Re: [PATCH v2] KEYS: trusted: Fix memory leak in tpm2_key_encode()

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Jarkko Sakkinen <jarkko@kernel.org>
To: Jianglei Nie <niejianglei2021@163.com>
Cc: jejb@linux.ibm.com, zohar@linux.ibm.com, dhowells@redhat.com,
	jmorris@namei.org, serge@hallyn.com,
	linux-integrity@vger.kernel.org, keyrings@vger.kernel.org,
	linux-security-module@vger.kernel.org,
	linux-kernel@vger.kernel.org
Subject: Re: [PATCH v2] KEYS: trusted: Fix memory leak in tpm2_key_encode()
Date: Thu, 9 Jun 2022 08:21:17 +0300	[thread overview]
Message-ID: <YqGDTVa64aknbldb@iki.fi> (raw)
In-Reply-To: <20220608131732.550234-1-niejianglei2021@163.com>

On Wed, Jun 08, 2022 at 09:17:32PM +0800, Jianglei Nie wrote:
> tpm2_key_encode() allocates a memory chunk from scratch with kmalloc(),
> but it is never freed, which leads to a memory leak. Free the memory
> chunk with kfree() in the return path.
> 
> Signed-off-by: Jianglei Nie <niejianglei2021@163.com>
> ---

You should write down the changelog ere. No idea what changed
from the previous version.

>  security/keys/trusted-keys/trusted_tpm2.c | 23 +++++++++++++++++------
>  1 file changed, 17 insertions(+), 6 deletions(-)
> 
> diff --git a/security/keys/trusted-keys/trusted_tpm2.c b/security/keys/trusted-keys/trusted_tpm2.c
> index 0165da386289..8b7ab22950d1 100644
> --- a/security/keys/trusted-keys/trusted_tpm2.c
> +++ b/security/keys/trusted-keys/trusted_tpm2.c
> @@ -32,6 +32,7 @@ static int tpm2_key_encode(struct trusted_key_payload *payload,
>  			   struct trusted_key_options *options,
>  			   u8 *src, u32 len)
>  {
> +	int err;

Declare as the last local variable (reverse christmas tree order).

Also, I'd use "int ret" since in other functions that is used.

>  	const int SCRATCH_SIZE = PAGE_SIZE;
>  	u8 *scratch = kmalloc(SCRATCH_SIZE, GFP_KERNEL);
>  	u8 *work = scratch, *work1;
> @@ -57,8 +58,10 @@ static int tpm2_key_encode(struct trusted_key_payload *payload,
>  		unsigned char bool[3], *w = bool;
>  		/* tag 0 is emptyAuth */
>  		w = asn1_encode_boolean(w, w + sizeof(bool), true);
> -		if (WARN(IS_ERR(w), "BUG: Boolean failed to encode"))
> -			return PTR_ERR(w);
> +		if (WARN(IS_ERR(w), "BUG: Boolean failed to encode")) {
> +			err = PTR_ERR(w);
> +			goto out;
> +		}
>  		work = asn1_encode_tag(work, end_work, 0, bool, w - bool);
>  	}
>  
> @@ -69,8 +72,10 @@ static int tpm2_key_encode(struct trusted_key_payload *payload,
>  	 * trigger, so if it does there's something nefarious going on
>  	 */
>  	if (WARN(work - scratch + pub_len + priv_len + 14 > SCRATCH_SIZE,
> -		 "BUG: scratch buffer is too small"))
> -		return -EINVAL;
> +		 "BUG: scratch buffer is too small")) {
> +		err = -EINVAL;
> +		goto out;
> +	}
>  
>  	work = asn1_encode_integer(work, end_work, options->keyhandle);
>  	work = asn1_encode_octet_string(work, end_work, pub, pub_len);
> @@ -79,10 +84,16 @@ static int tpm2_key_encode(struct trusted_key_payload *payload,
>  	work1 = payload->blob;
>  	work1 = asn1_encode_sequence(work1, work1 + sizeof(payload->blob),
>  				     scratch, work - scratch);
> -	if (WARN(IS_ERR(work1), "BUG: ASN.1 encoder failed"))
> -		return PTR_ERR(work1);
> +	if (WARN(IS_ERR(work1), "BUG: ASN.1 encoder failed")) {
> +		err = -EINVAL;
> +		goto out;

Why you are changing the return value from PTR_ERR(work1
to -EINVAL?

> +	}
> +	kfree(scratch);
>  
>  	return work1 - payload->blob;
> +
> +out:

Nit:

err:

It's only used for the error path.

> +	return err;
>  }
>  
>  struct tpm2_key_context {
> -- 
> 2.25.1
> 

BR, Jarkko

next prev parent reply	other threads:[~2022-06-09  5:23 UTC|newest]

Thread overview: 8+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2022-06-08 13:17 [PATCH v2] KEYS: trusted: Fix memory leak in tpm2_key_encode() Jianglei Nie
2022-06-08 13:38 ` Jonathan McDowell
2022-06-09  5:28   ` jarkko
2022-07-22  8:21     ` [PATCH v3] " Jianglei Nie
2022-07-28  8:07       ` Jarkko Sakkinen
2022-06-09  5:21 ` Jarkko Sakkinen [this message]
2022-06-09  5:22   ` [PATCH v2] " Jarkko Sakkinen
  -- strict thread matches above, loose matches on Subject: below --
2022-06-08 14:35 Jianglei Nie

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=YqGDTVa64aknbldb@iki.fi \
    --to=jarkko@kernel.org \
    --cc=dhowells@redhat.com \
    --cc=jejb@linux.ibm.com \
    --cc=jmorris@namei.org \
    --cc=keyrings@vger.kernel.org \
    --cc=linux-integrity@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-security-module@vger.kernel.org \
    --cc=niejianglei2021@163.com \
    --cc=serge@hallyn.com \
    --cc=zohar@linux.ibm.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.