Received: by 2002:a05:6a10:1a4d:0:0:0:0 with SMTP id nk13csp1573781pxb; Tue, 8 Feb 2022 22:46:19 -0800 (PST) X-Google-Smtp-Source: ABdhPJzZXQ3pWb5kmGIJzc/+NLzNyeXbVfmkH9wOjHjCZsTR543M7TvbcN7nCLpZC3HGrDLNvEEA X-Received: by 2002:a17:907:9802:: with SMTP id ji2mr685167ejc.154.1644389179277; Tue, 08 Feb 2022 22:46:19 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1644389179; cv=none; d=google.com; s=arc-20160816; b=M+TsQ3bKxrK0HewEY2NExPbUIn0J42hr07tQQRO/tCWmRwODAbQpzKFs3jWDvzjREh OOIOVAlnGPxXqDE++SHg3itE84nyynBBgFa8pmHqhkdZSlCTOu4mu7GoRvsL7F5TDWyw giktx6ihIgPcU3/SgtQzBPydI6hGxRmrHdUL8bJASdUD4bfNNglPsrSS6uswGuAUliHs ZNMGSrM0PZASL4kOUqqHpzjuEvfVlIopZhxbuUiwbBqvETwrcXXfQCq+9D7bZWaBRBUE a093W/YsEynxTGm7ViKWoq8AvSE2YMKxw1L1M/tPB1Epn68V7BpzZX9BOQxs3k58kZCb oNSg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:in-reply-to:from :references:cc:to:content-language:subject:user-agent:mime-version :date:message-id; bh=H6g3rh9m551NvweJuZRHDruHAY9CU9wzTLsOZg37tOo=; b=mg0C7F4Brs3ujfzGLfi3pIWa87QUbufQzXtnxrmyMJgtkGzxXXY5isrmC+NHBJTanz em6wI3JA/MXMfKk0FTBdJ56FAOwOpVjHFMeOciqYnsVPzqk8DM9nuKSscmGGhscW5Tmq X2Rcx2EtNgEhyFODjlZrANnYRIy2UGMNKNayqVTedSLTSd+WcwBMBcFlsrd8lA5tduSQ h7GgA5dximaTJRvxkOJegsI2nJQz8QxYrGhqkq/XA6/XiWh27xyc7gqAMucGAtABlf9L sO/7DxMqxXrWQLdmEtKvgKBGradBJe61GCp3AXpaDbAVi1tGY7uGn5PJoetVTr4yYK3T NSHQ== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=huawei.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id he14si793103ejc.89.2022.02.08.22.45.54; Tue, 08 Feb 2022 22:46:19 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=huawei.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S244059AbiBICnl (ORCPT + 99 others); Tue, 8 Feb 2022 21:43:41 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:57596 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S239658AbiBIBmP (ORCPT ); Tue, 8 Feb 2022 20:42:15 -0500 Received: from szxga02-in.huawei.com (szxga02-in.huawei.com [45.249.212.188]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id C1ACFC06157B; Tue, 8 Feb 2022 17:42:11 -0800 (PST) Received: from dggpemm500024.china.huawei.com (unknown [172.30.72.57]) by szxga02-in.huawei.com (SkyGuard) with ESMTP id 4JtjJ51574z9sWd; Wed, 9 Feb 2022 09:40:37 +0800 (CST) Received: from [10.67.110.173] (10.67.110.173) by dggpemm500024.china.huawei.com (7.185.36.203) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2308.21; Wed, 9 Feb 2022 09:42:08 +0800 Message-ID: <248bf5e4-f171-0f18-90ec-f4be886cb35e@huawei.com> Date: Wed, 9 Feb 2022 09:42:08 +0800 MIME-Version: 1.0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Thunderbird/91.4.0 Subject: Re: Problem with commit ccf11dbaa07b ("evm: Fix memleak in init_desc") Content-Language: en-US To: Mimi Zohar CC: Roberto Sassu , "linux-integrity@vger.kernel.org" , "linux-kernel@vger.kernel.org" , , wangweiyang , "xiujianfeng@huawei.com" References: From: "Guozihua (Scott)" In-Reply-To: Content-Type: text/plain; charset="UTF-8"; format=flowed Content-Transfer-Encoding: 8bit X-Originating-IP: [10.67.110.173] X-ClientProxiedBy: dggems705-chm.china.huawei.com (10.3.19.182) To dggpemm500024.china.huawei.com (7.185.36.203) X-CFilter-Loop: Reflected X-Spam-Status: No, score=-4.2 required=5.0 tests=BAYES_00,NICE_REPLY_A, RCVD_IN_DNSWL_MED,SPF_HELO_NONE,SPF_PASS,T_SCC_BODY_TEXT_LINE autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 2022/2/8 23:20, Mimi Zohar wrote: > On Tue, 2022-02-08 at 16:53 +0800, Guozihua (Scott) wrote: >> Hi Mimi, >> >> I found an issue with commit ccf11dbaa07b ("evm: Fix memleak in init_desc"). >> >> This commit tries to free variable "tmp_tfm" if something went wrong >> after the "alloc" label in function init_desc, which would potentially >> cause a user-after-free issue >> >> The codes are as follows: >> >> 1 static struct shash_desc *init_desc(char type, uint8_t hash_algo) >> 2 { >> 3 long rc; >> 4 const char *algo; >> 5 struct crypto_shash **tfm, *tmp_tfm = NULL; >> 6 struct shash_desc *desc; >> 7 >> 8 if (type == EVM_XATTR_HMAC) { >> 9 if (!(evm_initialized & EVM_INIT_HMAC)) { >> 10 pr_err_once("HMAC key is not set\n"); >> 11 return ERR_PTR(-ENOKEY); >> 12 } >> 13 tfm = &hmac_tfm; >> 14 algo = evm_hmac; >> 15 } else { >> 16 if (hash_algo >= HASH_ALGO__LAST) >> 17 return ERR_PTR(-EINVAL); >> 18 >> 19 tfm = &evm_tfm[hash_algo]; >> 20 algo = hash_algo_name[hash_algo]; >> 21 } >> 22 >> 23 if (*tfm) >> 24 goto alloc; >> 25 mutex_lock(&mutex); >> 26 if (*tfm) >> 27 goto unlock; >> 28 >> 29 tmp_tfm = crypto_alloc_shash(algo, 0, CRYPTO_NOLOAD); >> 30 if (IS_ERR(tmp_tfm)) { >> 31 pr_err("Can not allocate %s (reason: %ld)\n", algo, >> 32 PTR_ERR(tmp_tfm)); >> 33 mutex_unlock(&mutex); >> 34 return ERR_CAST(tmp_tfm); >> 35 } >> 36 if (type == EVM_XATTR_HMAC) { >> 37 rc = crypto_shash_setkey(tmp_tfm, evmkey, evmkey_len); >> 38 if (rc) { >> 39 crypto_free_shash(tmp_tfm); >> 40 â‹…mutex_unlock(&mutex); >> 41 return ERR_PTR(rc); >> 42 } >> 43 } >> 44 *tfm = tmp_tfm; >> 45 unlock: >> 46 mutex_unlock(&mutex); >> 47 alloc: >> 48 desc = kmalloc(sizeof(*desc) + crypto_shash_descsize(*tfm), >> 49 GFP_KERNEL); >> 50 if (!desc) { >> 51 crypto_free_shash(tmp_tfm); >> 52 return ERR_PTR(-ENOMEM); >> 53 } >> 54 >> 55 desc->tfm = *tfm; >> 56 >> 57 rc = crypto_shash_init(desc); >> 58 if (rc) { >> 59 crypto_free_shash(tmp_tfm); >> 60 kfree(desc); >> 61 return ERR_PTR(rc); >> 62 } >> 63 return desc; >> 64 } >> >> As we can see, variable *tfm points to one of the two global variable >> hmac_tfm or evm_tfm[hash_algo]. tmp_tfm is used as an intermediate >> variable for initializing these global variables. Freeing tmp_tfm after >> line 44 would invalidate these global variables and potentially cause a >> user-after-free issue. >> >> I think this commit should be reverted. >> >> Reference: commit 843385694721 ("evm: Fix a small race in init_desc()") > > Why this one, as opposed to commit ccf11dbaa07b ("evm: Fix memleak in > init_desc")? > Hi Mimi, I mean commit ccf11dbaa07b ("evm: Fix memleak in init_desc") should be reverted. commit 843385694721 ("evm: Fix a small race in init_desc()") is just for reference. -- Best GUO Zihua