Received: by 2002:a5d:9c59:0:0:0:0:0 with SMTP id 25csp1333224iof; Tue, 7 Jun 2022 03:35:28 -0700 (PDT) X-Google-Smtp-Source: ABdhPJxrfs4wAjkuRTztaW3/AdzIdEec3F+5F45Fu5XZ2+uvQklH5LU0FBc5RfqsSPX76sXQ5KvZ X-Received: by 2002:a17:907:6286:b0:6da:6e24:5e43 with SMTP id nd6-20020a170907628600b006da6e245e43mr25683972ejc.449.1654598128170; Tue, 07 Jun 2022 03:35:28 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1654598128; cv=none; d=google.com; s=arc-20160816; b=nsR9cwoOdonZXoVPDBKC0yn08qjNtvJ4hQ6bTXyPSzBvkD+3Z5RX/AaWLOGjGdvTSw Yz5cAXQGUJWmJ30qEVHFo8a3Wze7YE4mkA/e2CrDsoL2bifovohKUoTpwxhTtemQS7Nn HmjniUuMhwTNbkx+OaJJjTN+hyWWVznJQoD6aFcmrBP4dMq4HD1ASMN//1sx3hJa79M5 tGraG8SS2Q7XM8sXDXb5b0tWeUkAzwh00k7uhpoGTqtyoXdamPV8A/5YM6Xg3336Oi72 RcD3syYUSm/RHvHxDUT4K3xlDKEjPs5PHWRjpTm+6VSOySLqMaVXD1rsozSwdjdQaoZc dcgQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:in-reply-to:from :references:cc:to:content-language:subject:user-agent:mime-version :date:message-id; bh=I/dtLniOJpfmA44RQoQ0j7ICMrJegIcUA5TjjuL0j70=; b=idV2lO6NGYWELidY+zTue7eCTQhYFhHkk2unMxidvSeY7Yf3/tEUX8Pv/FAyCqOiW0 c8XoCp+M6aspdyseH4swHLCqwBU1hU3YU6SdZcPyHxFgVFzgxU4NqTl91I6MQTPHmqQM kAihnRy5pN5yWreOcfXsppkBL8ewKZBHwZDW79j4kcZvuhMW/41FFeXsoT2WN+MPkezB wDtIoI7QlpoZDB53yKmT9AgKvRlwK3qMTnqhowxH/wcY0yNNqkrEOGsEQhNpqGxComfX yk1zLZdH4bSsscnKRVYkI2A1h/oraVyryraUmcecWNUIZ/0Fed/BLnPc92teGapG0hlM XUdQ== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id f11-20020a0564021e8b00b0043147003320si10322862edf.527.2022.06.07.03.35.02; Tue, 07 Jun 2022 03:35:28 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S231863AbiFGIf3 (ORCPT + 99 others); Tue, 7 Jun 2022 04:35:29 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:56020 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S238240AbiFGIfK (ORCPT ); Tue, 7 Jun 2022 04:35:10 -0400 Received: from metis.ext.pengutronix.de (metis.ext.pengutronix.de [IPv6:2001:67c:670:201:290:27ff:fe1d:cc33]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id E6E6CC6E44 for ; Tue, 7 Jun 2022 01:35:08 -0700 (PDT) Received: from ptz.office.stw.pengutronix.de ([2a0a:edc0:0:900:1d::77] helo=[127.0.0.1]) by metis.ext.pengutronix.de with esmtp (Exim 4.92) (envelope-from ) id 1nyUfm-0006dl-1V; Tue, 07 Jun 2022 10:34:46 +0200 Message-ID: <3d42d774-5e12-f983-d6a1-7f644285b509@pengutronix.de> Date: Tue, 7 Jun 2022 10:34:38 +0200 MIME-Version: 1.0 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Thunderbird/91.9.0 Subject: Re: [PATCH] security:trusted_tpm2: Fix memory leak in tpm2_key_encode() Content-Language: en-US To: Jianglei Nie , jejb@linux.ibm.com, jarkko@kernel.org, zohar@linux.ibm.com, dhowells@redhat.com, jmorris@namei.org, serge@hallyn.com Cc: linux-integrity@vger.kernel.org, keyrings@vger.kernel.org, linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org References: <20220607074650.432834-1-niejianglei2021@163.com> From: Ahmad Fatoum In-Reply-To: <20220607074650.432834-1-niejianglei2021@163.com> Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 7bit X-SA-Exim-Connect-IP: 2a0a:edc0:0:900:1d::77 X-SA-Exim-Mail-From: a.fatoum@pengutronix.de X-SA-Exim-Scanned: No (on metis.ext.pengutronix.de); SAEximRunCond expanded to false X-PTX-Original-Recipient: linux-kernel@vger.kernel.org X-Spam-Status: No, score=-5.4 required=5.0 tests=BAYES_00,NICE_REPLY_A, RCVD_IN_DNSWL_MED,SPF_HELO_NONE,SPF_PASS,T_SCC_BODY_TEXT_LINE autolearn=unavailable autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Hello Jianglei, On 07.06.22 09:46, Jianglei Nie wrote: > The function allocates a memory chunk for scratch by kmalloc(), but > it is never freed through the function, which leads to a memory leak. > Handle those cases with kfree(). Thanks for your patch. Shouldn't you free scratch before successful return too? I haven't looked too deeply, but it looks like scratch is indeed scratch space and data written to it are memcpy'd elsewhere before the function returns and no pointer derived from it survives after function return. If this is indeed the case, consider also to switch this to a goto out. Cheers, Ahmad > > Signed-off-by: Jianglei Nie > --- > security/keys/trusted-keys/trusted_tpm2.c | 12 +++++++++--- > 1 file changed, 9 insertions(+), 3 deletions(-) > > diff --git a/security/keys/trusted-keys/trusted_tpm2.c b/security/keys/trusted-keys/trusted_tpm2.c > index 0165da386289..dc9efd6c8b14 100644 > --- a/security/keys/trusted-keys/trusted_tpm2.c > +++ b/security/keys/trusted-keys/trusted_tpm2.c > @@ -57,8 +57,10 @@ static int tpm2_key_encode(struct trusted_key_payload *payload, > unsigned char bool[3], *w = bool; > /* tag 0 is emptyAuth */ > w = asn1_encode_boolean(w, w + sizeof(bool), true); > - if (WARN(IS_ERR(w), "BUG: Boolean failed to encode")) > + if (WARN(IS_ERR(w), "BUG: Boolean failed to encode")) { > + kfree(scratch); > return PTR_ERR(w); > + } > work = asn1_encode_tag(work, end_work, 0, bool, w - bool); > } > > @@ -69,8 +71,10 @@ static int tpm2_key_encode(struct trusted_key_payload *payload, > * trigger, so if it does there's something nefarious going on > */ > if (WARN(work - scratch + pub_len + priv_len + 14 > SCRATCH_SIZE, > - "BUG: scratch buffer is too small")) > + "BUG: scratch buffer is too small")) { > + kfree(scratch); > return -EINVAL; > + } > > work = asn1_encode_integer(work, end_work, options->keyhandle); > work = asn1_encode_octet_string(work, end_work, pub, pub_len); > @@ -79,8 +83,10 @@ static int tpm2_key_encode(struct trusted_key_payload *payload, > work1 = payload->blob; > work1 = asn1_encode_sequence(work1, work1 + sizeof(payload->blob), > scratch, work - scratch); > - if (WARN(IS_ERR(work1), "BUG: ASN.1 encoder failed")) > + if (WARN(IS_ERR(work1), "BUG: ASN.1 encoder failed")) { > + kfree(scratch); > return PTR_ERR(work1); > + } > > return work1 - payload->blob; > } -- Pengutronix e.K. | | Steuerwalder Str. 21 | http://www.pengutronix.de/ | 31137 Hildesheim, Germany | Phone: +49-5121-206917-0 | Amtsgericht Hildesheim, HRA 2686 | Fax: +49-5121-206917-5555 |