lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date:   Thu, 24 Feb 2022 22:25:51 +0000
From:   "Colin King (gmail)" <colin.i.king@...il.com>
To:     "David E. Box" <david.e.box@...ux.intel.com>
Cc:     Mark Gross <markgross@...nel.org>,
        Hans de Goede <hdegoede@...hat.com>,
        Andy Shevchenko <andriy.shevchenko@...ux.intel.com>,
        "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
        platform-driver-x86@...r.kernel.org
Subject: re: platform/x86: Add Intel Software Defined Silicon driver

Hi,

Static analysis with clang scan has detected a potential issue in the 
following commit:

commit 2546c60004309ede8e2d1d5341e0decd90e057bf
Author: David E. Box <david.e.box@...ux.intel.com>
Date:   Fri Feb 11 17:32:50 2022 -0800

     platform/x86: Add Intel Software Defined Silicon driver

The issue is as follows:

static int sdsi_mbox_read(struct sdsi_priv *priv, struct sdsi_mbox_info 
*info, size_t *data_size)
{
         int ret;

         lockdep_assert_held(&priv->mb_lock);

         ret = sdsi_mbox_acquire(priv, info);
         if (ret)
                 return ret;

Note: the return above does not assign a value to *data_size


         return sdsi_mbox_cmd_read(priv, info, data_size);
}


static long state_certificate_read(struct file *filp, struct kobject *kobj,
                                    struct bin_attribute *attr, char 
*buf, loff_t off,
                                    size_t count)
{
         struct device *dev = kobj_to_dev(kobj);
         struct sdsi_priv *priv = dev_get_drvdata(dev);
         u64 command = SDSI_CMD_READ_STATE;
         struct sdsi_mbox_info info;
         size_t size;
                ^
Note: size is not initialized

         int ret;

         if (!priv->sdsi_enabled)
                 return -EPERM;

         if (off)
                 return 0;

         /* Buffer for return data */
         info.buffer = kmalloc(SDSI_SIZE_READ_MSG, GFP_KERNEL);
         if (!info.buffer)
                 return -ENOMEM;

         info.payload = &command;
         info.size = sizeof(command);

         ret = mutex_lock_interruptible(&priv->mb_lock);
         if (ret)
                 goto free_buffer;
         ret = sdsi_mbox_read(priv, &info, &size);

Note: a failure in scsi_mbox_read can lead to variable size not being 
assigned a value.

         mutex_unlock(&priv->mb_lock);
         if (ret < 0)
                 goto free_buffer;

Note: failure with ret < 0 going to free_buffer

         if (size > count)
                 size = count;

         memcpy(buf, info.buffer, size);

free_buffer:
         kfree(info.buffer);

         if (ret)
                 return ret;

         return size;

Note: uninitialized value in size being returned. This is an error.

}

Powered by blists - more mailing lists