Message ID | 20240531021021.2233654-1-dev@hattorij.com (mailing list archive) |
---|---|
State | New, archived |
Headers | show |
Series | tpm: tpm_crb: Call acpi_put_table() on firmware bug | expand |
On Fri May 31, 2024 at 5:10 AM EEST, Joe Hattori wrote: > In `crb_acpi_add()`, we call `acpi_get_table()` to retrieve the ACPI > table entry. `acpi_put_table()` is called on the error path to avoid a > memory leak, but the current implementation does not call > `acpi_put_table()` when the `length` field of `struct acpi_table_header` > is not valid, which leads to a memory leak. Although this memory leak > only occurrs when the firmware misconfigured the ACPI table, it would > still be nice to have this fix. 1. Drop the hyphens. 2. Wouldn't it be memory corruption, and not a leak? 3. Why would ACPICA return corrupted data in this case? BR, Jarkko
diff --git a/drivers/char/tpm/tpm_crb.c b/drivers/char/tpm/tpm_crb.c index ea085b14ab7c..68fe28208331 100644 --- a/drivers/char/tpm/tpm_crb.c +++ b/drivers/char/tpm/tpm_crb.c @@ -738,10 +738,14 @@ static int crb_acpi_add(struct acpi_device *device) status = acpi_get_table(ACPI_SIG_TPM2, 1, (struct acpi_table_header **) &buf); - if (ACPI_FAILURE(status) || buf->header.length < sizeof(*buf)) { + if (ACPI_FAILURE(status)) { dev_err(dev, FW_BUG "failed to get TPM2 ACPI table\n"); return -EINVAL; } + if (buf->header.length < sizeof(*buf)) { + rc = -EINVAL; + goto out; + } /* Should the FIFO driver handle this? */ sm = buf->start_method;
In `crb_acpi_add()`, we call `acpi_get_table()` to retrieve the ACPI table entry. `acpi_put_table()` is called on the error path to avoid a memory leak, but the current implementation does not call `acpi_put_table()` when the `length` field of `struct acpi_table_header` is not valid, which leads to a memory leak. Although this memory leak only occurrs when the firmware misconfigured the ACPI table, it would still be nice to have this fix. Signed-off-by: Joe Hattori <dev@hattorij.com> --- drivers/char/tpm/tpm_crb.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-)