Re: [PATCH] Squashfs: Fix use of uninitialised variable in zlib & xz decompressors
From: Geert Uytterhoeven
Date: Tue Jan 25 2011 - 12:09:25 EST
On Tue, Jan 25, 2011 at 02:33, Phillip Lougher
<phillip@xxxxxxxxxxxxxxxxxxx> wrote:
> Fix potential use of uninitialised variable caused by recent decompressor
> code optimisations.
>
> In zlib_uncompress (zlib_wrapper.c) we have
>
>         int zlib_err, zlib_init = 0;
>         ...
>         do {
>                 ...
>                         if (avail == 0) {
>                                 offset = 0;
>                                 put_bh(bh[k++]);
>                                 continue;
>                         }
>                 ...
>                 zlib_err = zlib_inflate(stream, Z_SYNC_FLUSH);
>                 ...
>         } while (zlib_err == Z_OK);
>
> If continue is executed (avail == 0) then the while condition will be
> evaluated testing zlib_err, which is uninitialised first time around the
> loop.
>
> Fix this by getting rid of the 'if (avail == 0)' condition test, this
> edge condition should not be being handled in the decompressor code, and
> instead handle it generically in the caller code.
>
> Similarly for xz_wrapper.c.
>
> Incidentally, on most architectures (bar Mips and Parisc), no
> uninitialised variable warning is generated by gcc, this is because
> the while condition test on continue is optimised out and not performed
> (when executing continue zlib_err has not been changed since entering the
> loop, and logically if the while condition was true previously, then it's
> still true).
As this is a "do { ... } while (...);" construct and not a "while (...) { ... }"
construct, the condition is not checked before doing the first iteration.
Furthermore, the "continue" may happen during the first iteration (this depends
on parameters passed to the function), so the compiler cannot make any
assumptions about the value of zlib_err, except that it may be uninitialized.
Gr{oetje,eeting}s,
            Geert
--
Geert Uytterhoeven -- There's lots of Linux beyond ia32 -- geert@xxxxxxxxxxxxxx
In personal conversations with technical people, I call myself a hacker. But
when I'm talking to journalists I just say "programmer" or something like that.
                -- Linus Torvalds
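The two points made in this thread, that "continue" inside a do/while jumps straight to the controlling expression and that the quoted loop therefore tests zlib_err before anything has assigned it, can be shown in a small stand-alone C program. The following is an added example written for this page, not code from the Squashfs patch or from the kernel: the chunk list, toy_inflate(), the counting helpers and drop_empty_chunks() are all constructed here. Rather than actually reading an uninitialised int (which is undefined behaviour and would give no reproducible result), the loop keeps a flag recording whether err has been assigned and counts every evaluation of the while condition that happens before the first assignment. The fix mirrors the patch's approach of handling the avail == 0 case in the caller so that the decompressor loop never takes the continue path.

```c
#include <stddef.h>
#include <stdio.h>

/* Part 1: a "continue" in do { } while () lands on the condition.
 * cond() has a side effect so we can count how often it runs. */
static int cond_evals;

static int cond(int stop)
{
    cond_evals++;
    return !stop;
}

/* Three iterations; the first two end in "continue". Returns how many times
 * the condition was evaluated. If "continue" skipped the test, this would
 * be 1; it is 3, because every "continue" evaluates cond(). */
static int continue_hits_condition(void)
{
    int i = 0;
    cond_evals = 0;
    do {
        i++;
        if (i < 3)
            continue;
    } while (cond(i >= 3));
    return cond_evals;
}

/* Part 2: the loop shape from the patch description.
 * A chunk with len == 0 stands in for a buffer_head whose usable bytes
 * (avail) are 0. Constructed, not the kernel's data structures. */
struct chunk { size_t len; };

enum { Z_OK = 0, Z_STREAM_END = 1 };

/* Toy stand-in for zlib_inflate(): Z_OK while input remains, then end. */
static int toy_inflate(size_t consumed, size_t total)
{
    return consumed < total ? Z_OK : Z_STREAM_END;
}

/* Counts evaluations of the while condition that happen before err has
 * been assigned. err is given a value only so this toy is well-defined;
 * in the original code the read on the "continue" path is of garbage. */
static int count_unassigned_reads(const struct chunk *chunks, size_t n)
{
    int err = Z_OK;
    int err_assigned = 0;
    int unassigned_reads = 0;
    size_t k = 0;

    do {
        if (k < n && chunks[k].len == 0) {     /* avail == 0 in the original */
            k++;
            if (!err_assigned)                 /* "continue" will test err now */
                unassigned_reads++;
            continue;
        }
        err = toy_inflate(++k, n);             /* zlib_inflate() equivalent */
        err_assigned = 1;
    } while (err == Z_OK);

    return unassigned_reads;
}

/* The patch's remedy, modelled in the caller: drop empty buffers before the
 * decompressor ever sees them. Returns the number of chunks kept. */
static size_t drop_empty_chunks(const struct chunk *in, size_t n, struct chunk *out)
{
    size_t m = 0;
    for (size_t i = 0; i < n; i++)
        if (in[i].len != 0)
            out[m++] = in[i];
    return m;
}

/* Constructed sample input: an empty buffer first, then two with data. */
static const struct chunk sample[] = { {0}, {4096}, {1024} };
#define SAMPLE_LEN (sizeof sample / sizeof sample[0])

/* Runs the loop on the sample, with or without the caller-side filtering. */
static int sample_unassigned_reads(int filter_in_caller)
{
    struct chunk filtered[SAMPLE_LEN];
    size_t m;

    if (!filter_in_caller)
        return count_unassigned_reads(sample, SAMPLE_LEN);
    m = drop_empty_chunks(sample, SAMPLE_LEN, filtered);
    return count_unassigned_reads(filtered, m);
}

int main(void)
{
    printf("condition evaluations with continue: %d\n", continue_hits_condition());
    printf("reads of err before assignment, unfiltered: %d\n", sample_unassigned_reads(0));
    printf("reads of err before assignment, filtered:   %d\n", sample_unassigned_reads(1));
    return 0;
}
```

The first count is 3 rather than 1, which is Geert's point about do/while. The second is 1 for the unfiltered sample (the empty first buffer sends the loop to the condition before err has a value) and 0 once the caller filters empty buffers, which is why moving the check out of the decompressor removes the hazard rather than just hiding it from the compiler's warning.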