Re: [PATCH v2] ovl: Fix uninit-value in ovl_fill_real

Next message: dan.j.williams: "Re: [PATCH RFCv1 1/3] PCI: Allow ATS to be always on for CXL.cache capable devices"
Previous message: kernel test robot: "Re: [PATCH 6/8] perf: add NVIDIA Tegra410 CPU Memory Latency PMU"
In reply to: Amir Goldstein: "Re: [PATCH v2] ovl: Fix uninit-value in ovl_fill_real"
Next in thread: Miklos Szeredi: "Re: [PATCH v2] ovl: Fix uninit-value in ovl_fill_real"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Eric Biggers

Date: Tue Jan 27 2026 - 19:43:55 EST

On Tue, Jan 27, 2026 at 12:09:47PM +0100, Amir Goldstein wrote:
> Eric,
>
> Considering that fscrypt_fname_alloc_buffer() anyway allocates the byte for NUL
> termination and that decrypted names are zero padded (right?).

Only when the length of the original filename isn't already a multiple
of the padding amount, as configured by FSCRYPT_POLICY_FLAGS_PAD_*.

> How about reinforcing this fix with:
>
> diff --git a/fs/crypto/fname.c b/fs/crypto/fname.c
> index a9a4432d12ba1..97e00af49bb9f 100644
> --- a/fs/crypto/fname.c
> +++ b/fs/crypto/fname.c
> @@ -276,6 +276,7 @@ int fscrypt_fname_disk_to_usr(const struct inode *inode,
> if (fscrypt_is_dot_dotdot(&qname)) {
> oname->name[0] = '.';
> oname->name[iname->len - 1] = '.';
> + oname->name[iname->len] = 0;
> oname->len = iname->len;
> return 0;

Do you propose to do the same for all callers of dir_emit() in all
filesystems? It seems not NUL-terminating the name is normal. Just
usually the name is in the pagecache rather than slab memory, which
makes KMSAN not usually notice the out-of-bounds read in overlayfs.

- Eric