Message ID | 20211212135403.59724-1-niejianglei2021@163.com (mailing list archive) |
---|---|
State | New, archived |
Headers | show |
Series | security:trusted_tpm2: Fix memory leak in tpm2_key_encode() | expand |
On Sun, Dec 12, 2021 at 09:54:03PM +0800, Jianglei Nie wrote: > Line 36 (#1) allocates a memory chunk for scratch by kmalloc(), but > it is never freed through the function, which will lead to a memory > leak. > > We should kfree() scratch before the function returns (#2, #3 and #4). > > 31 static int tpm2_key_encode(struct trusted_key_payload *payload, > 32 struct trusted_key_options *options, > 33 u8 *src, u32 len) > 34 { > 36 u8 *scratch = kmalloc(SCRATCH_SIZE, GFP_KERNEL); > // #1: kmalloc space > 37 u8 *work = scratch, *work1; > 50 if (!scratch) > 51 return -ENOMEM; > > 56 if (options->blobauth_len == 0) { > 60 if (WARN(IS_ERR(w), "BUG: Boolean failed to encode")) > 61 return PTR_ERR(w); // #2: missing kfree > 63 } > > 71 if (WARN(work - scratch + pub_len + priv_len + 14 > SCRATCH_SIZE, > 72 "BUG: scratch buffer is too small")) > 73 return -EINVAL; // #3: missing kfree > > // #4: missing kfree: scratch is never used afterwards. > 82 if (WARN(IS_ERR(work1), "BUG: ASN.1 encoder failed")) > 83 return PTR_ERR(work1); > > 85 return work1 - payload->blob; > 86 } > > Signed-off-by: Jianglei Nie <niejianglei2021@163.com> I don't know that we need to keep the line by line recap in the full git log, but it def looks correct: Reviewed-by: Serge Hallyn <serge@hallyn.com> thanks, -serge > --- > security/keys/trusted-keys/trusted_tpm2.c | 9 +++++++-- > 1 file changed, 7 insertions(+), 2 deletions(-) > > diff --git a/security/keys/trusted-keys/trusted_tpm2.c b/security/keys/trusted-keys/trusted_tpm2.c > index 0165da386289..3408a74c855f 100644 > --- a/security/keys/trusted-keys/trusted_tpm2.c > +++ b/security/keys/trusted-keys/trusted_tpm2.c > @@ -57,8 +57,10 @@ static int tpm2_key_encode(struct trusted_key_payload *payload, > unsigned char bool[3], *w = bool; > /* tag 0 is emptyAuth */ > w = asn1_encode_boolean(w, w + sizeof(bool), true); > - if (WARN(IS_ERR(w), "BUG: Boolean failed to encode")) > + if (WARN(IS_ERR(w), "BUG: Boolean failed to encode")) { > + kfree(scratch); > return PTR_ERR(w); > + } > work = asn1_encode_tag(work, end_work, 0, bool, w - bool); > } > > @@ -69,9 +71,12 @@ static int tpm2_key_encode(struct trusted_key_payload *payload, > * trigger, so if it does there's something nefarious going on > */ > if (WARN(work - scratch + pub_len + priv_len + 14 > SCRATCH_SIZE, > - "BUG: scratch buffer is too small")) > + "BUG: scratch buffer is too small")) { > + kfree(scratch); > return -EINVAL; > + } > > + kfree(scratch); > work = asn1_encode_integer(work, end_work, options->keyhandle); > work = asn1_encode_octet_string(work, end_work, pub, pub_len); > work = asn1_encode_octet_string(work, end_work, priv, priv_len); > -- > 2.25.1
On Sun, Dec 12, 2021 at 09:54:03PM +0800, Jianglei Nie wrote: > Line 36 (#1) allocates a memory chunk for scratch by kmalloc(), but > it is never freed through the function, which will lead to a memory > leak. > through the function => in the implementation Also, "line 36" is a relative to something, right? What is it? /Jarkko
diff --git a/security/keys/trusted-keys/trusted_tpm2.c b/security/keys/trusted-keys/trusted_tpm2.c index 0165da386289..3408a74c855f 100644 --- a/security/keys/trusted-keys/trusted_tpm2.c +++ b/security/keys/trusted-keys/trusted_tpm2.c @@ -57,8 +57,10 @@ static int tpm2_key_encode(struct trusted_key_payload *payload, unsigned char bool[3], *w = bool; /* tag 0 is emptyAuth */ w = asn1_encode_boolean(w, w + sizeof(bool), true); - if (WARN(IS_ERR(w), "BUG: Boolean failed to encode")) + if (WARN(IS_ERR(w), "BUG: Boolean failed to encode")) { + kfree(scratch); return PTR_ERR(w); + } work = asn1_encode_tag(work, end_work, 0, bool, w - bool); } @@ -69,9 +71,12 @@ static int tpm2_key_encode(struct trusted_key_payload *payload, * trigger, so if it does there's something nefarious going on */ if (WARN(work - scratch + pub_len + priv_len + 14 > SCRATCH_SIZE, - "BUG: scratch buffer is too small")) + "BUG: scratch buffer is too small")) { + kfree(scratch); return -EINVAL; + } + kfree(scratch); work = asn1_encode_integer(work, end_work, options->keyhandle); work = asn1_encode_octet_string(work, end_work, pub, pub_len); work = asn1_encode_octet_string(work, end_work, priv, priv_len);
Line 36 (#1) allocates a memory chunk for scratch by kmalloc(), but it is never freed through the function, which will lead to a memory leak. We should kfree() scratch before the function returns (#2, #3 and #4). 31 static int tpm2_key_encode(struct trusted_key_payload *payload, 32 struct trusted_key_options *options, 33 u8 *src, u32 len) 34 { 36 u8 *scratch = kmalloc(SCRATCH_SIZE, GFP_KERNEL); // #1: kmalloc space 37 u8 *work = scratch, *work1; 50 if (!scratch) 51 return -ENOMEM; 56 if (options->blobauth_len == 0) { 60 if (WARN(IS_ERR(w), "BUG: Boolean failed to encode")) 61 return PTR_ERR(w); // #2: missing kfree 63 } 71 if (WARN(work - scratch + pub_len + priv_len + 14 > SCRATCH_SIZE, 72 "BUG: scratch buffer is too small")) 73 return -EINVAL; // #3: missing kfree // #4: missing kfree: scratch is never used afterwards. 82 if (WARN(IS_ERR(work1), "BUG: ASN.1 encoder failed")) 83 return PTR_ERR(work1); 85 return work1 - payload->blob; 86 } Signed-off-by: Jianglei Nie <niejianglei2021@163.com> --- security/keys/trusted-keys/trusted_tpm2.c | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-)