From owner-svn-src-all@freebsd.org  Wed May  8 01:07:15 2019
Return-Path: <owner-svn-src-all@freebsd.org>
Delivered-To: svn-src-all@mailman.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
 by mailman.ysv.freebsd.org (Postfix) with ESMTP id 361EC1598DCC;
 Wed,  8 May 2019 01:07:15 +0000 (UTC)
 (envelope-from cse.cem@gmail.com)
Received: from mail-it1-f171.google.com (mail-it1-f171.google.com
 [209.85.166.171])
 (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits)
 server-signature RSA-PSS (4096 bits)
 client-signature RSA-PSS (2048 bits) client-digest SHA256)
 (Client CN "smtp.gmail.com", Issuer "GTS CA 1O1" (verified OK))
 by mx1.freebsd.org (Postfix) with ESMTPS id 3DEA784564;
 Wed,  8 May 2019 01:07:14 +0000 (UTC)
 (envelope-from cse.cem@gmail.com)
Received: by mail-it1-f171.google.com with SMTP id m186so1303221itd.4;
 Tue, 07 May 2019 18:07:14 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20161025;
 h=x-gm-message-state:mime-version:references:in-reply-to:reply-to
 :from:date:message-id:subject:to:cc;
 bh=D6njf2JyUa3+KsopNj2Qvu+rwdhNPlX0LJUCQAZnDHs=;
 b=kAwcwgExvThIFSYA3XvAD8PkqkfNz+YwfaeOiKsG5cDPsMH5aBu4t3Slbq5VZtOb00
 zS2+e4ibQTOCh8CvWtfenS/+v+VDBwAX63LJO6Y6oAichlos8WHHTb0jPG2/Hg/pCHTD
 AdrbEn+ZTylnd1CgvHTjGhp867DueadNWvfZpbdSixfo2Gkir/CnL2jdwrtB1DCpPKsF
 fUy9DVextzros4rf9mOXaB5G2sm/sG8fTIo7aFQw0+emBOVxWKl36VVDFGourmRXNqcj
 NMOgUJtBu8bxtQyXvG+MR4C66R4mafVBzZl8N9FUDfAXTZeRfeRUc786CEPM4fNIFsmQ
 IWyA==
X-Gm-Message-State: APjAAAWsI1+aET9ApoYjcrtiBvlNbaz9+krJk6Sko/0eKGzNhSiVVP+F
 YxXlFkBTw+QMd7WIBfpQJ1PjH35D
X-Google-Smtp-Source: APXvYqxiuoVwBJeOzuwrTcZEjOgURIiOCFM9OpQbAiL9n8pOmyrkKiM1/jRwcAYH89RyxsJ0TAEi2w==
X-Received: by 2002:a24:6416:: with SMTP id t22mr1265639itc.176.1557277632953; 
 Tue, 07 May 2019 18:07:12 -0700 (PDT)
Received: from mail-it1-f176.google.com (mail-it1-f176.google.com.
 [209.85.166.176])
 by smtp.gmail.com with ESMTPSA id m142sm379458itb.31.2019.05.07.18.07.12
 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
 Tue, 07 May 2019 18:07:12 -0700 (PDT)
Received: by mail-it1-f176.google.com with SMTP id m186so1303179itd.4;
 Tue, 07 May 2019 18:07:12 -0700 (PDT)
X-Received: by 2002:a05:660c:130f:: with SMTP id
 f15mr1191069itb.166.1557277632375; 
 Tue, 07 May 2019 18:07:12 -0700 (PDT)
MIME-Version: 1.0
References: <201905032154.x43LsFae008760@repo.freebsd.org>
In-Reply-To: <201905032154.x43LsFae008760@repo.freebsd.org>
Reply-To: cem@freebsd.org
From: Conrad Meyer <cem@freebsd.org>
Date: Tue, 7 May 2019 18:07:01 -0700
X-Gmail-Original-Message-ID: <CAG6CVpWhXpjoZPxO4BSCQAcLfgNeqXj_eDOaoo_06HUcAo0krg@mail.gmail.com>
Message-ID: <CAG6CVpWhXpjoZPxO4BSCQAcLfgNeqXj_eDOaoo_06HUcAo0krg@mail.gmail.com>
Subject: Re: svn commit: r347066 - in head: sbin/fsck_ffs sys/ufs/ufs
To: Kirk McKusick <mckusick@freebsd.org>
Cc: src-committers <src-committers@freebsd.org>,
 svn-src-all <svn-src-all@freebsd.org>, 
 svn-src-head <svn-src-head@freebsd.org>
Content-Type: text/plain; charset="UTF-8"
X-Rspamd-Queue-Id: 3DEA784564
X-Spamd-Bar: -----
Authentication-Results: mx1.freebsd.org;
 spf=pass (mx1.freebsd.org: domain of csecem@gmail.com designates
 209.85.166.171 as permitted sender) smtp.mailfrom=csecem@gmail.com
X-Spamd-Result: default: False [-5.51 / 15.00]; RCVD_VIA_SMTP_AUTH(0.00)[];
 HAS_REPLYTO(0.00)[cem@freebsd.org];
 R_SPF_ALLOW(-0.20)[+ip4:209.85.128.0/17];
 REPLYTO_ADDR_EQ_FROM(0.00)[]; RCVD_COUNT_THREE(0.00)[4];
 TO_DN_ALL(0.00)[];
 MX_GOOD(-0.01)[cached: alt3.gmail-smtp-in.l.google.com];
 NEURAL_HAM_SHORT(-0.96)[-0.960,0];
 FORGED_SENDER(0.30)[cem@freebsd.org,csecem@gmail.com];
 R_DKIM_NA(0.00)[]; FREEMAIL_ENVFROM(0.00)[gmail.com];
 ASN(0.00)[asn:15169, ipnet:209.85.128.0/17, country:US];
 FROM_NEQ_ENVFROM(0.00)[cem@freebsd.org,csecem@gmail.com];
 TAGGED_FROM(0.00)[]; ARC_NA(0.00)[];
 NEURAL_HAM_MEDIUM(-1.00)[-1.000,0]; MIME_TRACE(0.00)[0:+];
 FROM_HAS_DN(0.00)[]; TO_MATCH_ENVRCPT_ALL(0.00)[];
 RCPT_COUNT_THREE(0.00)[4]; MIME_GOOD(-0.10)[text/plain];
 RCVD_TLS_LAST(0.00)[]; DMARC_NA(0.00)[freebsd.org];
 NEURAL_HAM_LONG(-1.00)[-1.000,0];
 IP_SCORE(-2.54)[ip: (-6.65), ipnet: 209.85.128.0/17(-3.75), asn: 15169(-2.26),
 country: US(-0.06)]; 
 RCVD_IN_DNSWL_NONE(0.00)[171.166.85.209.list.dnswl.org : 127.0.5.0]
X-BeenThere: svn-src-all@freebsd.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "SVN commit messages for the entire src tree \(except for &quot;
 user&quot; and &quot; projects&quot; \)" <svn-src-all.freebsd.org>
List-Unsubscribe: <https://lists.freebsd.org/mailman/options/svn-src-all>,
 <mailto:svn-src-all-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/svn-src-all/>
List-Post: <mailto:svn-src-all@freebsd.org>
List-Help: <mailto:svn-src-all-request@freebsd.org?subject=help>
List-Subscribe: <https://lists.freebsd.org/mailman/listinfo/svn-src-all>,
 <mailto:svn-src-all-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Wed, 08 May 2019 01:07:15 -0000

Hi Kirk,

Coverity points out that namlen may be used uninitialized in the
following sequence (CID 1401317):

On Fri, May 3, 2019 at 2:54 PM Kirk McKusick <mckusick@freebsd.org> wrote:
>
> Author: mckusick
> Date: Fri May  3 21:54:14 2019
> New Revision: 347066
> URL: https://svnweb.freebsd.org/changeset/base/347066
>
> Log:
>   This update eliminates a kernel stack disclosure bug in UFS/FFS
>   directory entries that is caused by uninitialized directory entry
>   padding written to the disk.
> ...
> --- head/sbin/fsck_ffs/dir.c    Fri May  3 21:48:42 2019        (r347065)
> +++ head/sbin/fsck_ffs/dir.c    Fri May  3 21:54:14 2019        (r347066)
> ...
> @@ -209,15 +230,39 @@ dircheck(struct inodesc *idesc, struct direct *dp)
>         char *cp;
>         u_char type;
>         u_int8_t namlen;
> -       int spaceleft;
> +       int spaceleft, modified, unused;
>
> +       modified = 0;
>         spaceleft = DIRBLKSIZ - (idesc->id_loc % DIRBLKSIZ);
>         if (dp->d_reclen == 0 ||
>             dp->d_reclen > spaceleft ||
> -           (dp->d_reclen & 0x3) != 0)
> +           (dp->d_reclen & (DIR_ROUNDUP - 1)) != 0)
>                 goto bad;
> -       if (dp->d_ino == 0)
> -               return (1);
> +       if (dp->d_ino == 0) {

In this case, namlen may never be initialized.

> +               /*
> +                * Special case of an unused directory entry. Normally
> +                * the kernel would coalesce unused space with the previous
> +                * entry by extending its d_reclen, but there are situations
> +                * (e.g. fsck) where that doesn't occur.
> +                * If we're clearing out directory cruft (-z flag), then make
> +                * sure this entry gets fully cleared as well.
> +                */
> +               if (zflag && fswritefd >= 0) {
> +                       if (dp->d_type != 0) {
> +                               dp->d_type = 0;
> +                               modified = 1;
> +                       }
> +                       if (dp->d_namlen != 0) {
> +                               dp->d_namlen = 0;
> +                               modified = 1;
> +                       }
> +                       if (dp->d_name[0] != '\0') {
> +                               dp->d_name[0] = '\0';
> +                               modified = 1;
> +                       }
> +               }
> +               goto good;

Then we jump 'good'.

> +       }
>         size = DIRSIZ(0, dp);
>         namlen = dp->d_namlen;
>         type = dp->d_type;
> @@ -231,7 +276,37 @@ dircheck(struct inodesc *idesc, struct direct *dp)
>                         goto bad;
>         if (*cp != '\0')
>                 goto bad;
> +
> +good:
> +       if (zflag && fswritefd >= 0) {
> +               /*
> +                * Clear unused directory entry space, including the d_name
> +                * padding.
> +                */
> +               /* First figure the number of pad bytes. */
> +               unused = roundup2(namlen + 1, DIR_ROUNDUP) - (namlen + 1);

And here we access uninitialized 'namlen'.

Best,
Conrad