| Message ID | 20240531021021.2233654-1-dev@hattorij.com |
|---|---|
| State | New |
| Series | tpm: tpm_crb: Call acpi_put_table() on firmware bug |
On Fri May 31, 2024 at 5:10 AM EEST, Joe Hattori wrote:
> In `crb_acpi_add()`, we call `acpi_get_table()` to retrieve the ACPI
> table entry. `acpi_put_table()` is called on the error path to avoid a
> memory leak, but the current implementation does not call
> `acpi_put_table()` when the `length` field of `struct acpi_table_header`
> is not valid, which leads to a memory leak. Although this memory leak
> only occurs when the firmware misconfigured the ACPI table, it would
> still be nice to have this fix.

1. Drop the hyphens.
2. Wouldn't it be memory corruption, and not a leak?
3. Why would ACPICA return corrupted data in this case?

BR, Jarkko
diff --git a/drivers/char/tpm/tpm_crb.c b/drivers/char/tpm/tpm_crb.c index ea085b14ab7c..68fe28208331 100644 --- a/drivers/char/tpm/tpm_crb.c +++ b/drivers/char/tpm/tpm_crb.c @@ -738,10 +738,14 @@ static int crb_acpi_add(struct acpi_device *device) status = acpi_get_table(ACPI_SIG_TPM2, 1, (struct acpi_table_header **) &buf); - if (ACPI_FAILURE(status) || buf->header.length < sizeof(*buf)) { + if (ACPI_FAILURE(status)) { dev_err(dev, FW_BUG "failed to get TPM2 ACPI table\n"); return -EINVAL; } + if (buf->header.length < sizeof(*buf)) { + rc = -EINVAL; + goto out; + } /* Should the FIFO driver handle this? */ sm = buf->start_method;
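Review bot: the new `if (buf->header.length < sizeof(*buf))` branch loses the `dev_err(dev, FW_BUG "failed to get TPM2 ACPI table\n")` diagnostic that the old combined condition emitted, so an undersized TPM2 table from firmware now fails with a silent -EINVAL. Keep a FW_BUG message in the new branch, for example `dev_err(dev, FW_BUG "TPM2 ACPI table too short\n");` before `goto out;`, so the misconfigured table is still reported in the log. The `out:` label and its `acpi_put_table()` call are not in this hunk, so the claim that the new path releases the table rests on code not shown; confirm that `out` is the same label the function's other error paths use and that `rc` is declared earlier in `crb_acpi_add()`.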
In `crb_acpi_add()`, we call `acpi_get_table()` to retrieve the ACPI table entry. `acpi_put_table()` is called on the error path to avoid a memory leak, but the current implementation does not call `acpi_put_table()` when the `length` field of `struct acpi_table_header` is not valid, which leads to a memory leak. Although this memory leak only occurs when the firmware misconfigured the ACPI table, it would still be nice to have this fix.

Signed-off-by: Joe Hattori <dev@hattorij.com>
---
 drivers/char/tpm/tpm_crb.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)