lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:	Tue, 25 Jan 2011 18:09:04 +0100
From:	Geert Uytterhoeven <geert@...ux-m68k.org>
To:	Phillip Lougher <phillip@...gher.demon.co.uk>
Cc:	Linux Kernel Development <linux-kernel@...r.kernel.org>,
	Jesper Juhl <jj@...osbits.net>,
	Andrew Morton <akpm@...ux-foundation.org>
Subject: Re: [PATCH] Squashfs: Fix use of uninitialised variable in zlib & xz decompressors

On Tue, Jan 25, 2011 at 02:33, Phillip Lougher
<phillip@...gher.demon.co.uk> wrote:
> Fix potential use of uninitialised variable caused by recent decompressor
> code optimisations.
>
> In zlib_uncompress (zlib_wrapper.c) we have
>
>        int zlib_err, zlib_init = 0;
>        ...
>        do {
>                ...
>                        if (avail == 0) {
>                                offset = 0;
>                                put_bh(bh[k++]);
>                                continue;
>                        }
>                ...
>                zlib_err = zlib_inflate(stream, Z_SYNC_FLUSH);
>                ...
>        } while (zlib_err == Z_OK);
>
> If continue is executed (avail == 0) then the while condition will be
> evaluated testing zlib_err, which is uninitialised first time around the
> loop.
>
> Fix this by getting rid of the 'if (avail == 0)' condition test, this
> edge condition should not be being handled in the decompressor code, and
> instead handle it generically in the caller code.
>
> Similarly for xz_wrapper.c.
>
> Incidentally, on most architectures (bar Mips and Parisc), no
> uninitialised variable warning is generated by gcc, this is because
> the while condition test on continue is optimised out and not performed
> (when executing continue zlib_err has not been changed since entering the
> loop, and logically if the while condition was true previously, then it's
> still true).

As this is a "do { ... } while (...);" construct and not a "while
(...) { ... }" construct,
the condition is not checked before doing the first iteration. Furthermore the
"continue" may happen during the first iteration (this depends on parameters
passed to the function), so the compiler cannot make any assumptions about the
value of zlib_err, except that may be uninitialized.

Gr{oetje,eeting}s,

                        Geert

--
Geert Uytterhoeven -- There's lots of Linux beyond ia32 -- geert@...ux-m68k.org

In personal conversations with technical people, I call myself a hacker. But
when I'm talking to journalists I just say "programmer" or something like that.
                                -- Linus Torvalds
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ