Date: Thu, 24 Feb 2022 22:25:51 +0000
From: "Colin King (gmail)" <colin.i.king@...il.com>
To: "David E. Box" <david.e.box@...ux.intel.com>
Cc: Mark Gross <markgross@...nel.org>, Hans de Goede <hdegoede@...hat.com>,
    Andy Shevchenko <andriy.shevchenko@...ux.intel.com>,
    "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
    platform-driver-x86@...r.kernel.org
Subject: re: platform/x86: Add Intel Software Defined Silicon driver

Hi,

Static analysis with clang scan has detected a potential issue in the
following commit:

commit 2546c60004309ede8e2d1d5341e0decd90e057bf
Author: David E. Box <david.e.box@...ux.intel.com>
Date:   Fri Feb 11 17:32:50 2022 -0800

    platform/x86: Add Intel Software Defined Silicon driver

The issue is as follows:

static int sdsi_mbox_read(struct sdsi_priv *priv, struct sdsi_mbox_info *info,
                          size_t *data_size)
{
        int ret;

        lockdep_assert_held(&priv->mb_lock);

        ret = sdsi_mbox_acquire(priv, info);
        if (ret)
                return ret;

Note: the return above does not assign a value to *data_size

        return sdsi_mbox_cmd_read(priv, info, data_size);
}

static long state_certificate_read(struct file *filp, struct kobject *kobj,
                                   struct bin_attribute *attr, char *buf,
                                   loff_t off, size_t count)
{
        struct device *dev = kobj_to_dev(kobj);
        struct sdsi_priv *priv = dev_get_drvdata(dev);
        u64 command = SDSI_CMD_READ_STATE;
        struct sdsi_mbox_info info;
        size_t size;
               ^
Note: size is not initialized

        int ret;

        if (!priv->sdsi_enabled)
                return -EPERM;

        if (off)
                return 0;

        /* Buffer for return data */
        info.buffer = kmalloc(SDSI_SIZE_READ_MSG, GFP_KERNEL);
        if (!info.buffer)
                return -ENOMEM;

        info.payload = &command;
        info.size = sizeof(command);

        ret = mutex_lock_interruptible(&priv->mb_lock);
        if (ret)
                goto free_buffer;
        ret = sdsi_mbox_read(priv, &info, &size);

Note: a failure in sdsi_mbox_read can lead to variable size not being
assigned a value.

        mutex_unlock(&priv->mb_lock);
        if (ret < 0)
                goto free_buffer;

Note: failure with ret < 0 going to free_buffer

        if (size > count)
                size = count;

        memcpy(buf, info.buffer, size);

free_buffer:
        kfree(info.buffer);

        if (ret)
                return ret;

        return size;

Note: uninitialized value in size being returned. This is an error.
}
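A userspace C model of the out-parameter pattern this report is about, added here as an example; it is not code from the driver, the commit or the message above. `struct mbox`, `mbox_read`, `cert_read` and `callee_skips_out_param` are hypothetical names, and the sentinel and sample data are constructed.

```c
#include <errno.h>
#include <stddef.h>
#include <string.h>
#include <sys/types.h>

/* Hypothetical stand-in for the mailbox: fails when busy, else yields data. */
struct mbox { int busy; const char *data; size_t len; };

/* Same shape as the reported callee: the error return happens before
 * *data_size is written, so the caller's variable is left untouched. */
static int mbox_read(const struct mbox *m, char *out, size_t *data_size)
{
	if (m->busy)
		return -EBUSY;          /* *data_size not assigned on this path */
	memcpy(out, m->data, m->len);
	*data_size = m->len;
	return 0;
}

/* Caller written defensively: size starts at a known value, any nonzero
 * return leaves immediately, and size is only read after success. */
static ssize_t cert_read(const struct mbox *m, char *buf, size_t count)
{
	char tmp[64];
	size_t size = 0;                /* defined even if the callee bails out */
	int ret;

	if (m->len > sizeof(tmp))
		return -EINVAL;
	ret = mbox_read(m, tmp, &size);
	if (ret)
		return ret;             /* error path never touches size or buf */
	if (size > count)
		size = count;           /* clamp to the caller's buffer */
	memcpy(buf, tmp, size);
	return (ssize_t)size;
}

/* Returns 1 if a failed mbox_read() leaves the caller's sentinel in place. */
static int callee_skips_out_param(void)
{
	struct mbox m = { .busy = 1, .data = "x", .len = 1 };
	char tmp[8];
	size_t size = 0xDEAD;           /* constructed sentinel value */

	return mbox_read(&m, tmp, &size) == -EBUSY && size == 0xDEAD;
}
```

Initializing the out-variable at its declaration also keeps compilers and static analyzers from flagging the error path, whichever branch the caller takes afterwards.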