Received: by 2002:a25:683:0:0:0:0:0 with SMTP id 125csp1996631ybg;
        Fri, 5 Jun 2020 02:57:21 -0700 (PDT)
X-Google-Smtp-Source: ABdhPJyyrYI8bTVSydMs5e6I0ykO98YXoWvft8wT8GPdPWlWCqgFe3XL3Lgx99c8MPm+doPIomZo
X-Received: by 2002:a17:907:33ce:: with SMTP id zk14mr7814259ejb.2.1591351040887;
        Fri, 05 Jun 2020 02:57:20 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1591351040; cv=none;
        d=google.com; s=arc-20160816;
        b=GV0sO+ypsWMZ42WPOc2DhnR19mYG/paFbv/A1qVagC+aHBdh6gn3ZrlgNTLbMATYaW
         TjH6b4IvEZrJH9dOPrzxqkG0NA1THP+bPW6Gaxwc9mDD5BUWyTCDvvFGj1Jb8bx0tA5M
         cdjGjngCjzac0/qSV3+O2K6fnvDysNqYh2e9apbjAqbInGhU2KhyV1UE+hYEDatd1Fnb
         stV1bAG3cKQR+h73AgM1UwimRPSYw0o/PD3sB8HPHIMJMi2NtT2PrLvVlyBc+6KgYUpH
         d1TyagjVh9CdAg0VBtlF7ad9r7wSfz7gpcY7Vsdt5kGMRuMThyW9I+ia0v4L8pgf9Rl5
         xy5A==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:cc:to:subject:message-id:date:from
         :in-reply-to:references:mime-version:dkim-signature;
        bh=kQ16o+qUwgYcoh0hZifP35qFFRDEvSaPDsLpEh1ikCk=;
        b=GCJkpxo22+AMDWUbTIbQk9GIgh/NLZvcHYYXCkLGDD2PhdFdWMnJyNqAxcElSsHKsa
         u05HWo6Q+IDSrFGcPwHk7fGR06CR+FqYIHamjHqGW8aDAW7KZ0lwqCcZBvlkTPGjyfyx
         bcTC1a9HhrN5bwdBFaIxXBXvKHnODLgm7gqUGeghS97dEOZJPOzWXgs/FF2PitllcoN4
         +rTSj7T4A8Kur0E59HI2d66OMFEY3wAKsr1I5OS3wMvnK3WhM8ggaxUS4dkpOVCMhnlp
         TolQd2JZkwOR3jeoNnQJ0R0n7CdUcHjdIGSwNK7N86pGxa0wb7nkP7MDIhYvCt3owtgz
         sRMw==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=temperror (no key for signature) header.i=@szeredi.hu header.s=google header.b=rCaoirU7;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18])
        by mx.google.com with ESMTP id y21si3289693edt.501.2020.06.05.02.56.58;
        Fri, 05 Jun 2020 02:57:20 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18;
Authentication-Results: mx.google.com;
       dkim=temperror (no key for signature) header.i=@szeredi.hu header.s=google header.b=rCaoirU7;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1726413AbgFEJym (ORCPT <rfc822;zffurovfq63@gmail.com>
        + 99 others); Fri, 5 Jun 2020 05:54:42 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:35486 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1726270AbgFEJym (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Fri, 5 Jun 2020 05:54:42 -0400
Received: from mail-ed1-x542.google.com (mail-ed1-x542.google.com [IPv6:2a00:1450:4864:20::542])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 96206C08C5C4
        for <linux-kernel@vger.kernel.org>; Fri,  5 Jun 2020 02:54:40 -0700 (PDT)
Received: by mail-ed1-x542.google.com with SMTP id k8so6974832edq.4
        for <linux-kernel@vger.kernel.org>; Fri, 05 Jun 2020 02:54:40 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=szeredi.hu; s=google;
        h=mime-version:references:in-reply-to:from:date:message-id:subject:to
         :cc;
        bh=kQ16o+qUwgYcoh0hZifP35qFFRDEvSaPDsLpEh1ikCk=;
        b=rCaoirU7A0HN6aBgr2LdE3yr5g17a+UroWILMuXJVVtYCBdmWed1GS8GwUni1Mn4bs
         WiCixcK2FEbDfiqcT5aI8OwT4CDrGCx8TZ3kDHlnVgJ+ErAZ6buF8PeNt5p6EhEJTg76
         RwBhpNX0IUheJeDrz936ea+31jUlqJ1kNQaSM=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:mime-version:references:in-reply-to:from:date
         :message-id:subject:to:cc;
        bh=kQ16o+qUwgYcoh0hZifP35qFFRDEvSaPDsLpEh1ikCk=;
        b=hnOOxxa5bU8736TXEzBjUaRJuuYd5AKXy9J8h2q7yTdxozxP3jzA9hngKYqkNhsL4g
         dMLNsyMwK5xu3zuevvnhjUOXNdYZoBEFPWVwihNcU+vRlHT9PvQ0kTLWTGhmWmOk1qiu
         KMDBU3+p39TgISCRnb4AhQPcETe+uBBF1788S658qSEbha4w3NCHtWKChxFBcsHj7OJi
         PWyctviMu2oTrvo4GKjWkXWPoZEfLXL1JMQEbpvXs81nVJ5E/qmKlTjZh/mUL01WPihe
         7B45Gr6/cmR7nf22TVPMKQy1T61NLD6wElVOT/Psh9THk9wOzgUZ4TPnCp0NHvPSn7OA
         kG+A==
X-Gm-Message-State: AOAM530B1NrNGYs6QA+kUHvAg67loAvLwJbGAxa4gX+MwyQuN4wB8kGB
        xiYFTRQ445zSBmhi61YmDC7gGeRYiT+ZxXPIkn3ngg==
X-Received: by 2002:aa7:d785:: with SMTP id s5mr8857980edq.17.1591350879015;
 Fri, 05 Jun 2020 02:54:39 -0700 (PDT)
MIME-Version: 1.0
References: <20200604084245.161480-1-glider@google.com> <202006040844.C50B47699@keescook>
In-Reply-To: <202006040844.C50B47699@keescook>
From:   Miklos Szeredi <miklos@szeredi.hu>
Date:   Fri, 5 Jun 2020 11:54:27 +0200
Message-ID: <CAJfpegsNL17k+Yv1-4bmogqjzq-rO9H1xT-+DM2m7qq7oH25MQ@mail.gmail.com>
Subject: Re: [PATCH] ovl: explicitly initialize error in ovl_copy_xattr()
To:     Kees Cook <keescook@chromium.org>
Cc:     Alexander Potapenko <glider@google.com>,
        Vivek Goyal <vgoyal@redhat.com>,
        overlayfs <linux-unionfs@vger.kernel.org>,
        linux-kernel@vger.kernel.org, royyang@google.com,
        stable <stable@vger.kernel.org>
Content-Type: text/plain; charset="UTF-8"
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Thu, Jun 4, 2020 at 5:57 PM Kees Cook <keescook@chromium.org> wrote:
>
> On Thu, Jun 04, 2020 at 10:42:45AM +0200, glider@google.com wrote:
> > Under certain circumstances (we found this out running Docker on a
> > Clang-built kernel with CONFIG_INIT_STACK_ALL) ovl_copy_xattr() may
> > return uninitialized value of |error| from ovl_copy_xattr().
> > It is then returned by ovl_create() to lookup_open(), which casts it to
> > an invalid dentry pointer, that can be further read or written by the
> > lookup_open() callers.
> >
> > The uninitialized value is returned when all the xattr on the file
> > are ovl_is_private_xattr(), which is actually a successful case,
> > therefore we initialize |error| with 0.
> >
> > Signed-off-by: Alexander Potapenko <glider@google.com>
> > Cc: Kees Cook <keescook@chromium.org>
> > Cc: Roy Yang <royyang@google.com>
> > Cc: <stable@vger.kernel.org> # 4.1
>
> Please include a Fixes (more below) and Link tags for details to help
> guide backporting, then you don't need to bother with with "# 4.1",
> the -stable tools will figure it out with a "Fixes" tag.
>
> Thanks for the v2!
>
> Link: https://bugs.chromium.org/p/chromium/issues/detail?id=1050405
> Reviewed-by: Kees Cook <keescook@chromium.org>
>
> > The bug seem to date back to at least v4.1 where the annotation has been
> > introduced (i.e. the compilers started noticing error could be used
> > before being initialized). I hovever didn't try to prove that the
> > problem is actually reproducible on such ancient kernels. We've seen it
> > on a real machine running v4.4 as well.
>
> It seems like it came from this, but that's v4.5:
>
> Fixes: e4ad29fa0d22 ("ovl: use a minimal buffer in ovl_copy_xattr")


I believe it's actually:

Fixes: 0956254a2d5b ("ovl: don't copy up opaqueness")

That patch added the ovl_is_private_xattr() check in ovl_copy_xattr(),
without which 'error' was always initilalized.

Thanks,
Miklos