On Thu, Jun 4, 2020 at 5:57 PM Kees Cook keescook@chromium.org wrote:
On Thu, Jun 04, 2020 at 10:42:45AM +0200, glider@google.com wrote:
Under certain circumstances (we found this out running Docker on a Clang-built kernel with CONFIG_INIT_STACK_ALL) ovl_copy_xattr() may return uninitialized value of |error| from ovl_copy_xattr(). It is then returned by ovl_create() to lookup_open(), which casts it to an invalid dentry pointer, that can be further read or written by the lookup_open() callers.
The uninitialized value is returned when all the xattr on the file are ovl_is_private_xattr(), which is actually a successful case, therefore we initialize |error| with 0.
Signed-off-by: Alexander Potapenko glider@google.com Cc: Kees Cook keescook@chromium.org Cc: Roy Yang royyang@google.com Cc: stable@vger.kernel.org # 4.1
Please include a Fixes (more below) and Link tags for details to help guide backporting, then you don't need to bother with with "# 4.1", the -stable tools will figure it out with a "Fixes" tag.
Thanks for the v2!
Link: https://bugs.chromium.org/p/chromium/issues/detail?id=1050405 Reviewed-by: Kees Cook keescook@chromium.org
The bug seem to date back to at least v4.1 where the annotation has been introduced (i.e. the compilers started noticing error could be used before being initialized). I hovever didn't try to prove that the problem is actually reproducible on such ancient kernels. We've seen it on a real machine running v4.4 as well.
It seems like it came from this, but that's v4.5:
Fixes: e4ad29fa0d22 ("ovl: use a minimal buffer in ovl_copy_xattr")
I believe it's actually:
Fixes: 0956254a2d5b ("ovl: don't copy up opaqueness")
That patch added the ovl_is_private_xattr() check in ovl_copy_xattr(), without which 'error' was always initilalized.
Thanks, Miklos