| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 9 Sep 2020 21:40:28 +0100
From: Alex Dewar <alex.dewar90@...il.com>
To: Dan Carpenter <dan.carpenter@...cle.com>
Cc: devel@...verdev.osuosl.org,
Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
linux-kernel@...r.kernel.org,
Sakari Ailus <sakari.ailus@...ux.intel.com>,
Mauro Carvalho Chehab <mchehab@...nel.org>,
linux-media@...r.kernel.org
Subject: Re: [PATCH] staging: media: atomisp: Use kvfree_sensitive in a few
places
On 2020-09-09 21:06, Dan Carpenter wrote:
> On Wed, Sep 09, 2020 at 08:53:50PM +0100, Alex Dewar wrote:
>> In the file pci/sh_css_params.c, there are a number of places where
>> memset+kvfree is used, where kvfree_sensitive could be used instead. Fix
>> these occurrences.
> This doesn't say *why* the commit is doing it. There are two reasons:
> The worry with these is that the compiler could optimize away the memset
> because it sees the kfree(). Second using kvfree_sensitive() is more
> clear and readable.
Good point :)
>
>> Issue identified with Coccinelle.
>>
>> Signed-off-by: Alex Dewar <alex.dewar90@...il.com>
>> ---
>> .../staging/media/atomisp/pci/sh_css_params.c | 19 +++++++------------
>> 1 file changed, 7 insertions(+), 12 deletions(-)
>>
>> diff --git a/drivers/staging/media/atomisp/pci/sh_css_params.c b/drivers/staging/media/atomisp/pci/sh_css_params.c
>> index 2c67c23b3700..d1b5d6608d52 100644
>> --- a/drivers/staging/media/atomisp/pci/sh_css_params.c
>> +++ b/drivers/staging/media/atomisp/pci/sh_css_params.c
>> @@ -4378,8 +4378,7 @@ ia_css_3a_statistics_free(struct ia_css_3a_statistics *me)
>> if (me) {
>> kvfree(me->rgby_data);
>> kvfree(me->data);
>> - memset(me, 0, sizeof(struct ia_css_3a_statistics));
>> - kvfree(me);
>> + kvfree_sensitive(me, sizeof(struct ia_css_3a_statistics));
> I don't think ia_css_3a_statistics are sensitive at all. What we're
> trying to protect are things like passwords. Just delete the memset.
>
> Looking below, I don't think any of these are sensitive so just delete
> all the memsets.
This makes sense. I'll send a new patch. Thanks for the feedback!
Alex
>
> regards,
> dan carpenter
>
Powered by blists - more mailing lists