From: Dan Carpenter <dan.carpenter@oracle.com>
To: Daniel Axtens <dja@axtens.net>
Cc: devicetree@vger.kernel.org, kbuild-all@lists.01.org,
	lkp@intel.com, robh@kernel.org,
	Lakshmi Ramasubramanian <nramas@linux.microsoft.com>,
	linuxppc-dev <linuxppc-dev@lists.ozlabs.org>,
	bauerman@linux.ibm.com
Subject: Re: [PATCH] powerpc: Initialize local variable fdt to NULL in elf64_load()
Date: Fri, 16 Apr 2021 10:40:34 +0300
Message-ID: <20210416074034.GN6048@kadam>
In-Reply-To: <87eefag241.fsf@linkitivity.dja.id.au>

On Fri, Apr 16, 2021 at 04:44:30PM +1000, Daniel Axtens wrote:
> Hi Lakshmi,
> 
> > On 4/15/21 12:14 PM, Lakshmi Ramasubramanian wrote:
> >
> > Sorry - missed copying device-tree and powerpc mailing lists.
> >
> >> There are a few "goto out;" statements before the local variable "fdt"
> >> is initialized through the call to of_kexec_alloc_and_setup_fdt() in
> >> elf64_load(). This will result in an uninitialized "fdt" being passed
> >> to kvfree() in this function if there is an error before the call to
> >> of_kexec_alloc_and_setup_fdt().
> >> 
> >> Initialize the local variable "fdt" to NULL.
> >>
> I'm a huge fan of initialising local variables!

Don't be!  It just disables static checker warnings and hides bugs.
The kbuild emails are archived but the email is mangled and unreadable.
https://www.mail-archive.com/kbuild@lists.01.org/msg06371.html

I think maybe you're not on the most recent code.  In linux-next this
code looks like:

arch/powerpc/kexec/elf_64.c
    27  static void *elf64_load(struct kimage *image, char *kernel_buf,
    28                          unsigned long kernel_len, char *initrd,
    29                          unsigned long initrd_len, char *cmdline,
    30                          unsigned long cmdline_len)
    31  {
    32          int ret;
    33          unsigned long kernel_load_addr;
    34          unsigned long initrd_load_addr = 0, fdt_load_addr;
    35          void *fdt;
    36          const void *slave_code;
    37          struct elfhdr ehdr;
    38          char *modified_cmdline = NULL;
    39          struct kexec_elf_info elf_info;
    40          struct kexec_buf kbuf = { .image = image, .buf_min = 0,
    41                                    .buf_max = ppc64_rma_size };
    42          struct kexec_buf pbuf = { .image = image, .buf_min = 0,
    43                                    .buf_max = ppc64_rma_size, .top_down = true,
    44                                    .mem = KEXEC_BUF_MEM_UNKNOWN };
    45  
    46          ret = kexec_build_elf_info(kernel_buf, kernel_len, &ehdr, &elf_info);
    47          if (ret)
    48                  goto out;
                        ^^^^^^^^
I really despise "goto out;" because freeing things which haven't been
allocated is always dangerous.

[ snip ].


   143  out:
   144          kfree(modified_cmdline);
   145          kexec_free_elf_info(&elf_info);
                                     ^^^^^^^^
There is a possibility that "elf_info" holds uninitialized stack
data if elf_read_ehdr() fails so that's probably worth fixing as well.  kexec()
is root only so this can't be exploited.

   146  
   147          /*
   148           * Once FDT buffer has been successfully passed to kexec_add_buffer(),
   149           * the FDT buffer address is saved in image->arch.fdt. In that case,
   150           * the memory cannot be freed here in case of any other error.
   151           */
   152          if (ret && !image->arch.fdt)
   153                  kvfree(fdt);
                               ^^^
Uninitialized.

   154  
   155          return ret ? ERR_PTR(ret) : NULL;
   156  }

regards,
dan carpenter
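As an added example (not code from this thread and not from the kernel tree), here is the staged-label cleanup that avoids the problem Dan describes: each label frees only what was allocated before the jump to it, so neither fdt nor elf_info needs a defensive initialisation, and a static checker can still report a genuine use-before-set. It models the allocation order and the fdt ownership hand-off of elf64_load() in user space; xalloc(), xfree(), struct image, struct elf_info, build_elf_info(), add_buffer(), elf_load_staged() and all_paths_clean() are stand-ins assumed by this example, and the fail_at parameter is a constructed way of triggering each failure point in turn.

```c
/* Added example, not code from the kernel or from this thread: the staged
 * "goto" cleanup idiom in which each label frees only what was allocated
 * before the jump to it, so no pointer needs a defensive "= NULL" and a
 * static checker can still flag a variable used before it is set. The
 * allocation order and the fdt ownership hand-off follow elf64_load(); every
 * name below is a user-space stand-in and an assumption of this example. */
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdlib.h>

/* Counting allocator so a test can check that no path leaks or double-frees. */
static int live_allocs;
static void *xalloc(size_t n) { void *p = calloc(1, n); if (p) live_allocs++; return p; }
static void xfree(void *p) { if (p) { live_allocs--; free(p); } }

struct image { void *fdt; };        /* stand-in for image->arch.fdt */
struct elf_info { void *phdrs; };   /* stand-in for struct kexec_elf_info */

/* fail_at selects which step fails (0 = none), standing in for
 * kexec_build_elf_info(), of_kexec_alloc_and_setup_fdt(), kexec_add_buffer()
 * and a later step failing in turn. */
static int build_elf_info(struct elf_info *info, int fail_at)
{
	if (fail_at == 1)
		return -EINVAL;   /* *info left untouched, like elf_read_ehdr() failing */
	info->phdrs = xalloc(64);
	return info->phdrs ? 0 : -ENOMEM;
}

static void free_elf_info(struct elf_info *info) { xfree(info->phdrs); }

static int add_buffer(struct image *img, void *fdt, int fail_at)
{
	if (fail_at == 3)
		return -EIO;
	img->fdt = fdt;   /* ownership moves to the image; the caller must not free it */
	return 0;
}

int elf_load_staged(struct image *img, int fail_at)
{
	struct elf_info info;
	char *cmdline;
	void *fdt;
	int ret;

	ret = build_elf_info(&info, fail_at);
	if (ret)
		return ret;   /* nothing allocated yet, so there is nothing to free */

	cmdline = xalloc(32);
	if (!cmdline) {
		ret = -ENOMEM;
		goto out_free_elf_info;
	}

	fdt = (fail_at == 2) ? NULL : xalloc(128);
	if (!fdt) {
		ret = -ENOMEM;
		goto out_free_cmdline;
	}

	ret = add_buffer(img, fdt, fail_at);
	if (ret)
		goto out_free_fdt;

	/* From here on img owns fdt: a later failure must not reach out_free_fdt. */
	if (fail_at == 4)
		ret = -EIO;
	goto out_free_cmdline;

out_free_fdt:
	xfree(fdt);
out_free_cmdline:
	xfree(cmdline);
out_free_elf_info:
	free_elf_info(&info);
	return ret;
}

/* Drive every failure point once; true if no path leaked or freed twice. */
bool all_paths_clean(void)
{
	for (int fail_at = 0; fail_at <= 4; fail_at++) {
		struct image img = { .fdt = NULL };
		int ret = elf_load_staged(&img, fail_at);
		if ((fail_at == 0) != (ret == 0))
			return false;
		xfree(img.fdt);   /* the image's owner releases what was handed over */
		if (live_allocs != 0)
			return false;
	}
	return true;
}
```

all_paths_clean() walks every failure point, including the one after the hand-off to add_buffer(), and checks that the allocation count returns to zero each time; the single shared "out:" label in the listing above cannot give that guarantee without the NULL initialisations the patch adds, which is exactly the point about hiding what the checker would otherwise report.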

