From: sashiko-bot@kernel.org
To: alistair23@gmail.com
Cc: ojeda@kernel.org, linux-pci@vger.kernel.org
Subject: Re: [PATCH 16/18] lib: rspdm: Support SPDM certificate validation
Date: Fri, 08 May 2026 04:25:22 +0000 [thread overview]
Message-ID: <20260508042523.10940C2BCB0@smtp.kernel.org> (raw)
In-Reply-To: <20260508031710.514574-17-alistair.francis@wdc.com>
Thank you for your contribution! Sashiko AI review found 3 potential issue(s) to consider:
- [High] validate_cert_chain overwrites `leaf_key` when validating multiple provisioned slots, corrupting state and breaking authentication.
- [High] validate_cert_chain leaks dynamically allocated `x509_certificate` structures on all error paths.
- [High] validate_cert_chain leaks the leaf `x509_certificate` structure upon successful validation.
--
commit 3ec614986c351b34141bcbc9f49c6cce87d68be8
Author: Alistair Francis <alistair@alistair23.me>
lib: rspdm: Support SPDM certificate validation
This commit adds support for validating the SPDM certificate chain. It performs
basic sanity checks to ensure the chain is correct, uses supported signatures,
and is not blacklisted in the kernel.
> diff --git a/lib/rspdm/state.rs b/lib/rspdm/state.rs
> index 69b6f67a6ef52..4c8ee553bb699 100644
> --- a/lib/rspdm/state.rs
> +++ b/lib/rspdm/state.rs
[ ... ]
> @@ -786,4 +789,68 @@ pub(crate) fn get_certificate(&mut self, slot: u8) -> Result<(), Error> {
>
> Ok(())
> }
> +
> + pub(crate) fn validate_cert_chain(&mut self, slot: u8) -> Result<(), Error> {
[ ... ]
> + let cert_ptr = unsafe {
> + from_err_ptr(bindings::x509_cert_parse(
> + &cert_chain_buf[offset..] as *const _ as *const c_void,
> + cert_len as usize,
> + ))?
> + };
> + let cert = unsafe { *cert_ptr };
> +
> + if cert.unsupported_sig || cert.blacklisted {
> + pr_err!("Certificate was rejected\n");
> + to_result(-(bindings::EKEYREJECTED as i32))?;
> + }
Is it possible this code leaks the x509_certificate structure on error paths?
If any validation step fails (such as cert.unsupported_sig or an error in
public_key_verify_signature), returning early with the ? operator will bypass
the x509_free_certificate cleanup for both the currently parsing certificate
(cert_ptr) and the previously parsed certificate (prev_cert).
Since they are stored as raw pointers, the drop semantics do not free them.
> +
> + if let Some(prev) = prev_cert {
> + // Check against previous certificate
> + let rc = unsafe { bindings::public_key_verify_signature((*prev).pub_, cert.sig) };
> +
> + if rc < 0 {
> + pr_err!("Signature validation error\n");
> + to_result(rc)?;
> + }
> + }
[ ... ]
> + if let Some(prev) = prev_cert {
> + if let Some(validate) = self.validate {
> + let rc = unsafe { validate(self.dev, slot, prev) };
> + to_result(rc)?;
> + }
> +
> + self.leaf_key = unsafe { Some((*prev).pub_) };
Does this overwrite self.leaf_key when validating multiple provisioned slots?
The caller in lib.rs iterates over all provisioned slots, calling
validate_cert_chain() for each:
let mut provisioned_slots = state.provisioned_slots;
while (provisioned_slots as usize) > 0 {
let slot = provisioned_slots.trailing_zeros() as u8;
if let Err(e) = state.validate_cert_chain(slot) {
return e.to_errno() as c_int;
}
provisioned_slots &= !(1 << slot);
}
Since self.leaf_key is a single Option, this will overwrite the previous public
key pointer without freeing it.
If a device has multiple provisioned slots, could signature verification later
in challenge() fail because self.leaf_key holds the public key of the last
provisioned slot rather than the first?
Also, does this leak the leaf x509_certificate structure on successful
validation?
At the successful completion of the certificate chain loop, the final
certificate remains in prev_cert. The public key is extracted into
self.leaf_key, but bindings::x509_free_certificate(prev) is never called.
While spdm_destroy() later frees the public key via public_key_free(), the
x509_certificate structure itself and its internal fields appear to be leaked
permanently.
> + }
> +
> + Ok(())
> + }
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260508031710.514574-1-alistair.francis@wdc.com?part=16
next prev parent reply other threads:[~2026-05-08 4:25 UTC|newest]
Thread overview: 35+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-05-08 3:16 [PATCH 00/18] lib: Rust implementation of SPDM alistair23
2026-05-08 3:16 ` [PATCH 01/18] rust: add untrusted data abstraction alistair23
2026-05-08 3:52 ` sashiko-bot
2026-05-08 5:17 ` Dirk Behme
2026-05-08 3:16 ` [PATCH 02/18] X.509: Make certificate parser public alistair23
2026-05-08 3:45 ` sashiko-bot
2026-05-08 3:16 ` [PATCH 03/18] X.509: Parse Subject Alternative Name in certificates alistair23
2026-05-08 3:16 ` [PATCH 04/18] X.509: Move certificate length retrieval into new helper alistair23
2026-05-08 3:39 ` sashiko-bot
2026-05-08 3:16 ` [PATCH 05/18] rust: add bindings for hash.h alistair23
2026-05-08 3:43 ` sashiko-bot
2026-05-08 3:16 ` [PATCH 06/18] rust: error: impl From<FromBytesWithNulError> for Kernel Error alistair23
2026-05-08 3:51 ` sashiko-bot
2026-05-08 3:16 ` [PATCH 07/18] lib: rspdm: Initial commit of Rust SPDM alistair23
2026-05-08 3:41 ` sashiko-bot
2026-05-08 3:17 ` [PATCH 08/18] PCI/TSM: Support connecting to PCIe CMA devices alistair23
2026-05-08 3:17 ` [PATCH 09/18] PCI/CMA: Add a PCI TSM CMA driver using SPDM alistair23
2026-05-08 5:02 ` sashiko-bot
2026-05-08 3:17 ` [PATCH 10/18] PCI/CMA: Validate Subject Alternative Name in certificates alistair23
2026-05-08 3:58 ` sashiko-bot
2026-05-08 3:17 ` [PATCH 11/18] lib: rspdm: Support SPDM get_version alistair23
2026-05-08 3:50 ` sashiko-bot
2026-05-08 3:17 ` [PATCH 12/18] lib: rspdm: Support SPDM get_capabilities alistair23
2026-05-08 4:05 ` sashiko-bot
2026-05-08 3:17 ` [PATCH 13/18] lib: rspdm: Support SPDM negotiate_algorithms alistair23
2026-05-08 4:05 ` sashiko-bot
2026-05-08 3:17 ` [PATCH 14/18] lib: rspdm: Support SPDM get_digests alistair23
2026-05-08 4:06 ` sashiko-bot
2026-05-08 3:17 ` [PATCH 15/18] lib: rspdm: Support SPDM get_certificate alistair23
2026-05-08 4:23 ` sashiko-bot
2026-05-08 3:17 ` [PATCH 16/18] lib: rspdm: Support SPDM certificate validation alistair23
2026-05-08 4:25 ` sashiko-bot [this message]
2026-05-08 3:17 ` [PATCH 17/18] rust: allow extracting the buffer from a CString alistair23
2026-05-08 3:17 ` [PATCH 18/18] lib: rspdm: Support SPDM challenge alistair23
2026-05-08 4:19 ` sashiko-bot
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260508042523.10940C2BCB0@smtp.kernel.org \
--to=sashiko-bot@kernel.org \
--cc=alistair23@gmail.com \
--cc=linux-pci@vger.kernel.org \
--cc=ojeda@kernel.org \
--cc=sashiko@lists.linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox