RE: [bug report] evm: Check also if *tfm is an error pointer in init_desc()

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Roberto Sassu <roberto.sassu@huawei.com>
To: Dan Carpenter <dan.carpenter@oracle.com>
Cc: "linux-integrity@vger.kernel.org"
	<linux-integrity@vger.kernel.org>,
	"linux-security-module@vger.kernel.org" 
	<linux-security-module@vger.kernel.org>,
	Silviu Vlasceanu <Silviu.Vlasceanu@huawei.com>
Subject: RE: [bug report] evm: Check also if *tfm is an error pointer in init_desc()
Date: Tue, 12 May 2020 13:08:43 +0000	[thread overview]
Message-ID: <b3d22440ccbb44bfa3c48bfc28ea566d@huawei.com> (raw)
In-Reply-To: <20200512130410.GB2056@kadam>

> From: owner-linux-security-module@vger.kernel.org [mailto:owner-linux-
> security-module@vger.kernel.org] On Behalf Of Dan Carpenter
> Sent: Tuesday, May 12, 2020 3:04 PM
> On Tue, May 12, 2020 at 12:45:06PM +0000, Roberto Sassu wrote:
> > > From: owner-linux-security-module@vger.kernel.org [mailto:owner-
> linux-
> > > security-module@vger.kernel.org] On Behalf Of Dan Carpenter
> > > Sent: Tuesday, May 12, 2020 2:34 PM
> > > On Tue, May 12, 2020 at 11:31:53AM +0000, Roberto Sassu wrote:
> > > > > From: Dan Carpenter [mailto:dan.carpenter@oracle.com]
> > > > > Sent: Tuesday, May 12, 2020 12:48 PM
> > > > >
> > > > > Hello Roberto Sassu,
> > > > >
> > > > > The patch 53de3b080d5e: "evm: Check also if *tfm is an error pointer
> > > > > in init_desc()" from Apr 27, 2020, leads to the following static
> > > > > checker warning:
> > > > >
> > > > > 	security/integrity/evm/evm_crypto.c:119 init_desc()
> > > > > 	error: '*tfm' dereferencing possible ERR_PTR()
> > > > >
> > > > > security/integrity/evm/evm_crypto.c
> > > > >     89
> > > > >     90                  tfm = &evm_tfm[hash_algo];
> > > > >     91                  algo = hash_algo_name[hash_algo];
> > > > >     92          }
> > > > >     93
> > > > >     94          if (IS_ERR_OR_NULL(*tfm)) {
> > > > >
> > > > > This used to be a "if (!*tfm)" check.
> > > > >
> > > > >     95                  mutex_lock(&mutex);
> > > > >     96                  if (*tfm)
> > > > >     97                          goto out;
> > > > >
> > > > > Then we test again with the lock held.  But in the new code if "*tfm"
> > > > > is an error pointer then we jump directly to the unlock and crash on
> the
> > > > > next line.  I can't see how the commit would fix anything.
> > > >
> > > > Hello Dan
> > > >
> > > > you are right. The fix should be applied in both places.
> > > >
> > > > if (!IS_ERR_OR_NULL(*tfm))
> > > > 	goto out;
> > >
> > > No.  I was wrong.
> > >
> > > >
> > > > >     98                  *tfm = crypto_alloc_shash(algo, 0, CRYPTO_NOLOAD);
> > > > >     99                  if (IS_ERR(*tfm)) {
> > > > >    100                          rc = PTR_ERR(*tfm);
> > > > >    101                          pr_err("Can not allocate %s (reason: %ld)\n", algo,
> rc);
> > > > >    102                          *tfm = NULL;
> > > > >    103                          mutex_unlock(&mutex);
> > > > >    104                          return ERR_PTR(rc);
> > > > >    105                  }
> > > > >    106                  if (type == EVM_XATTR_HMAC) {
> > > > >    107                          rc = crypto_shash_setkey(*tfm, evmkey,
> > > evmkey_len);
> > > > >    108                          if (rc) {
> > > > >    109                                  crypto_free_shash(*tfm);
> > > > >    110                                  *tfm = NULL;
> > > > >    111                                  mutex_unlock(&mutex);
> > > > >    112                                  return ERR_PTR(rc);
> > > > >    113                          }
> > > > >    114                  }
> > > > >    115  out:
> > > > >    116                  mutex_unlock(&mutex);
> > > > >    117          }
> > > > >    118
> > > > >    119          desc = kmalloc(sizeof(*desc) +
> crypto_shash_descsize(*tfm),
> > > > >                                                                      ^^^^
> > > > > I don't understand how using *tfm outside of a lock is safe at all
> > > > > anyway.
> > > >
> > > > I think the purpose of the mutex is just to  prevent two concurrent
> > > > allocations. Later, it should not be a problem, as *tfm is never freed.
> > > >
> > >
> > > Actually by the time we take the lock then *tfm is either valid or NULL
> > > so this code works.  It's confusing though.
> >
> > static inline bool __must_check IS_ERR_OR_NULL(__force const void *ptr)
> > {
> >         return unlikely(!ptr) || IS_ERR_VALUE((unsigned long)ptr);
> > }
> >
> > CPU#1			CPU#2
> > 			*tfm = crypto_alloc_shash(algo, 0,
> CRYPTO_NOLOAD);
> > unlikely(!ptr)
> > 			*tfm = NULL;
> > IS_ERR_VALUE((unsigned long)ptr);
> >
> > desc = kmalloc(sizeof(*desc) + crypto_shash_descsize(*tfm),
> >
> > Could this happen?
> 
> Yeah.  Huh.  That's true.  Good eyes.
> 
> I feel like this would be more clear as well if we used a temporary
> variable instead of working directly on "*tfm".

Yes, seems better. I will send a new version of the patch.

Thanks

Roberto

HUAWEI TECHNOLOGIES Duesseldorf GmbH, HRB 56063
Managing Director: Li Peng, Li Jian, Shi Yanli

next prev parent reply	other threads:[~2020-05-12 13:08 UTC|newest]

Thread overview: 18+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2020-05-12 10:48 [bug report] evm: Check also if *tfm is an error pointer in init_desc() Dan Carpenter
2020-05-12 11:31 ` Roberto Sassu
2020-05-12 12:34   ` Dan Carpenter
2020-05-12 12:45     ` Roberto Sassu
2020-05-12 13:04       ` Dan Carpenter
2020-05-12 13:08         ` Roberto Sassu [this message]
2020-05-12 13:19         ` [PATCH] evm: Fix a small race " Dan Carpenter
2020-05-12 13:19           ` Dan Carpenter
2020-05-12 13:43           ` Roberto Sassu
2020-05-12 13:43             ` Roberto Sassu
2020-05-12 17:47             ` [PATCH v2] " Dan Carpenter
2020-05-12 17:47               ` Dan Carpenter
2020-05-14  6:47               ` Roberto Sassu
2020-05-14  6:47                 ` Roberto Sassu
2020-05-14  7:11                 ` Krzysztof Struczynski
2020-05-14  7:11                   ` Krzysztof Struczynski
2020-05-14 18:21                   ` Mimi Zohar
2020-05-14 18:21                     ` Mimi Zohar

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=b3d22440ccbb44bfa3c48bfc28ea566d@huawei.com \
    --to=roberto.sassu@huawei.com \
    --cc=Silviu.Vlasceanu@huawei.com \
    --cc=dan.carpenter@oracle.com \
    --cc=linux-integrity@vger.kernel.org \
    --cc=linux-security-module@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.