From: Kees Cook
To: kernel-hardening@lists.openwall.com
Cc: Kees Cook, Michael Leibowitz
Date: Thu, 6 Apr 2017 14:18:21 -0700
Message-Id: <1491513513-84351-7-git-send-email-keescook@chromium.org>
In-Reply-To: <1491513513-84351-1-git-send-email-keescook@chromium.org>
Subject: [kernel-hardening] [PATCH 06/18] NFS: Avoid cross-structure casting
X-Patchwork-Id: 9668473

When the call to nfs_devname() fails, the error path attempts to retain the error via the mnt variable, but this requires a cast across very different types (char * to struct vfsmount *), which the upcoming structure layout randomization plugin flags as being potentially dangerous in the face of randomization. This is a false positive, but what this code actually wants to do is retain the error value, so this patch explicitly sets it, instead of using what seems to be an unexpected cast.

Signed-off-by: Kees Cook
--- fs/nfs/namespace.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/fs/nfs/namespace.c b/fs/nfs/namespace.c index 786f17580582..8ca5d147124d 100644 --- a/fs/nfs/namespace.c +++ b/fs/nfs/namespace.c
@@ -259,9 +259,10 @@ struct vfsmount *nfs_do_submount(struct dentry *dentry, struct nfs_fh *fh, if (page == NULL) goto out; devname = nfs_devname(dentry, page, PAGE_SIZE); - mnt = (struct vfsmount *)devname; - if (IS_ERR(devname)) + if (IS_ERR(devname)) { + mnt = ERR_CAST(devname); goto free_page; + } mnt = nfs_do_clone_mount(NFS_SB(dentry->d_sb), devname, &mountdata); free_page: free_page((unsigned long)page);
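
Review bot: In the new IS_ERR(devname) branch, the added line `mnt = ERR_CAST(devname);` is the actual replacement for the raw cast, but the changelog only says the patch "explicitly sets" the error and never names ERR_CAST(); naming the helper in the commit message would make the intent easier to find when the same cross-type error-pointer pattern is handled elsewhere in this 18-patch series. From the visible lines the move of the assignment into the error branch preserves behaviour, because the success path overwrites mnt with the return value of nfs_do_clone_mount() before reaching free_page:. What the hunk does not show is how mnt is initialised before the earlier `page == NULL` check and its `goto out`; the patch leaves that path untouched, but a reviewer should confirm it against the full function, since mnt is no longer assigned unconditionally between that check and the IS_ERR() test.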