Hi,
static analysis with Coverity has detected a potential issue with the
following commit:
commit 8336af9ab8c5d64a309cbf72648054af61548899
Author: Kees Cook <keesc...@chromium.org>
Date: Wed Jun 10 08:46:58 2020 -0700
fs: Expand __fd_install_received() to accept fd
Calling __fd_install_received() with fd >= 0 and ufd being non-null will
cause a put_user of an uninitialized new_fd hence potentially leaking
data on the stack back to the user.
static analysis is as follows:
1050 int __fd_install_received(int fd, struct file *file, int __user *ufd,
1051 unsigned int o_flags)
1052 {
1053 struct socket *sock;
1. var_decl: Declaring variable new_fd without initializer.
1054 int new_fd;
1055 int error;
1056
1057 error = security_file_receive(file);
2. Condition error, taking false branch.
1058 if (error)
1059 return error;
1060
3. Condition fd < 0, taking false branch.
1061 if (fd < 0) {
1062 new_fd = get_unused_fd_flags(o_flags);
1063 if (new_fd < 0)
1064 return new_fd;
1065 }
1066
4. Condition ufd, taking true branch.
1067 if (ufd) {
CID: Uninitialized scalar variable (UNINIT)5. uninit_use: Using
uninitialized value new_fd.
1068 error = put_user(new_fd, ufd);
Colin
