lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <a8592497-5204-47da-9801-a254b0852fe2@amd.com>
Date: Tue, 11 Mar 2025 14:22:02 +0530
From: Shyam Sundar S K <Shyam-sundar.S-k@....com>
To: Dan Carpenter <dan.carpenter@...aro.org>,
 Ilpo Järvinen <ilpo.jarvinen@...ux.intel.com>
Cc: Hans de Goede <hdegoede@...hat.com>,
 Patil Rajesh Reddy <Patil.Reddy@....com>,
 Mario Limonciello <mario.limonciello@....com>,
 platform-driver-x86@...r.kernel.org, LKML <linux-kernel@...r.kernel.org>,
 kernel-janitors@...r.kernel.org
Subject: Re: [PATCH] platform/x86/amd/pmf: fix cleanup in
 amd_pmf_init_smart_pc()

Hi Dan,

On 3/10/2025 20:22, Dan Carpenter wrote:
> On Mon, Mar 10, 2025 at 02:43:51PM +0200, Ilpo Järvinen wrote:
>> On Mon, 10 Mar 2025, Dan Carpenter wrote:
>>
>>> There are a couple problems in this code:
>>>
>>> First, if amd_pmf_tee_init() fails then the function returns directly
>>> instead of cleaning up.  We cannot simply do a "goto error;" because
>>> that would lead to a double free.  I have re-written this code to
>>> use an unwind ladder to free the allocations.
>>
>> Thanks Dan,
>>
>> Could you please amend this with the information of what is getting 
>> double freed, it took considerable amount of time for me to figure out.
>> I assume it's ->fw_shm_pool ?
>>
> 
> Yes, that's it.  Sure, I can re-write that.
> 
>>> Second, if amd_pmf_start_policy_engine() fails on every iteration though
>>> the loop then the code calls amd_pmf_tee_deinit() twice which is also a
>>> double free.  Call amd_pmf_tee_deinit() inside the loop for each failed
>>> iteration.  Also on that path the error codes are not necessarily
>>> negative kernel error codes.  Set the error code to -EINVAL.
>>
>> Maybe I should start to consistently reject any attempt to use 
>> cleanup/deinit helper functions instead of a proper rollback. It 
>> seems a pattern that is very prone to errors like this.
> 
> I do not like deinit functions.  They are so hard to review.  But I
> detected this bug because of a Smatch warning:
> 
> drivers/platform/x86/amd/pmf/tee-if.c:540 amd_pmf_init_smart_pc() warn: missing unwind goto?

Thank you for the fix. We have a CI that runs sparse/smatch/coverity
to catch all these issues and unfortunately this was not caught by the
CI system.

But, I can confirm that Smatch is triggering this.

drivers/platform/x86/amd/pmf/tee-if.c
  CHECK   scripts/mod/empty.c
  CALL    scripts/checksyscalls.sh
  DESCEND objtool
  INSTALL libsubcmd_headers
  CC [M]  drivers/platform/x86/amd/pmf/tee-if.o
  CHECK   drivers/platform/x86/amd/pmf/tee-if.c
drivers/platform/x86/amd/pmf/tee-if.c:540 amd_pmf_init_smart_pc()
warn: missing unwind goto?

Thanks,
Shyam

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ