Date: Sat, 19 Sep 2020 17:55:58 +0100
From: Al Viro
To: Greg KH
Cc: Eric Biggers, linux-fsdevel@vger.kernel.org, Anant Thazhemadam, linux-kernel-mentees@lists.linuxfoundation.org, syzbot+4191a44ad556eacc1a7a@syzkaller.appspotmail.com, linux-kernel@vger.kernel.org
Subject: Re: [Linux-kernel-mentees] [PATCH] fs: fix KMSAN uninit-value bug by initializing nd in do_file_open_root
Message-ID: <20200919165558.GH3421308@ZenIV.linux.org.uk>
References: <20200916052657.18683-1-anant.thazhemadam@gmail.com> <20200916054157.GC825@sol.localdomain> <20200917002238.GO3421308@ZenIV.linux.org.uk> <20200919144451.GF2712238@kroah.com> <20200919161727.GG3421308@ZenIV.linux.org.uk>
In-Reply-To: <20200919161727.GG3421308@ZenIV.linux.org.uk>
X-Mailing-List: linux-kernel@vger.kernel.org

On Sat, Sep 19, 2020 at 05:17:27PM +0100, Al Viro wrote:
> Lovely... That would get an empty path and non-directory for a starting
> point, but it should end up with LAST_ROOT in nd->last_type. Which should
> not be able to reach the readers of those fields... Which kernel had
> that been on?

Yecchhh... I see what's going on; I suspect that this ought to be enough.
Folks, could somebody test it on the original reproducer setup?

diff --git a/fs/namei.c b/fs/namei.c index e99e2a9da0f7..3f02cae7e73f 100644 --- a/fs/namei.c +++ b/fs/namei.c @@ -2113,8 +2113,10 @@ static int link_path_walk(const char *name, struct nameidata *nd) return PTR_ERR(name); while (*name=='/') name++; - if (!*name) + if (!*name) { + nd->dir_mode = 0; // short-circuit the 'hardening' idiocy return 0; + } /* At this point we know we have a real path component. */ for(;;) {
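Review bot: zeroing only `nd->dir_mode` in the new `if (!*name) { ... }` block is a correct fix only if every later reader of the nameidata tests `dir_mode` before touching any other field that this empty-path early return also leaves unset (the report being fixed is an uninit-value read of `nd`, per the subject); that invariant is what makes a one-field initialisation sufficient, and nothing in the hunk states it. Suggest replacing `// short-circuit the 'hardening' idiocy` with a comment that says why zero is the right value here, e.g. that an empty path has no parent directory component, so a zero `dir_mode` makes the checks keyed on the parent's mode a no-op instead of reading an uninitialised field. The `//` form is also a style point: the retained context line `/* At this point we know we have a real path component. */` shows the file uses `/* */` comments.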