Received: by 2002:a25:683:0:0:0:0:0 with SMTP id 125csp1154665ybg; Thu, 4 Jun 2020 02:25:04 -0700 (PDT) X-Google-Smtp-Source: ABdhPJz1SLXcfJIiaLmcIU7HKGtIIT0kotwQ+8sWiW/h17fnFjyoIZGcG8OXLV+eweEfU8zRraTG X-Received: by 2002:a05:6402:14c3:: with SMTP id f3mr3521586edx.341.1591262704254; Thu, 04 Jun 2020 02:25:04 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1591262704; cv=none; d=google.com; s=arc-20160816; b=Z3IspQAkDegf3pZ+HorvU67XbyYOXZTyFOwl52ezrUSyhqBQUYg39MKwN3xqJqJvGt 370M/2R70pSajMG3t/CMwSZGOrI5/rqTEJ5nGPS193J1Caa3ObJ2a8+J94M35AjJSJHa 1lWDZN2RQkwdUmBnPjkWZDnzXQjV/m+T39aJMF6HeMB7Rw9eXmuHmvbIhEzKrjikhMNl b7AqK2VEm5y+UN4BMmCjtOxQmefX4gEbRWsYWZ8If+vLco63SadMumtmtpCHWLbWyP3E zaZVUnh0wLafxRye3uAEB5GiYxTn8SAxRYiFY8rawJDh+XiHWHGckO3X0QJ1NIQf60Ug fR3Q== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:dkim-signature; bh=izvjeZntfmRt5pu1JX50kgxBnowsGSvfpbiC2Aiju08=; b=zu6fmdKsTDLNMuRS3ZqOT7IinftiumfTcge1ne1fHecKUmF3kQOl6g+tv/CDV9cUHa /uwNHVJ8YOel6EltkRXrXWaeu6yeN0lHXQuYNTfw+wO/1eTIOl8Kk5RLgZubihSNVzA3 nNcTu3iWt2/t5IWHfOT7frkIEXcZLkphUqjLJYD3M6bblOFiqbkFT4ms8rJbch0U+ysS Cr+chQ1cKqd6oxFGJxyByt9rHf/fkxw6+nh5DnK0pufxr9HiIcV6PbMBv2/rjhEb2VaL NES8ITr+QQVRY0MO70QUX5nKPOIwiYtTlXgKuFyjt97CfycHCF38fwpw8csuQBKOryXl KWpA== ARC-Authentication-Results: i=1; mx.google.com; dkim=temperror (no key for signature) header.i=@szeredi.hu header.s=google header.b=dZ+Mq7id; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id j93si1222423edb.327.2020.06.04.02.24.40; Thu, 04 Jun 2020 02:25:04 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=temperror (no key for signature) header.i=@szeredi.hu header.s=google header.b=dZ+Mq7id; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728424AbgFDI5h (ORCPT + 99 others); Thu, 4 Jun 2020 04:57:37 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:58444 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1728127AbgFDI5g (ORCPT ); Thu, 4 Jun 2020 04:57:36 -0400 Received: from mail-ed1-x543.google.com (mail-ed1-x543.google.com [IPv6:2a00:1450:4864:20::543]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 7B9D7C03E96E for ; Thu, 4 Jun 2020 01:57:36 -0700 (PDT) Received: by mail-ed1-x543.google.com with SMTP id p18so4038194eds.7 for ; Thu, 04 Jun 2020 01:57:36 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=szeredi.hu; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=izvjeZntfmRt5pu1JX50kgxBnowsGSvfpbiC2Aiju08=; b=dZ+Mq7idopXp+hDzE7zFqBFyLUZ7EP9eaafDXK/AYtHuglQGqKnKfZcqf3skLKeuWi bt6Os/FC8ApoAMPYzZDQzJlNagYdue5brTxhUzcd8Co1CnwYoQm+m4WABrgSpcPnWIy8 rHUdAg/mRcyHTGimvmyNjETWivcSuEfruD6iM= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=izvjeZntfmRt5pu1JX50kgxBnowsGSvfpbiC2Aiju08=; b=jDVe9ppapYD1Vlj64N7JVwLA+yOqPM6xzTQBQWynPzJDzC8ltUJ3S4VbXqu4LLOinC ybp0Kjr4QjazcF0JIc7/75rcAZn3caCnPCgx3Pbydv50ioxO/EVvBA5glAAZbR5M026b jMfKmzhcasNFXl4IPhFsRx/29uSUOnFXjGjMnvXEE2dR3MsjZ5dCattQGQ9vVwYgTBcy WJ1hrc4Go/0HltXB4qm3C8etZVfxpoULT7U0oFK+N0HPpcAbt0UFlgHzymW599wXB0nO mUtqTLvwcRqN6FZRDufU+yqDMvOFjOAIprzfh09f/1uM+W6GL1m6q55eloT5HT+UHNxm Rsog== X-Gm-Message-State: AOAM533JWiVIYtMcCyqtF+f0hyZAdXmAl5v71dqFNmLuE2mlF+d8aWpQ wHC1G/o+QJs46nibeZ60nxHarRtQGwT5pMagbp9MQAqluhkLLw== X-Received: by 2002:a05:6402:17f9:: with SMTP id t25mr3364060edy.134.1591261055268; Thu, 04 Jun 2020 01:57:35 -0700 (PDT) MIME-Version: 1.0 References: <20200604084245.161480-1-glider@google.com> In-Reply-To: <20200604084245.161480-1-glider@google.com> From: Miklos Szeredi Date: Thu, 4 Jun 2020 10:57:24 +0200 Message-ID: Subject: Re: [PATCH] ovl: explicitly initialize error in ovl_copy_xattr() To: Alexander Potapenko Cc: Vivek Goyal , overlayfs , linux-kernel@vger.kernel.org, Kees Cook , royyang@google.com, stable Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Thu, Jun 4, 2020 at 10:43 AM wrote: > > Under certain circumstances (we found this out running Docker on a > Clang-built kernel with CONFIG_INIT_STACK_ALL) ovl_copy_xattr() may > return uninitialized value of |error| from ovl_copy_xattr(). > It is then returned by ovl_create() to lookup_open(), which casts it to > an invalid dentry pointer, that can be further read or written by the > lookup_open() callers. > > The uninitialized value is returned when all the xattr on the file > are ovl_is_private_xattr(), which is actually a successful case, > therefore we initialize |error| with 0. > > Signed-off-by: Alexander Potapenko > Cc: Kees Cook > Cc: Roy Yang > Cc: # 4.1 > > --- > > The bug seem to date back to at least v4.1 where the annotation has been > introduced (i.e. the compilers started noticing error could be used > before being initialized). I hovever didn't try to prove that the > problem is actually reproducible on such ancient kernels. We've seen it > on a real machine running v4.4 as well. > > v2: > -- Per Vivek Goyal's suggestion, changed |error| to be 0 Thanks, applied patch posted here (with your signed-off as well, since the patch is the same...): https://lore.kernel.org/linux-unionfs/874ks212uj.fsf@m5Zedd9JOGzJrf0/ Miklos