lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:	Mon, 24 Jan 2011 14:43:53 -0800
From:	Andrew Morton <akpm@...ux-foundation.org>
To:	Jesper Juhl <jj@...osbits.net>
Cc:	Phillip Lougher <phillip@...gher.demon.co.uk>,
	linux-kernel@...r.kernel.org
Subject: Re: [PATCH] SquashFS, XZ: Don't use uninitialized variable in
 squashfs_xz_uncompress

On Thu, 20 Jan 2011 21:53:23 +0100 (CET)
Jesper Juhl <jj@...osbits.net> wrote:

> In fs/squashfs/xz_wrapper.c::squashfs_xz_uncompress() we have this code:
> 
> 	enum xz_ret xz_err;
> 	...
> 	do {
> 		if (stream->buf.in_pos == stream->buf.in_size && k < b) {
> 		... [nothing that assigns to 'xz_err'] ...
> 			if (avail == 0) {
> 				offset = 0;
> 				put_bh(bh[k++]);
> 				continue;
> 			}
> 		...
> 	} while (xz_err == XZ_OK);
> 
> If we hit that 'continue' statement the first time through, then the 
> 'while' condition will be testing an uninitialized 'xz_err' - not what we 
> want.
> 
> This patch should take care of the problem by making sure that 'xz_err' is 
> initialized to 'XZ_OK' at the start of the function.
> 
> Signed-off-by: Jesper Juhl <jj@...osbits.net>
> ---
>  xz_wrapper.c |    2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
>   compile tested only.
> 
> diff --git a/fs/squashfs/xz_wrapper.c b/fs/squashfs/xz_wrapper.c
> index 856756c..daf76c3 100644
> --- a/fs/squashfs/xz_wrapper.c
> +++ b/fs/squashfs/xz_wrapper.c
> @@ -74,7 +74,7 @@ static int squashfs_xz_uncompress(struct squashfs_sb_info *msblk, void **buffer,
>  	struct buffer_head **bh, int b, int offset, int length, int srclength,
>  	int pages)
>  {
> -	enum xz_ret xz_err;
> +	enum xz_ret xz_err = XZ_OK;
>  	int avail, total = 0, k = 0, page = 0;
>  	struct squashfs_xz *stream = msblk->stream;
>  

hm, maybe.  The handling of the `avail == 0' case looks odd.  It sits
there in a loop doing wait_on_buffer() against buffers which it will
never use and possible reporting -EIO for a buffer which it didn't use,
which seems bogus.

Phillip, please check?
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ