Received: by 2002:a05:6902:102b:0:0:0:0 with SMTP id x11csp999789ybt;
        Fri, 19 Jun 2020 21:08:08 -0700 (PDT)
X-Google-Smtp-Source: ABdhPJxmZLYAVEqWp0+91tgIwYNlWbvjXDnQN6fzITg6USvGsC6pLxDWR5GOChT66aonhhvzTa1q
X-Received: by 2002:a50:cd56:: with SMTP id d22mr6278548edj.374.1592626088076;
        Fri, 19 Jun 2020 21:08:08 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1592626088; cv=none;
        d=google.com; s=arc-20160816;
        b=l1Z9l5saffEF8kssNys3D2H2/1hkfvPx38GfUxZn2ZRuONFwHCSvjrBqoBndTx+pvT
         VVD07vCgeOXQPzacAPxOCbJDsi/cncAy1dMQzwSf7R3UNd4hbOGb917PUBJ6eGz8n24s
         8MELZ8ksKIJtAQwd64M/JK2Ndc9jI8Tp7s6iugFiqqnv81TllO2eT7yq3TIt4Wto/uNf
         TKeC+le1Q5DsS0e2VOVKWulz4ImKL1I/oPsRoxTujE4BmxFTIx99bMjzpTnKK3Zezau2
         dZTq5M4QxqVx0w2/7fj8zVTpQOF4FuWrhQtjPNt4ImB2RwCtgchhRliPmEXCC7aMYSQJ
         Aa7g==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:content-transfer-encoding:mime-version
         :user-agent:references:in-reply-to:message-id:date:subject:cc:to
         :from:dkim-signature;
        bh=LrovfoObN4w9uuZ2lXn2KzXv7HV+icKw6pYKVrf6HWA=;
        b=nR621j37hUK1VSaNjKp82hL7PqYhjtop4W9KthcOF0wKqVSMMLOFgdTac/HN+LK3yQ
         uAkD89XtrjhmfetIdPetuMoMc6oJPbriIG4ZwXp3oums3qtf5ZE3hS3aQtaF4rk4kqCL
         y6TvGFmUYcUQWOPXLqwHCzFz0GFQ+xo3H8XcbcupsEdx44GfZZz1z33Z7/ajQoYDveZy
         B/hKeD4Nex0Baaxzg8ZcgBXza1c23liMS3J49YA4uky1SHs7pUBNM+/QCQ1b2MvJaz2+
         MSghBxjKF7F/Go+ifLNnIwuE+VdtjeZA60dbWXDpcCnrh6KnYbCUHc0PhyFdcnhbzqZc
         yn6w==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@kernel.org header.s=default header.b=y0q+ePDe;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18])
        by mx.google.com with ESMTP id o20si4771021eju.673.2020.06.19.21.07.46;
        Fri, 19 Jun 2020 21:08:08 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@kernel.org header.s=default header.b=y0q+ePDe;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S2405736AbgFSQsC (ORCPT <rfc822;jaegeuk-test@gmail.com>
        + 99 others); Fri, 19 Jun 2020 12:48:02 -0400
Received: from mail.kernel.org ([198.145.29.99]:59070 "EHLO mail.kernel.org"
        rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
        id S2388182AbgFSOkx (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
        Fri, 19 Jun 2020 10:40:53 -0400
Received: from localhost (83-86-89-107.cable.dynamic.v4.ziggo.nl [83.86.89.107])
        (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
        (No client certificate requested)
        by mail.kernel.org (Postfix) with ESMTPSA id ED6082070A;
        Fri, 19 Jun 2020 14:40:52 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org;
        s=default; t=1592577653;
        bh=an4Pmc8XjI0h6GPlpDzwEw973xGTuUCS6+ncmNpufzk=;
        h=From:To:Cc:Subject:Date:In-Reply-To:References:From;
        b=y0q+ePDeZ7Vh7wAN5dfHjR4ieo+kTn6V3xKGzzxTED+ignRxOVkqx78R2kKWMYal8
         use+BkqX3FnegCdVUdPyzFajqXFFYjvHuMzYowfNvYLCPDI5zDdffF4TJaw6UAqjSV
         32h97YaBjWDn/lRCv07y9w0mmerBUxZLzF3C1yyU=
From:   Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To:     linux-kernel@vger.kernel.org
Cc:     Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
        stable@vger.kernel.org, Yuxuan Shui <yshuiv7@gmail.com>,
        Alexander Potapenko <glider@google.com>,
        Miklos Szeredi <mszeredi@redhat.com>
Subject: [PATCH 4.9 035/128] ovl: initialize error in ovl_copy_xattr
Date:   Fri, 19 Jun 2020 16:32:09 +0200
Message-Id: <20200619141622.053348936@linuxfoundation.org>
X-Mailer: git-send-email 2.27.0
In-Reply-To: <20200619141620.148019466@linuxfoundation.org>
References: <20200619141620.148019466@linuxfoundation.org>
User-Agent: quilt/0.66
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

From: Yuxuan Shui <yshuiv7@gmail.com>

commit 520da69d265a91c6536c63851cbb8a53946974f0 upstream.

In ovl_copy_xattr, if all the xattrs to be copied are overlayfs private
xattrs, the copy loop will terminate without assigning anything to the
error variable, thus returning an uninitialized value.

If ovl_copy_xattr is called from ovl_clear_empty, this uninitialized error
value is put into a pointer by ERR_PTR(), causing potential invalid memory
accesses down the line.

This commit initialize error with 0. This is the correct value because when
there's no xattr to copy, because all xattrs are private, ovl_copy_xattr
should succeed.

This bug is discovered with the help of INIT_STACK_ALL and clang.

Signed-off-by: Yuxuan Shui <yshuiv7@gmail.com>
Link: https://bugs.chromium.org/p/chromium/issues/detail?id=1050405
Fixes: 0956254a2d5b ("ovl: don't copy up opaqueness")
Cc: stable@vger.kernel.org # v4.8
Signed-off-by: Alexander Potapenko <glider@google.com>
Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/overlayfs/copy_up.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/fs/overlayfs/copy_up.c
+++ b/fs/overlayfs/copy_up.c
@@ -56,7 +56,7 @@ int ovl_copy_xattr(struct dentry *old, s
 {
 	ssize_t list_size, size, value_size = 0;
 	char *buf, *name, *value = NULL;
-	int uninitialized_var(error);
+	int error = 0;
 	size_t slen;
 
 	if (!(old->d_inode->i_opflags & IOP_XATTR) ||