lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date:   Fri, 25 Feb 2022 10:00:27 +0100
From:   Hans de Goede <hdegoede@...hat.com>
To:     "Colin King (gmail)" <colin.i.king@...il.com>,
        "David E. Box" <david.e.box@...ux.intel.com>
Cc:     Mark Gross <markgross@...nel.org>,
        Andy Shevchenko <andriy.shevchenko@...ux.intel.com>,
        "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
        platform-driver-x86@...r.kernel.org
Subject: Re: platform/x86: Add Intel Software Defined Silicon driver

Hi,

On 2/24/22 23:25, Colin King (gmail) wrote:
> Hi,
> 
> Static analysis with clang scan has detected a potential issue in the following commit:
> 
> commit 2546c60004309ede8e2d1d5341e0decd90e057bf
> Author: David E. Box <david.e.box@...ux.intel.com>
> Date:   Fri Feb 11 17:32:50 2022 -0800
> 
>     platform/x86: Add Intel Software Defined Silicon driver
> 
> The issue is as follows:
> 
> static int sdsi_mbox_read(struct sdsi_priv *priv, struct sdsi_mbox_info *info, size_t *data_size)
> {
>         int ret;
> 
>         lockdep_assert_held(&priv->mb_lock);
> 
>         ret = sdsi_mbox_acquire(priv, info);
>         if (ret)
>                 return ret;
> 
> Note: the return above does not assign a value to *data_size

And in this return ret != 0, so we have size==not-set, ret!=0

>         return sdsi_mbox_cmd_read(priv, info, data_size);
> }
> 
> 
> static long state_certificate_read(struct file *filp, struct kobject *kobj,
>                                    struct bin_attribute *attr, char *buf, loff_t off,
>                                    size_t count)
> {
>         struct device *dev = kobj_to_dev(kobj);
>         struct sdsi_priv *priv = dev_get_drvdata(dev);
>         u64 command = SDSI_CMD_READ_STATE;
>         struct sdsi_mbox_info info;
>         size_t size;
>                ^
> Note: size is not initialized
> 
>         int ret;
> 
>         if (!priv->sdsi_enabled)
>                 return -EPERM;
> 
>         if (off)
>                 return 0;
> 
>         /* Buffer for return data */
>         info.buffer = kmalloc(SDSI_SIZE_READ_MSG, GFP_KERNEL);
>         if (!info.buffer)
>                 return -ENOMEM;
> 
>         info.payload = &command;
>         info.size = sizeof(command);
> 
>         ret = mutex_lock_interruptible(&priv->mb_lock);
>         if (ret)
>                 goto free_buffer;
>         ret = sdsi_mbox_read(priv, &info, &size);
> 
> Note: a failure in scsi_mbox_read can lead to variable size not being assigned a value.

Right if that is true then the following still holds:

size==not-set, ret!=0

> 
>         mutex_unlock(&priv->mb_lock);
>         if (ret < 0)
>                 goto free_buffer;
> 
> Note: failure with ret < 0 going to free_buffer
> 
>         if (size > count)
>                 size = count;
> 
>         memcpy(buf, info.buffer, size);
> 
> free_buffer:
>         kfree(info.buffer);
> 
>         if (ret)
>                 return ret;

This is still valid here: size==not-set, ret!=0

so we hit the true path of the if and return ret, not size.

Regards,

Hans


> 
>         return size;
> 
> Note: uninitialized value in size being returned. This is an error.
> 
> }
>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ