[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <13f987a0-197a-d0db-6f97-c7358d4723da@gmail.com>
Date: Thu, 24 Feb 2022 22:25:51 +0000
From: "Colin King (gmail)" <colin.i.king@...il.com>
To: "David E. Box" <david.e.box@...ux.intel.com>
Cc: Mark Gross <markgross@...nel.org>,
Hans de Goede <hdegoede@...hat.com>,
Andy Shevchenko <andriy.shevchenko@...ux.intel.com>,
"linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
platform-driver-x86@...r.kernel.org
Subject: re: platform/x86: Add Intel Software Defined Silicon driver
Hi,
Static analysis with clang scan has detected a potential issue in the
following commit:
commit 2546c60004309ede8e2d1d5341e0decd90e057bf
Author: David E. Box <david.e.box@...ux.intel.com>
Date: Fri Feb 11 17:32:50 2022 -0800
platform/x86: Add Intel Software Defined Silicon driver
The issue is as follows:
static int sdsi_mbox_read(struct sdsi_priv *priv, struct sdsi_mbox_info
*info, size_t *data_size)
{
int ret;
lockdep_assert_held(&priv->mb_lock);
ret = sdsi_mbox_acquire(priv, info);
if (ret)
return ret;
Note: the return above does not assign a value to *data_size
return sdsi_mbox_cmd_read(priv, info, data_size);
}
static long state_certificate_read(struct file *filp, struct kobject *kobj,
struct bin_attribute *attr, char
*buf, loff_t off,
size_t count)
{
struct device *dev = kobj_to_dev(kobj);
struct sdsi_priv *priv = dev_get_drvdata(dev);
u64 command = SDSI_CMD_READ_STATE;
struct sdsi_mbox_info info;
size_t size;
^
Note: size is not initialized
int ret;
if (!priv->sdsi_enabled)
return -EPERM;
if (off)
return 0;
/* Buffer for return data */
info.buffer = kmalloc(SDSI_SIZE_READ_MSG, GFP_KERNEL);
if (!info.buffer)
return -ENOMEM;
info.payload = &command;
info.size = sizeof(command);
ret = mutex_lock_interruptible(&priv->mb_lock);
if (ret)
goto free_buffer;
ret = sdsi_mbox_read(priv, &info, &size);
Note: a failure in scsi_mbox_read can lead to variable size not being
assigned a value.
mutex_unlock(&priv->mb_lock);
if (ret < 0)
goto free_buffer;
Note: failure with ret < 0 going to free_buffer
if (size > count)
size = count;
memcpy(buf, info.buffer, size);
free_buffer:
kfree(info.buffer);
if (ret)
return ret;
return size;
Note: uninitialized value in size being returned. This is an error.
}
Powered by blists - more mailing lists