svn commit: r347066 - in head: sbin/fsck_ffs sys/ufs/ufs

Conrad Meyer cem at freebsd.org
Wed May 8 01:07:15 UTC 2019 

Hi Kirk,

Coverity points out that namlen may be used uninitialized in the
following sequence (CID 1401317):

On Fri, May 3, 2019 at 2:54 PM Kirk McKusick <mckusick at freebsd.org> wrote:
>
> Author: mckusick
> Date: Fri May  3 21:54:14 2019
> New Revision: 347066
> URL: https://svnweb.freebsd.org/changeset/base/347066
>
> Log:
>   This update eliminates a kernel stack disclosure bug in UFS/FFS
>   directory entries that is caused by uninitialized directory entry
>   padding written to the disk.
> ...
> --- head/sbin/fsck_ffs/dir.c    Fri May  3 21:48:42 2019        (r347065)
> +++ head/sbin/fsck_ffs/dir.c    Fri May  3 21:54:14 2019        (r347066)
> ...
> @@ -209,15 +230,39 @@ dircheck(struct inodesc *idesc, struct direct *dp)
>         char *cp;
>         u_char type;
>         u_int8_t namlen;
> -       int spaceleft;
> +       int spaceleft, modified, unused;
>
> +       modified = 0;
>         spaceleft = DIRBLKSIZ - (idesc->id_loc % DIRBLKSIZ);
>         if (dp->d_reclen == 0 ||
>             dp->d_reclen > spaceleft ||
> -           (dp->d_reclen & 0x3) != 0)
> +           (dp->d_reclen & (DIR_ROUNDUP - 1)) != 0)
>                 goto bad;
> -       if (dp->d_ino == 0)
> -               return (1);
> +       if (dp->d_ino == 0) {

In this case, namlen may never be initialized.

> +               /*
> +                * Special case of an unused directory entry. Normally
> +                * the kernel would coalesce unused space with the previous
> +                * entry by extending its d_reclen, but there are situations
> +                * (e.g. fsck) where that doesn't occur.
> +                * If we're clearing out directory cruft (-z flag), then make
> +                * sure this entry gets fully cleared as well.
> +                */
> +               if (zflag && fswritefd >= 0) {
> +                       if (dp->d_type != 0) {
> +                               dp->d_type = 0;
> +                               modified = 1;
> +                       }
> +                       if (dp->d_namlen != 0) {
> +                               dp->d_namlen = 0;
> +                               modified = 1;
> +                       }
> +                       if (dp->d_name[0] != '\0') {
> +                               dp->d_name[0] = '\0';
> +                               modified = 1;
> +                       }
> +               }
> +               goto good;

Then we jump 'good'.

> +       }
>         size = DIRSIZ(0, dp);
>         namlen = dp->d_namlen;
>         type = dp->d_type;
> @@ -231,7 +276,37 @@ dircheck(struct inodesc *idesc, struct direct *dp)
>                         goto bad;
>         if (*cp != '\0')
>                 goto bad;
> +
> +good:
> +       if (zflag && fswritefd >= 0) {
> +               /*
> +                * Clear unused directory entry space, including the d_name
> +                * padding.
> +                */
> +               /* First figure the number of pad bytes. */
> +               unused = roundup2(namlen + 1, DIR_ROUNDUP) - (namlen + 1);

And here we access uninitialized 'namlen'.

Best,
Conrad

More information about the svn-src-head mailing list