[4.14,053/190] ovl: initialize error in ovl_copy_xattr

Message ID	20200619141636.236038789@linuxfoundation.org
State	Superseded
Headers	show Return-Path: <SRS0=CyoZ=AA=vger.kernel.org=stable-owner@kernel.org> From: Greg Kroah-Hartman <gregkh@linuxfoundation.org> To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>, stable@vger.kernel.org, Yuxuan Shui <yshuiv7@gmail.com>, Alexander Potapenko <glider@google.com>, Miklos Szeredi <mszeredi@redhat.com> Subject: [PATCH 4.14 053/190] ovl: initialize error in ovl_copy_xattr Date: Fri, 19 Jun 2020 16:31:38 +0200 Message-Id: <20200619141636.236038789@linuxfoundation.org> In-Reply-To: <20200619141633.446429600@linuxfoundation.org> References: <20200619141633.446429600@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Sender: stable-owner@vger.kernel.org Precedence: bulk
Series	None \| expand [4.14,002/190] vxlan: Avoid infinite loop when suppressing NS messages with invalid options [4.14,003/190] make user_access_begin() do access_ok() [4.14,004/190] Fix acccess_ok() on alpha and SH [4.14,005/190] arch/openrisc: Fix issues with access_ok() [4.14,006/190] x86: uaccess: Inhibit speculation past access_ok() in user_access_begin() [4.14,007/190] lib: Reduce user_access_begin() boundaries in strncpy_from_user() and strnlen_user() [4.14,011/190] sched/fair: Dont NUMA balance for kthreads [4.14,012/190] Input: synaptics - add a second working PNP_ID for Lenovo T470s [4.14,014/190] powerpc/xive: Clear the page tables for the ESB IO mapping [4.14,019/190] x86/PCI: Mark Intel C620 MROMs as having non-compliant BARs [4.14,021/190] x86/reboot/quirks: Add MacBook6,1 reboot quirk [4.14,023/190] ALSA: es1688: Add the missed snd_card_free() [4.14,026/190] ACPI: sysfs: Fix reference count leak in acpi_sysfs_add_hotplug_profile() [4.14,027/190] ACPI: CPPC: Fix reference count leak in acpi_cppc_processor_probe() [4.14,028/190] ACPI: GED: add support for _Exx / _Lxx handler methods [4.14,031/190] nilfs2: fix null pointer dereference at nilfs_segctor_do_construct() [4.14,032/190] spi: bcm2835aux: Fix controller unregister order [4.14,038/190] KVM: x86: only do L1TF workaround on affected processors [4.14,042/190] x86/speculation: PR_SPEC_FORCE_DISABLE enforcement for indirect branches. [4.14,043/190] spi: dw: fix possible race condition [4.14,044/190] spi: dw: Fix controller unregister order [4.14,048/190] spi: bcm2835: Fix controller unregister order [4.14,049/190] crypto: virtio: Fix use-after-free in virtio_crypto_skcipher_finalize_req() [4.14,051/190] crypto: virtio: Fix dest length calculation in __virtio_crypto_skcipher_do_req() [4.14,053/190] ovl: initialize error in ovl_copy_xattr [4.14,055/190] video: fbdev: w100fb: Fix a potential double free. [4.14,056/190] KVM: nSVM: fix condition for filtering async PF [4.14,058/190] KVM: nVMX: Consult only the "basic" exit reason when routing nested exit [4.14,061/190] KVM: arm64: Make vcpu_cp1x() work on Big Endian hosts [4.14,062/190] ath9k: Fix use-after-free Read in ath9k_wmi_ctrl_rx [4.14,064/190] ath9x: Fix stack-out-of-bounds Write in ath9k_hif_usb_rx_cb [4.14,067/190] mm/slub: fix a memory leak in sysfs_slab_add() [4.14,068/190] fat: dont allow to mount if the FAT length == 0 [4.14,069/190] perf: Add cond_resched() to task_function_call() [4.14,071/190] mmc: sdhci-msm: Clear tuning done flag while hs400 tuning [4.14,072/190] mmc: sdio: Fix potential NULL pointer error in mmc_sdio_init_card() [4.14,074/190] xen/pvcalls-back: test for errors when calling backend_connect() [4.14,077/190] crypto: ccp -- dont "select" CONFIG_DMADEVICES [4.14,079/190] objtool: Ignore empty alternatives [4.14,080/190] spi: pxa2xx: Apply CS clk quirk to BXT [4.14,083/190] ixgbe: Fix XDP redirect on archs with PAGE_SIZE above 4K [4.14,085/190] Bluetooth: Add SCO fallback for invalid LMP parameters error [4.14,088/190] clocksource: dw_apb_timer: Make CPU-affiliation being optional [4.14,090/190] btrfs: do not ignore error from btrfs_next_leaf() when inserting checksums [4.14,091/190] ARM: 8978/1: mm: make act_mm() respect THREAD_SIZE [4.14,093/190] x86/kvm/hyper-v: Explicitly align hcall param for kvm_hyperv_exit [4.14,094/190] net: vmxnet3: fix possible buffer overflow caused by bad DMA value in vmxnet3_get_... [4.14,095/190] staging: android: ion: use vmap instead of vm_map_ram [4.14,097/190] tools api fs: Make xxx__mountpoint() more scalable [4.14,099/190] dt-bindings: display: mediatek: control dpi pins mode to avoid leakage [4.14,100/190] audit: fix a net reference leak in audit_send_reply() [4.14,101/190] media: dvb: return -EREMOTEIO on i2c transfer failure. [4.14,102/190] media: platform: fcp: Set appropriate DMA parameters [4.14,105/190] netfilter: nft_nat: return EOPNOTSUPP if type or flags are not supported [4.14,106/190] net: bcmgenet: set Rx mode before starting netif [4.14,109/190] net: lpc-enet: fix error return code in lpc_mii_init() [4.14,112/190] powerpc/spufs: fix copy_to_user while atomic [4.14,113/190] Crypto/chcr: fix for ccm(aes) failed test [4.14,115/190] mips: cm: Fix an invalid error code of INTVN_*_ERR [4.14,116/190] kgdb: Fix spurious true from in_dbg_master() [4.14,117/190] nvme: refine the Qemu Identify CNS quirk [4.14,118/190] wcn36xx: Fix error handling path in wcn36xx_probe() [4.14,123/190] x86/boot: Correct relocation destination on old linkers [4.14,124/190] mips: MAAR: Use more precise address mask [4.14,127/190] m68k: mac: Dont call via_flush_cache() on Mac IIfx [4.14,128/190] macvlan: Skip loopback packets in RX handler [4.14,132/190] staging: greybus: sdio: Respect the cmd->busy_timeout from the mmc core [4.14,133/190] mmc: via-sdmmc: Respect the cmd->busy_timeout from the mmc core [4.14,135/190] mmc: sdhci-esdhc-imx: fix the mask for tuning start point [4.14,137/190] cpuidle: Fix three reference count leaks [4.14,139/190] string.h: fix incompatibility between FORTIFY_SOURCE and KASAN [4.14,142/190] ima: Fix ima digest hash table key calculation [4.14,143/190] ima: Directly assign the ima_default_policy pointer to ima_rules [4.14,144/190] evm: Fix possible memory leak in evm_calc_hmac_or_hash() [4.14,145/190] ext4: fix EXT_MAX_EXTENT/INDEX to check for zeroed eh_max [4.14,148/190] PCI: Disable MSI for Freescale Layerscape PCIe RC mode [4.14,150/190] PCI: Avoid FLR for AMD Starship USB 3.0 [4.14,151/190] PCI: Add ACS quirk for iProc PAXB [4.14,154/190] vga_switcheroo: Deduplicate power state tracking [4.14,156/190] PCI: Generalize multi-function power dependency device links [4.14,157/190] PCI: Add ACS quirk for Intel Root Complex Integrated Endpoints [4.14,158/190] PCI: Unify ACS quirk desired vs provided checking [4.14,159/190] btrfs: fix error handling when submitting direct I/O bio [4.14,164/190] e1000e: Relax condition to trigger reset for ME workaround [4.14,165/190] carl9170: remove P2P_GO support [4.14,167/190] b43legacy: Fix case where channel status is corrupted [4.14,170/190] media: ov5640: fix use of destroyed mutex [4.14,172/190] power: vexpress: add suppress_bind_attrs to true [4.14,173/190] pinctrl: samsung: Save/restore eint_mask over suspend for EINT_TYPE GPIOs [4.14,174/190] sparc32: fix register window handling in genregs32_[gs]et() [4.14,175/190] sparc64: fix misuses of access_process_vm() in genregs32_[sg]et() [4.14,181/190] powerpc/64s: Save FSCR to init_task.thread.fscr after feature init [4.14,182/190] kbuild: force to build vmlinux if CONFIG_MODVERSION=y [4.14,185/190] mtd: rawnand: brcmnand: fix hamming oob layout [4.14,186/190] mtd: rawnand: pasemi: Fix the probe error path [4.14,188/190] perf probe: Do not show the skipped events [4.14,189/190] perf probe: Fix to check blacklist address correctly [4.14,190/190] perf symbols: Fix debuginfo search for Ubuntu

Message ID

20200619141636.236038789@linuxfoundation.org

State

Superseded

Headers

From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	stable@vger.kernel.org, Yuxuan Shui <yshuiv7@gmail.com>,
	Alexander Potapenko <glider@google.com>,
	Miklos Szeredi <mszeredi@redhat.com>
Subject: [PATCH 4.14 053/190] ovl: initialize error in ovl_copy_xattr
Date: Fri, 19 Jun 2020 16:31:38 +0200
Message-Id: <20200619141636.236038789@linuxfoundation.org>
In-Reply-To: <20200619141633.446429600@linuxfoundation.org>
References: <20200619141633.446429600@linuxfoundation.org>
User-Agent: quilt/0.66
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Sender: stable-owner@vger.kernel.org
Precedence: bulk

Series

None | expand

Commit Message

Greg Kroah-Hartman June 19, 2020, 2:31 p.m. UTC

From: Yuxuan Shui <yshuiv7@gmail.com>

commit 520da69d265a91c6536c63851cbb8a53946974f0 upstream.

In ovl_copy_xattr, if all the xattrs to be copied are overlayfs private
xattrs, the copy loop will terminate without assigning anything to the
error variable, thus returning an uninitialized value.

If ovl_copy_xattr is called from ovl_clear_empty, this uninitialized error
value is put into a pointer by ERR_PTR(), causing potential invalid memory
accesses down the line.

This commit initialize error with 0. This is the correct value because when
there's no xattr to copy, because all xattrs are private, ovl_copy_xattr
should succeed.

This bug is discovered with the help of INIT_STACK_ALL and clang.

Signed-off-by: Yuxuan Shui <yshuiv7@gmail.com>
Link: https://bugs.chromium.org/p/chromium/issues/detail?id=1050405
Fixes: 0956254a2d5b ("ovl: don't copy up opaqueness")
Cc: stable@vger.kernel.org # v4.8
Signed-off-by: Alexander Potapenko <glider@google.com>
Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/overlayfs/copy_up.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/fs/overlayfs/copy_up.c
+++ b/fs/overlayfs/copy_up.c
@@ -59,7 +59,7 @@  int ovl_copy_xattr(struct dentry *old, s
 {
 	ssize_t list_size, size, value_size = 0;
 	char *buf, *name, *value = NULL;
-	int uninitialized_var(error);
+	int error = 0;
 	size_t slen;
 
 	if (!(old->d_inode->i_opflags & IOP_XATTR) ||

[4.14,053/190] ovl: initialize error in ovl_copy_xattr

Commit Message

Patch