lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date:   Wed, 26 Jan 2022 13:16:48 +0300
From:   Dan Carpenter <dan.carpenter@...cle.com>
To:     kbuild@...ts.01.org, Thomas Gleixner <tglx@...utronix.de>
Cc:     lkp@...el.com, kbuild-all@...ts.01.org,
        linux-kernel@...r.kernel.org, Paolo Bonzini <pbonzini@...hat.com>,
        Jing Liu <jing2.liu@...el.com>,
        Yang Zhong <yang.zhong@...el.com>
Subject: arch/x86/kernel/fpu/xstate.c:1580 fpstate_realloc() warn: variable
 dereferenced before check 'curfps' (see line 1559)

tree:   https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
head:   dd81e1c7d5fb126e5fbc5c9e334d7b3ec29a16a0
commit: c270ce393dfd700e7510a4579568deeefba954fd x86/fpu: Add guest support to xfd_enable_feature()
config: x86_64-randconfig-m001-20220124 (https://download.01.org/0day-ci/archive/20220125/202201250223.SYDiQopU-lkp@intel.com/config)
compiler: gcc-9 (Debian 9.3.0-22) 9.3.0

If you fix the issue, kindly add following tag as appropriate
Reported-by: kernel test robot <lkp@...el.com>
Reported-by: Dan Carpenter <dan.carpenter@...cle.com>

New smatch warnings:
arch/x86/kernel/fpu/xstate.c:1580 fpstate_realloc() warn: variable dereferenced before check 'curfps' (see line 1559)

vim +/curfps +1580 arch/x86/kernel/fpu/xstate.c

500afbf645a040 Chang S. Bae    2021-10-21  1517  static int fpstate_realloc(u64 xfeatures, unsigned int ksize,
c270ce393dfd70 Thomas Gleixner 2022-01-05  1518  			   unsigned int usize, struct fpu_guest *guest_fpu)
500afbf645a040 Chang S. Bae    2021-10-21  1519  {
500afbf645a040 Chang S. Bae    2021-10-21  1520  	struct fpu *fpu = &current->thread.fpu;
500afbf645a040 Chang S. Bae    2021-10-21  1521  	struct fpstate *curfps, *newfps = NULL;
500afbf645a040 Chang S. Bae    2021-10-21  1522  	unsigned int fpsize;
c270ce393dfd70 Thomas Gleixner 2022-01-05  1523  	bool in_use;
500afbf645a040 Chang S. Bae    2021-10-21  1524  
500afbf645a040 Chang S. Bae    2021-10-21  1525  	fpsize = ksize + ALIGN(offsetof(struct fpstate, regs), 64);
500afbf645a040 Chang S. Bae    2021-10-21  1526  
500afbf645a040 Chang S. Bae    2021-10-21  1527  	newfps = vzalloc(fpsize);
500afbf645a040 Chang S. Bae    2021-10-21  1528  	if (!newfps)
500afbf645a040 Chang S. Bae    2021-10-21  1529  		return -ENOMEM;
500afbf645a040 Chang S. Bae    2021-10-21  1530  	newfps->size = ksize;
500afbf645a040 Chang S. Bae    2021-10-21  1531  	newfps->user_size = usize;
500afbf645a040 Chang S. Bae    2021-10-21  1532  	newfps->is_valloc = true;
500afbf645a040 Chang S. Bae    2021-10-21  1533  
c270ce393dfd70 Thomas Gleixner 2022-01-05  1534  	/*
c270ce393dfd70 Thomas Gleixner 2022-01-05  1535  	 * When a guest FPU is supplied, use @guest_fpu->fpstate
c270ce393dfd70 Thomas Gleixner 2022-01-05  1536  	 * as reference independent whether it is in use or not.
c270ce393dfd70 Thomas Gleixner 2022-01-05  1537  	 */
c270ce393dfd70 Thomas Gleixner 2022-01-05  1538  	curfps = guest_fpu ? guest_fpu->fpstate : fpu->fpstate;
c270ce393dfd70 Thomas Gleixner 2022-01-05  1539  
c270ce393dfd70 Thomas Gleixner 2022-01-05  1540  	/* Determine whether @curfps is the active fpstate */
c270ce393dfd70 Thomas Gleixner 2022-01-05  1541  	in_use = fpu->fpstate == curfps;
c270ce393dfd70 Thomas Gleixner 2022-01-05  1542  
c270ce393dfd70 Thomas Gleixner 2022-01-05  1543  	if (guest_fpu) {
c270ce393dfd70 Thomas Gleixner 2022-01-05  1544  		newfps->is_guest = true;
c270ce393dfd70 Thomas Gleixner 2022-01-05  1545  		newfps->is_confidential = curfps->is_confidential;
c270ce393dfd70 Thomas Gleixner 2022-01-05  1546  		newfps->in_use = curfps->in_use;
c270ce393dfd70 Thomas Gleixner 2022-01-05  1547  		guest_fpu->xfeatures |= xfeatures;
c270ce393dfd70 Thomas Gleixner 2022-01-05  1548  	}
c270ce393dfd70 Thomas Gleixner 2022-01-05  1549  
500afbf645a040 Chang S. Bae    2021-10-21  1550  	fpregs_lock();
500afbf645a040 Chang S. Bae    2021-10-21  1551  	/*
c270ce393dfd70 Thomas Gleixner 2022-01-05  1552  	 * If @curfps is in use, ensure that the current state is in the
c270ce393dfd70 Thomas Gleixner 2022-01-05  1553  	 * registers before swapping fpstate as that might invalidate it
c270ce393dfd70 Thomas Gleixner 2022-01-05  1554  	 * due to layout changes.
500afbf645a040 Chang S. Bae    2021-10-21  1555  	 */
c270ce393dfd70 Thomas Gleixner 2022-01-05  1556  	if (in_use && test_thread_flag(TIF_NEED_FPU_LOAD))
500afbf645a040 Chang S. Bae    2021-10-21  1557  		fpregs_restore_userregs();
500afbf645a040 Chang S. Bae    2021-10-21  1558  
500afbf645a040 Chang S. Bae    2021-10-21 @1559  	newfps->xfeatures = curfps->xfeatures | xfeatures;
                                                                            ^^^^^^^^^^^^^^^^^
Unchecked dereference

500afbf645a040 Chang S. Bae    2021-10-21  1560  	newfps->user_xfeatures = curfps->user_xfeatures | xfeatures;
500afbf645a040 Chang S. Bae    2021-10-21  1561  	newfps->xfd = curfps->xfd & ~xfeatures;
500afbf645a040 Chang S. Bae    2021-10-21  1562  
500afbf645a040 Chang S. Bae    2021-10-21  1563  	/* Do the final updates within the locked region */
500afbf645a040 Chang S. Bae    2021-10-21  1564  	xstate_init_xcomp_bv(&newfps->regs.xsave, newfps->xfeatures);
500afbf645a040 Chang S. Bae    2021-10-21  1565  
c270ce393dfd70 Thomas Gleixner 2022-01-05  1566  	if (guest_fpu) {
c270ce393dfd70 Thomas Gleixner 2022-01-05  1567  		guest_fpu->fpstate = newfps;
c270ce393dfd70 Thomas Gleixner 2022-01-05  1568  		/* If curfps is active, update the FPU fpstate pointer */
c270ce393dfd70 Thomas Gleixner 2022-01-05  1569  		if (in_use)
c270ce393dfd70 Thomas Gleixner 2022-01-05  1570  			fpu->fpstate = newfps;
c270ce393dfd70 Thomas Gleixner 2022-01-05  1571  	} else {
c270ce393dfd70 Thomas Gleixner 2022-01-05  1572  		fpu->fpstate = newfps;
c270ce393dfd70 Thomas Gleixner 2022-01-05  1573  	}
c270ce393dfd70 Thomas Gleixner 2022-01-05  1574  
c270ce393dfd70 Thomas Gleixner 2022-01-05  1575  	if (in_use)
c270ce393dfd70 Thomas Gleixner 2022-01-05  1576  		xfd_update_state(fpu->fpstate);
500afbf645a040 Chang S. Bae    2021-10-21  1577  	fpregs_unlock();
500afbf645a040 Chang S. Bae    2021-10-21  1578  
c270ce393dfd70 Thomas Gleixner 2022-01-05  1579  	/* Only free valloc'ed state */
c270ce393dfd70 Thomas Gleixner 2022-01-05 @1580  	if (curfps && curfps->is_valloc)
                                                            ^^^^^^
Checked too late

500afbf645a040 Chang S. Bae    2021-10-21  1581  		vfree(curfps);
c270ce393dfd70 Thomas Gleixner 2022-01-05  1582  
500afbf645a040 Chang S. Bae    2021-10-21  1583  	return 0;
500afbf645a040 Chang S. Bae    2021-10-21  1584  }

---
0-DAY CI Kernel Test Service, Intel Corporation
https://lists.01.org/hyperkitty/list/kbuild-all@lists.01.org

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ