Message-ID: <7f6be58affaeac27bd3799134abe16ceba38c9a8.camel@redhat.com>
Subject: Re: [PATCH] drm/nouveau/acr: Fix undefined behavior in nvkm_acr_hsfw_load_bl()
From: Lyude Paul
To: Zhou Qingyang
Cc: kjlu@umn.edu, Ben Skeggs, Karol Herbst, David Airlie, Daniel Vetter, dri-devel@lists.freedesktop.org, nouveau@lists.freedesktop.org, linux-kernel@vger.kernel.org
Date: Tue, 25 Jan 2022 14:11:51 -0500
In-Reply-To: <20220124165856.57022-1-zhou1615@umn.edu>
References: <20220124165856.57022-1-zhou1615@umn.edu>
Organization: Red Hat Inc.
X-Mailing-List: linux-kernel@vger.kernel.org

Reviewed-by: Lyude Paul

On Tue, 2022-01-25 at 00:58 +0800, Zhou Qingyang wrote:
> In nvkm_acr_hsfw_load_bl(), the return value of kmalloc() is directly
> passed to memcpy(), which could lead to undefined behavior on failure
> of kmalloc().
>
> Fix this bug by using kmemdup() instead of kmalloc()+memcpy().
>
> This bug was found by a static analyzer.
>
> Builds with 'make allyesconfig' show no new warnings,
> and our static analyzer no longer warns about this code.
>
> Fixes: 22dcda45a3d1 ("drm/nouveau/acr: implement new subdev to replace
> "secure boot"")
> Signed-off-by: Zhou Qingyang
> ---
> The analysis employs differential checking to identify inconsistent
> security operations (e.g., checks or kfrees) between two code paths
> and confirms that the inconsistent operations are not recovered in the
> current function or the callers, so they constitute bugs.
>
> Note that, as a bug found by static analysis, it can be a false
> positive or hard to trigger. Multiple researchers have cross-reviewed
> the bug.
>
>  drivers/gpu/drm/nouveau/nvkm/subdev/acr/hsfw.c | 9 +++++----
>  1 file changed, 5 insertions(+), 4 deletions(-)
>
> diff --git a/drivers/gpu/drm/nouveau/nvkm/subdev/acr/hsfw.c
> b/drivers/gpu/drm/nouveau/nvkm/subdev/acr/hsfw.c
> index 667fa016496e..a6ea89a5d51a 100644
> --- a/drivers/gpu/drm/nouveau/nvkm/subdev/acr/hsfw.c
> +++ b/drivers/gpu/drm/nouveau/nvkm/subdev/acr/hsfw.c
> @@ -142,11 +142,12 @@ nvkm_acr_hsfw_load_bl(struct nvkm_acr *acr, const char > *name, int ver, >   >         hsfw->imem_size = desc->code_size; >         hsfw->imem_tag = desc->start_tag; > -       hsfw->imem = kmalloc(desc->code_size, GFP_KERNEL); > -       memcpy(hsfw->imem, data + desc->code_off, desc->code_size); > - > +       hsfw->imem = kmemdup(data + desc->code_off, desc->code_size, > GFP_KERNEL); >         nvkm_firmware_put(fw); > -       return 0; > +       if (!hsfw->imem) > +               return -ENOMEM; > +       else > +               return 0; >  } >   >  int -- Cheers, Lyude Paul (she/her) Software Engineer at Red Hat
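Review bot: the `else` after `return -ENOMEM;` at the tail of the hunk is redundant; the usual kernel form is `if (!hsfw->imem)` / `return -ENOMEM;` followed by a plain unconditional `return 0;`. The ordering as posted is right: nvkm_firmware_put(fw) runs before the NULL check, so the firmware reference is dropped on both the success and the failure path, and the unconditional memcpy() into a possibly-NULL buffer is gone. What the hunk does not show is how the rest of nvkm_acr_hsfw_load_bl() and its callers treat hsfw on a non-zero return, so it is worth confirming that anything attached to hsfw before this point is released on the new -ENOMEM path rather than leaked.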