgmqkMteYF4cqVL0NY1AqD+ZUD0Fui
         1Ev7bOdVfPSk77RJ7n+alqsswgHVwprXCv8eUjeyTd8/5hGa+XoyjJDmwe9NjNfT+aVL
         FCGp3L5hpD/pGk5NSN3h0vrIfxnSjJCK9ZIBD5+lhq/UGVEZRnFbmn6brqUTRie2iG3o
         J/eUn6GChndd74NsHhvsvJNQBJRvyodErxu4n/Gamvk6jCxjVpJj7VglUlvR7hM7ZArn
         uym+KSV/g0/37W3tQg4Yb1MBQ9aVLXj06Px3ZYYgZYOiH8CMM24aFeChavyFtFu0aVMq
         Mc8A==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@redhat.com header.s=mimecast20190719 header.b=T4ujYaIx;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=redhat.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18])
        by mx.google.com with ESMTP id i11si517951ejr.28.2020.06.03.14.52.07;
        Wed, 03 Jun 2020 14:52:30 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@redhat.com header.s=mimecast20190719 header.b=T4ujYaIx;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=redhat.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1726450AbgFCVql (ORCPT <rfc822;xqjcool@gmail.com> + 99 others);
        Wed, 3 Jun 2020 17:46:41 -0400
Received: from us-smtp-1.mimecast.com ([207.211.31.81]:25272 "EHLO
        us-smtp-delivery-1.mimecast.com" rhost-flags-OK-OK-OK-FAIL)
        by vger.kernel.org with ESMTP id S1725922AbgFCVql (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Wed, 3 Jun 2020 17:46:41 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com;
        s=mimecast20190719; t=1591220800;
        h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
         to:to:cc:cc:mime-version:mime-version:content-type:content-type:
         in-reply-to:in-reply-to:references:references;
        bh=j8irI2YP3QxKXjo5qFTtbAZdDKv971AUeB+9+HvcfEc=;
        b=T4ujYaIxCBrIxRdQ20oKPF7vLdf4QlN3wnULA8D5DrnTq+/HzRt0x3ef5w6J9/q43AEkJT
        UlZCAlI/IRu8/u1paGHWDmqTohSEifkTKC17tZkNGWyd18KqRFcW6nFHj2u3+ZHy7z0WEl
        61DO10pVTI0zddEyDMeKmeyINScvxfM=
Received: from mimecast-mx01.redhat.com (mimecast-mx01.redhat.com
 [209.132.183.4]) (Using TLS) by relay.mimecast.com with ESMTP id
 us-mta-177-QvVLwQMmN6OODyKajwOZpA-1; Wed, 03 Jun 2020 17:46:36 -0400
X-MC-Unique: QvVLwQMmN6OODyKajwOZpA-1
Received: from smtp.corp.redhat.com (int-mx02.intmail.prod.int.phx2.redhat.com [10.5.11.12])
        (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
        (No client certificate requested)
        by mimecast-mx01.redhat.com (Postfix) with ESMTPS id A84A91B18BC3;
        Wed,  3 Jun 2020 21:46:34 +0000 (UTC)
Received: from horse.redhat.com (ovpn-118-25.rdu2.redhat.com [10.10.118.25])
        by smtp.corp.redhat.com (Postfix) with ESMTP id 5327B60BE1;
        Wed,  3 Jun 2020 21:46:34 +0000 (UTC)
Received: by horse.redhat.com (Postfix, from userid 10451)
        id D1478220C5A; Wed,  3 Jun 2020 17:46:33 -0400 (EDT)
Date:   Wed, 3 Jun 2020 17:46:33 -0400
From:   Vivek Goyal <vgoyal@redhat.com>
To:     glider@google.com
Cc:     miklos@szeredi.hu, linux-unionfs@vger.kernel.org,
        linux-kernel@vger.kernel.org, keescook@chromium.org,
        royyang@google.com, stable@vger.kernel.org
Subject: Re: [PATCH] ovl: explicitly initialize error in ovl_copy_xattr()
Message-ID: <20200603214633.GF48122@redhat.com>
References: <20200603174714.192027-1-glider@google.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20200603174714.192027-1-glider@google.com>
X-Scanned-By: MIMEDefang 2.79 on 10.5.11.12
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Wed, Jun 03, 2020 at 07:47:14PM +0200, glider@google.com wrote:
> Under certain circumstances (we found this out running Docker on a
> Clang-built kernel with CONFIG_INIT_STACK_ALL) ovl_copy_xattr() may
> return uninitialized value of |error| from ovl_copy_xattr().

If we are returning uninitialized value of error, doesn't that mean
that somewhere in the function we are returning without setting error.
And that probably means that's a bug and we should fix it?

I am wondering if this is triggered by loop finishing because all
the xattr on the file are ovl_is_private_xattr(). In that case, we
will come out of the loop without setting error. This is in fact
success and we should return 0 instead of some random error?

Thanks
Vivek


> It is then returned by ovl_create() to lookup_open(), which casts it to
> an invalid dentry pointer, that can be further read or written by the
> lookup_open() callers.
> 
> Signed-off-by: Alexander Potapenko <glider@google.com>
> Cc: Kees Cook <keescook@chromium.org>
> Cc: Roy Yang <royyang@google.com>
> Cc: <stable@vger.kernel.org> # 4.1
> 
> ---
> 
> It's unclear to me whether error should be initially 0 or some error
> code (both seem to work), but I thought returning an error makes sense,
> as the situation wasn't anticipated by the code authors.
> 
> The bug seem to date back to at least v4.1 where the annotation has been
> introduced (i.e. the compilers started noticing error could be used
> before being initialized). I hovever didn't try to prove that the
> problem is actually reproducible on such ancient kernels. We've seen it
> on a real machine running v4.4 as well.
> ---
>  fs/overlayfs/copy_up.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/fs/overlayfs/copy_up.c b/fs/overlayfs/copy_up.c
> index 9709cf22cab3..428d43e2d016 100644
> --- a/fs/overlayfs/copy_up.c
> +++ b/fs/overlayfs/copy_up.c
> @@ -47,7 +47,7 @@ int ovl_copy_xattr(struct dentry *old, struct dentry *new)
>  {
>  	ssize_t list_size, size, value_size = 0;
>  	char *buf, *name, *value = NULL;
> -	int uninitialized_var(error);
> +	int error = -EINVAL;
>  	size_t slen;
>  
>  	if (!(old->d_inode->i_opflags & IOP_XATTR) ||
> -- 
> 2.27.0.rc2.251.g90737beb825-goog
>