Re: [bug report] evm: Check also if *tfm is an error pointer in init_desc()

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Dan Carpenter <dan.carpenter@oracle.com>
To: Roberto Sassu <roberto.sassu@huawei.com>
Cc: "linux-integrity@vger.kernel.org"
	<linux-integrity@vger.kernel.org>,
	"linux-security-module@vger.kernel.org" 
	<linux-security-module@vger.kernel.org>,
	Silviu Vlasceanu <Silviu.Vlasceanu@huawei.com>
Subject: Re: [bug report] evm: Check also if *tfm is an error pointer in init_desc()
Date: Tue, 12 May 2020 15:34:14 +0300	[thread overview]
Message-ID: <20200512123414.GA2056@kadam> (raw)
In-Reply-To: <267804d00f2e457186509a6ae40c9c7f@huawei.com>

On Tue, May 12, 2020 at 11:31:53AM +0000, Roberto Sassu wrote:
> > From: Dan Carpenter [mailto:dan.carpenter@oracle.com]
> > Sent: Tuesday, May 12, 2020 12:48 PM
> > 
> > Hello Roberto Sassu,
> > 
> > The patch 53de3b080d5e: "evm: Check also if *tfm is an error pointer
> > in init_desc()" from Apr 27, 2020, leads to the following static
> > checker warning:
> > 
> > 	security/integrity/evm/evm_crypto.c:119 init_desc()
> > 	error: '*tfm' dereferencing possible ERR_PTR()
> > 
> > security/integrity/evm/evm_crypto.c
> >     89
> >     90                  tfm = &evm_tfm[hash_algo];
> >     91                  algo = hash_algo_name[hash_algo];
> >     92          }
> >     93
> >     94          if (IS_ERR_OR_NULL(*tfm)) {
> > 
> > This used to be a "if (!*tfm)" check.
> > 
> >     95                  mutex_lock(&mutex);
> >     96                  if (*tfm)
> >     97                          goto out;
> > 
> > Then we test again with the lock held.  But in the new code if "*tfm"
> > is an error pointer then we jump directly to the unlock and crash on the
> > next line.  I can't see how the commit would fix anything.
> 
> Hello Dan
> 
> you are right. The fix should be applied in both places.
> 
> if (!IS_ERR_OR_NULL(*tfm))
> 	goto out;

No.  I was wrong.

> 
> >     98                  *tfm = crypto_alloc_shash(algo, 0, CRYPTO_NOLOAD);
> >     99                  if (IS_ERR(*tfm)) {
> >    100                          rc = PTR_ERR(*tfm);
> >    101                          pr_err("Can not allocate %s (reason: %ld)\n", algo, rc);
> >    102                          *tfm = NULL;
> >    103                          mutex_unlock(&mutex);
> >    104                          return ERR_PTR(rc);
> >    105                  }
> >    106                  if (type == EVM_XATTR_HMAC) {
> >    107                          rc = crypto_shash_setkey(*tfm, evmkey, evmkey_len);
> >    108                          if (rc) {
> >    109                                  crypto_free_shash(*tfm);
> >    110                                  *tfm = NULL;
> >    111                                  mutex_unlock(&mutex);
> >    112                                  return ERR_PTR(rc);
> >    113                          }
> >    114                  }
> >    115  out:
> >    116                  mutex_unlock(&mutex);
> >    117          }
> >    118
> >    119          desc = kmalloc(sizeof(*desc) + crypto_shash_descsize(*tfm),
> >                                                                      ^^^^
> > I don't understand how using *tfm outside of a lock is safe at all
> > anyway.
> 
> I think the purpose of the mutex is just to  prevent two concurrent
> allocations. Later, it should not be a problem, as *tfm is never freed.
> 

Actually by the time we take the lock then *tfm is either valid or NULL
so this code works.  It's confusing though.

regards,
dan carpenter

next prev parent reply	other threads:[~2020-05-12 12:34 UTC|newest]

Thread overview: 18+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2020-05-12 10:48 [bug report] evm: Check also if *tfm is an error pointer in init_desc() Dan Carpenter
2020-05-12 11:31 ` Roberto Sassu
2020-05-12 12:34   ` Dan Carpenter [this message]
2020-05-12 12:45     ` Roberto Sassu
2020-05-12 13:04       ` Dan Carpenter
2020-05-12 13:08         ` Roberto Sassu
2020-05-12 13:19         ` [PATCH] evm: Fix a small race " Dan Carpenter
2020-05-12 13:19           ` Dan Carpenter
2020-05-12 13:43           ` Roberto Sassu
2020-05-12 13:43             ` Roberto Sassu
2020-05-12 17:47             ` [PATCH v2] " Dan Carpenter
2020-05-12 17:47               ` Dan Carpenter
2020-05-14  6:47               ` Roberto Sassu
2020-05-14  6:47                 ` Roberto Sassu
2020-05-14  7:11                 ` Krzysztof Struczynski
2020-05-14  7:11                   ` Krzysztof Struczynski
2020-05-14 18:21                   ` Mimi Zohar
2020-05-14 18:21                     ` Mimi Zohar

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20200512123414.GA2056@kadam \
    --to=dan.carpenter@oracle.com \
    --cc=Silviu.Vlasceanu@huawei.com \
    --cc=linux-integrity@vger.kernel.org \
    --cc=linux-security-module@vger.kernel.org \
    --cc=roberto.sassu@huawei.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.