From: Aristeu Rozanski <aris@redhat.com>
To: Sasha Levin <levinsasha928@gmail.com>
Cc: tj@kernel.org, dan.carpenter@oracle.com, fengguang.wu@intel.com,
	linux-kernel@vger.kernel.org
Subject: Re: [PATCH 1/2] Revert "xattr: mark variable as uninitialized to make both gcc and smatch happy"
Date: Fri, 14 Sep 2012 16:05:57 -0400
Message-ID: <20120914200557.GP19694@redhat.com>
In-Reply-To: <1347651354-16289-1-git-send-email-levinsasha928@gmail.com>

Sasha,

On Fri, Sep 14, 2012 at 09:35:53PM +0200, Sasha Levin wrote:
> This reverts commit 0142145ddb1d6c841be4eae2c7a32dd18ad34b24.
> 
> Short version:
> 
> Not initializing 'new_xattr' at the beginning of __simple_xattr_set() may lead to
> dereferencing it later on in the function.
> 
> 
> Long version:
> 
> The fix for the warnings generated by smatch due to 'new_xattr' being dereferenced
> without a check from being non-NULL is incorrect.
> 
> The problem is that the fix removed initialization of new_xattr with NULL, which
> meant that new_xattr could be anything at the beginning of __simple_xattr_set(),
> and might have not been initialized at any point throughout the function.
> 
> In case new_xattr does get left uninitialized ('value == 0' case) and XATTR_REPLACE
> being set, the fix will actually lead us to dereferencing new_xattr even if we wouldn't
> have done so before.
> 
> Why? Looking at the original code:
> 
>         if (flags & XATTR_REPLACE) {
>                 xattr = new_xattr;
>                 err = -ENODATA;
>         } else if (new_xattr) {
>                 list_add(&new_xattr->list, &xattrs->head);
>                 xattr = NULL;
>         }
> out:
>         spin_unlock(&xattrs->lock);
>         if (xattr) {
>                 kfree(xattr->name);
>                 kfree(xattr);
>         }
>         return err;

not to mention this:
	list_for_each_entry(xattr, &xattrs->head, list) {
		if (!strcmp(name, xattr->name)) {
			if (flags & XATTR_CREATE) {
				xattr = new_xattr;
				err = -EEXIST;
			} else if (new_xattr) {
				list_replace(&xattr->list, &new_xattr->list);
                                ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
			} else {
				list_del(&xattr->list);
			}
			goto out;
		}
	}

Good catch.

-- 
Aristeu
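
A userspace model of the control flow discussed in this message, added here as an example (it is not code from the thread or from the kernel). `model_xattr_set`, `struct xa`, the helpers and the singly linked list are assumptions standing in for the kernel's list and allocator. With `new_xa` initialised to NULL, the remove path (`value == NULL`) never links or frees a pointer it did not allocate.

```c
#include <errno.h>
#include <stdlib.h>
#include <string.h>

#define XATTR_CREATE  0x1 /* fail if the name already exists */
#define XATTR_REPLACE 0x2 /* fail if the name does not exist */
struct xa { struct xa *next; char *name, *value; };

static char *dup_str(const char *s)
{
    char *d = malloc(strlen(s) + 1);
    return d ? strcpy(d, s) : NULL;
}
static void xa_free(struct xa *x) { if (x) { free(x->name); free(x->value); free(x); } }

/* Userspace model, hypothetical names; value == NULL means "remove". */
int model_xattr_set(struct xa **head, const char *name, const char *value, int flags)
{
    struct xa *victim = NULL, **pp;
    struct xa *new_xa = NULL; /* the initialisation the revert restores */
    int err = 0;

    if (value) { /* the only path that assigns new_xa */
        new_xa = calloc(1, sizeof(*new_xa));
        if (new_xa) { new_xa->name = dup_str(name); new_xa->value = dup_str(value); }
        if (!new_xa || !new_xa->name || !new_xa->value) { xa_free(new_xa); return -ENOMEM; }
    }
    for (pp = head; *pp; pp = &(*pp)->next) {
        if (strcmp(name, (*pp)->name))
            continue;
        victim = *pp;
        if (flags & XATTR_CREATE) {
            victim = new_xa; /* NULL on removal: nothing to free */
            err = -EEXIST;
        } else if (new_xa) { /* an indeterminate pointer would be linked in here */
            new_xa->next = victim->next;
            *pp = new_xa;
        } else {
            *pp = victim->next; /* plain removal of the existing entry */
        }
        goto out;
    }
    if (flags & XATTR_REPLACE) {
        victim = new_xa; /* NULL when value == NULL */
        err = -ENODATA;
    } else if (new_xa) {
        new_xa->next = *head;
        *head = new_xa;
    }
out:
    xa_free(victim); /* safe only because every path leaves NULL or an owned node */
    return err;
}
```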

