
tpm: tpm_crb: Call acpi_put_table() on firmware bug

Message ID 20240531021021.2233654-1-dev@hattorij.com (mailing list archive)
State New, archived
Series: tpm: tpm_crb: Call acpi_put_table() on firmware bug

Commit Message

Joe Hattori May 31, 2024, 2:10 a.m. UTC
In `crb_acpi_add()`, we call `acpi_get_table()` to retrieve the ACPI
table entry. `acpi_put_table()` is called on the error path to avoid a
memory leak, but the current implementation does not call
`acpi_put_table()` when the `length` field of `struct acpi_table_header`
is not valid, which leads to a memory leak. Although this memory leak
only occurs when the firmware misconfigured the ACPI table, it would
still be nice to have this fix.

Signed-off-by: Joe Hattori <dev@hattorij.com>
---
 drivers/char/tpm/tpm_crb.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

Comments

Jarkko Sakkinen June 4, 2024, 8:36 p.m. UTC | #1
On Fri May 31, 2024 at 5:10 AM EEST, Joe Hattori wrote:
> In `crb_acpi_add()`, we call `acpi_get_table()` to retrieve the ACPI
> table entry. `acpi_put_table()` is called on the error path to avoid a
> memory leak, but the current implementation does not call
> `acpi_put_table()` when the `length` field of `struct acpi_table_header`
> is not valid, which leads to a memory leak. Although this memory leak
> only occurs when the firmware misconfigured the ACPI table, it would
> still be nice to have this fix.

1. Drop the hyphens.
2. Wouldn't it be memory corruption, and not a leak?
3. Why would ACPICA return corrupted data in this case?

BR, Jarkko

Patch

diff --git a/drivers/char/tpm/tpm_crb.c b/drivers/char/tpm/tpm_crb.c
index ea085b14ab7c..68fe28208331 100644
--- a/drivers/char/tpm/tpm_crb.c
+++ b/drivers/char/tpm/tpm_crb.c
@@ -738,10 +738,14 @@  static int crb_acpi_add(struct acpi_device *device)
 
 	status = acpi_get_table(ACPI_SIG_TPM2, 1,
 				(struct acpi_table_header **) &buf);
-	if (ACPI_FAILURE(status) || buf->header.length < sizeof(*buf)) {
+	if (ACPI_FAILURE(status)) {
 		dev_err(dev, FW_BUG "failed to get TPM2 ACPI table\n");
 		return -EINVAL;
 	}
+	if (buf->header.length < sizeof(*buf)) {
+		rc = -EINVAL;
+		goto out;
+	}
 
 	/* Should the FIFO driver handle this? */
 	sm = buf->start_method;
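Review bot: the new `buf->header.length < sizeof(*buf)` branch leaves `crb_acpi_add()` via `goto out` without logging anything, so the `dev_err(dev, FW_BUG "failed to get TPM2 ACPI table\n")` message that previously covered this case is lost and a misconfigured table now fails silently with -EINVAL; since the commit message describes this as a firmware bug, keep a diagnostic before the jump, e.g. `dev_err(dev, FW_BUG "TPM2 ACPI table too short\n");`. The branch also depends on `rc` being declared and on an `out:` label later in the function that calls `acpi_put_table()` on `buf`; neither is visible in this hunk, so please confirm both exist, otherwise the leak the patch sets out to close is not actually closed on this path.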