Date:   Wed, 13 Jul 2022 17:33:30 +0300
From:   Dan Carpenter <dan.carpenter@...cle.com>
To:     kbuild@...ts.01.org, Scott Mayhew <smayhew@...hat.com>,
        Arnd Bergmann <arnd@...db.de>
Cc:     lkp@...el.com, kbuild-all@...ts.01.org,
        linux-kernel@...r.kernel.org,
        "J. Bruce Fields" <bfields@...hat.com>
Subject: fs/nfsd/nfs4recover.c:814 __cld_pipe_inprogress_downcall() error:
 uninitialized symbol 'princhashlen'.

tree:   https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
head:   b047602d579b4fb028128a525f056bbdc890e7f0
commit: a97b693c3712f040c5802f32b2d685352e08cefa uaccess: fix nios2 and microblaze get_user_8()
config: nios2-randconfig-m031-20220712 (https://download.01.org/0day-ci/archive/20220713/202207132125.6mLS6KnE-lkp@intel.com/config)
compiler: nios2-linux-gcc (GCC) 11.3.0

If you fix the issue, kindly add following tag where applicable
Reported-by: kernel test robot <lkp@...el.com>
Reported-by: Dan Carpenter <dan.carpenter@...cle.com>

New smatch warnings:
fs/nfsd/nfs4recover.c:814 __cld_pipe_inprogress_downcall() error: uninitialized symbol 'princhashlen'.

vim +/princhashlen +814 fs/nfsd/nfs4recover.c

74725959c33c141 Scott Mayhew 2019-03-26  789  static ssize_t
6ee95d1c899186c Scott Mayhew 2019-09-09  790  __cld_pipe_inprogress_downcall(const struct cld_msg_v2 __user *cmsg,
74725959c33c141 Scott Mayhew 2019-03-26  791  		struct nfsd_net *nn)
74725959c33c141 Scott Mayhew 2019-03-26  792  {
6ee95d1c899186c Scott Mayhew 2019-09-09  793  	uint8_t cmd, princhashlen;
6ee95d1c899186c Scott Mayhew 2019-09-09  794  	struct xdr_netobj name, princhash = { .len = 0, .data = NULL };
74725959c33c141 Scott Mayhew 2019-03-26  795  	uint16_t namelen;
8a9f4f41248a4dc Scott Mayhew 2019-03-26  796  	struct cld_net *cn = nn->cld_net;
74725959c33c141 Scott Mayhew 2019-03-26  797  
74725959c33c141 Scott Mayhew 2019-03-26  798  	if (get_user(cmd, &cmsg->cm_cmd)) {
74725959c33c141 Scott Mayhew 2019-03-26  799  		dprintk("%s: error when copying cmd from userspace", __func__);
74725959c33c141 Scott Mayhew 2019-03-26  800  		return -EFAULT;
74725959c33c141 Scott Mayhew 2019-03-26  801  	}
74725959c33c141 Scott Mayhew 2019-03-26  802  	if (cmd == Cld_GraceStart) {
6ee95d1c899186c Scott Mayhew 2019-09-09  803  		if (nn->client_tracking_ops->version >= 2) {
6ee95d1c899186c Scott Mayhew 2019-09-09  804  			const struct cld_clntinfo __user *ci;
6ee95d1c899186c Scott Mayhew 2019-09-09  805  
6ee95d1c899186c Scott Mayhew 2019-09-09  806  			ci = &cmsg->cm_u.cm_clntinfo;
6ee95d1c899186c Scott Mayhew 2019-09-09  807  			if (get_user(namelen, &ci->cc_name.cn_len))
6ee95d1c899186c Scott Mayhew 2019-09-09  808  				return -EFAULT;
6ee95d1c899186c Scott Mayhew 2019-09-09  809  			name.data = memdup_user(&ci->cc_name.cn_id, namelen);
6ee95d1c899186c Scott Mayhew 2019-09-09  810  			if (IS_ERR_OR_NULL(name.data))
6ee95d1c899186c Scott Mayhew 2019-09-09  811  				return -EFAULT;
6ee95d1c899186c Scott Mayhew 2019-09-09  812  			name.len = namelen;
6ee95d1c899186c Scott Mayhew 2019-09-09  813  			get_user(princhashlen, &ci->cc_princhash.cp_len);

The return value of get_user() is not checked here, so a failed copy from userspace leaves 'princhashlen' uninitialized before it is used on the next line.

It's weird that we're only just now catching a 2019 bug, but I guess
the "uaccess: fix nios2 and microblaze get_user_8()" patch makes the
function easy enough for Smatch to parse on that architecture.  On
x86 it's done in assembly so Smatch doesn't track error paths.

This bug is still present upstream.

6ee95d1c899186c Scott Mayhew 2019-09-09 @814  			if (princhashlen > 0) {
6ee95d1c899186c Scott Mayhew 2019-09-09  815  				princhash.data = memdup_user(
6ee95d1c899186c Scott Mayhew 2019-09-09  816  						&ci->cc_princhash.cp_data,
6ee95d1c899186c Scott Mayhew 2019-09-09  817  						princhashlen);
6ee95d1c899186c Scott Mayhew 2019-09-09  818  				if (IS_ERR_OR_NULL(princhash.data))
6ee95d1c899186c Scott Mayhew 2019-09-09  819  					return -EFAULT;

The memdup_user() function cannot return NULL, btw.  (When a function
returns both a mix of error pointers and NULL that generally means it
is an optional feature like LEDs or power management.  The NULL is not
an error but means that it has been deliberately disabled).

6ee95d1c899186c Scott Mayhew 2019-09-09  820  				princhash.len = princhashlen;
6ee95d1c899186c Scott Mayhew 2019-09-09  821  			} else
6ee95d1c899186c Scott Mayhew 2019-09-09  822  				princhash.len = 0;
6ee95d1c899186c Scott Mayhew 2019-09-09  823  		} else {
6ee95d1c899186c Scott Mayhew 2019-09-09  824  			const struct cld_name __user *cnm;
6ee95d1c899186c Scott Mayhew 2019-09-09  825  
6ee95d1c899186c Scott Mayhew 2019-09-09  826  			cnm = &cmsg->cm_u.cm_name;
6ee95d1c899186c Scott Mayhew 2019-09-09  827  			if (get_user(namelen, &cnm->cn_len))
74725959c33c141 Scott Mayhew 2019-03-26  828  				return -EFAULT;
6ee95d1c899186c Scott Mayhew 2019-09-09  829  			name.data = memdup_user(&cnm->cn_id, namelen);
74725959c33c141 Scott Mayhew 2019-03-26  830  			if (IS_ERR_OR_NULL(name.data))
74725959c33c141 Scott Mayhew 2019-03-26  831  				return -EFAULT;
74725959c33c141 Scott Mayhew 2019-03-26  832  			name.len = namelen;
6ee95d1c899186c Scott Mayhew 2019-09-09  833  		}
8a9f4f41248a4dc Scott Mayhew 2019-03-26  834  		if (name.len > 5 && memcmp(name.data, "hash:", 5) == 0) {
8a9f4f41248a4dc Scott Mayhew 2019-03-26  835  			name.len = name.len - 5;
8a9f4f41248a4dc Scott Mayhew 2019-03-26  836  			memmove(name.data, name.data + 5, name.len);
8a9f4f41248a4dc Scott Mayhew 2019-03-26  837  			cn->cn_has_legacy = true;
8a9f4f41248a4dc Scott Mayhew 2019-03-26  838  		}
6ee95d1c899186c Scott Mayhew 2019-09-09  839  		if (!nfs4_client_to_reclaim(name, princhash, nn)) {
74725959c33c141 Scott Mayhew 2019-03-26  840  			kfree(name.data);
6ee95d1c899186c Scott Mayhew 2019-09-09  841  			kfree(princhash.data);
74725959c33c141 Scott Mayhew 2019-03-26  842  			return -EFAULT;
74725959c33c141 Scott Mayhew 2019-03-26  843  		}
11a60d159259dba Scott Mayhew 2019-09-09  844  		return nn->client_tracking_ops->msglen;
74725959c33c141 Scott Mayhew 2019-03-26  845  	}
74725959c33c141 Scott Mayhew 2019-03-26  846  	return -EFAULT;
74725959c33c141 Scott Mayhew 2019-03-26  847  }
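Review bot: In the version >= 2 branch, the early return after the IS_ERR_OR_NULL() check on princhash.data at lines 818-819 leaks name.data, which memdup_user() allocated at line 809 and which is only released on the nfs4_client_to_reclaim() failure path at line 840. The same holds for any error return added after the get_user() at line 813, since name.data is already live at that point. The existing path should read `if (IS_ERR_OR_NULL(princhash.data)) { kfree(name.data); return -EFAULT; }`, and a new error return after line 813 needs the same kfree(name.data) before returning. The version < 2 branch is unaffected because no second buffer is allocated after name.data there.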

-- 
0-DAY CI Kernel Test Service
https://01.org/lkp
