lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <CAOQ4uxg2Zwuyorw50iKzwbQJO4wD2NfqhE21KPFZrDVMJAYzNQ@mail.gmail.com>
Date: Tue, 27 Jan 2026 12:09:47 +0100
From: Amir Goldstein <amir73il@...il.com>
To: Qing Wang <wangqing7171@...il.com>, Eric Biggers <ebiggers@...nel.org>
Cc: miklos@...redi.hu, linux-kernel@...r.kernel.org, 
	linux-unionfs@...r.kernel.org, 
	syzbot+d130f98b2c265fae5297@...kaller.appspotmail.com, 
	Christian Brauner <brauner@...nel.org>
Subject: Re: [PATCH v2] ovl: Fix uninit-value in ovl_fill_real

On Tue, Jan 27, 2026 at 11:52 AM Qing Wang <wangqing7171@...il.com> wrote:
>
> Syzbot reported a KMSAN uninit-value issue in ovl_fill_real.
>
> This iusse's call chain is:
> __do_sys_getdents64()
>     -> iterate_dir()
>         ...
>             -> ext4_readdir()
>                 -> fscrypt_fname_alloc_buffer() // alloc
>                 -> fscrypt_fname_disk_to_usr // write without tail '\0'
>                 -> dir_emit()
>                     -> ovl_fill_real() // read by strcmp()
>
> The string is used to store the decrypted directory entry name for an
> encrypted inode. As shown in the call chain, fscrypt_fname_disk_to_usr()
> write it wthout null-terminate. However, ovl_fill_real() uses strcmp() to

typo: without

> compare the name against "..", which assumes a null-terminated string and
> may trigger a KMSAN uninit-value warning when the buffer tail contains
> uninit data.
>
> Reported-by: syzbot+d130f98b2c265fae5297@...kaller.appspotmail.com
> Closes: https://syzkaller.appspot.com/bug?extid=d130f98b2c265fae5297
> Fixes: 4edb83bb1041 ("ovl: constant d_ino for non-merge dirs")
> Signed-off-by: Qing Wang <wangqing7171@...il.com>

Reviewed-by: Amir Goldstein <amir73il@...il.com>

> ---
>  fs/overlayfs/readdir.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/fs/overlayfs/readdir.c b/fs/overlayfs/readdir.c
> index 160960bb0ad0..9ea3cd11dd93 100644
> --- a/fs/overlayfs/readdir.c
> +++ b/fs/overlayfs/readdir.c
> @@ -755,7 +755,7 @@ static bool ovl_fill_real(struct dir_context *ctx, const char *name,
>         struct dir_context *orig_ctx = rdt->orig_ctx;
>         bool res;
>
> -       if (rdt->parent_ino && strcmp(name, "..") == 0) {
> +       if (rdt->parent_ino && namelen == 2 && !strncmp(name, "..", namelen)) {
>                 ino = rdt->parent_ino;
>         } else if (rdt->cache) {
>                 struct ovl_cache_entry *p;
> --
> 2.34.1
>

Eric,

Considering that fscrypt_fname_alloc_buffer() anyway allocates the byte for NUL
termination and that decrypted names are zero padded (right?).

How about reinforcing this fix with:

diff --git a/fs/crypto/fname.c b/fs/crypto/fname.c
index a9a4432d12ba1..97e00af49bb9f 100644
--- a/fs/crypto/fname.c
+++ b/fs/crypto/fname.c
@@ -276,6 +276,7 @@ int fscrypt_fname_disk_to_usr(const struct inode *inode,
        if (fscrypt_is_dot_dotdot(&qname)) {
                oname->name[0] = '.';
                oname->name[iname->len - 1] = '.';
+               oname->name[iname->len] = 0;
                oname->len = iname->len;
                return 0;
        }

Thanks,
Amir.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ