| Message ID | 20220722082125.2526529-1-niejianglei2021@163.com (mailing list archive) |
|---|---|
| State | Handled Elsewhere |
| Headers | show |
| Series | [v3] KEYS: trusted: Fix memory leak in tpm2_key_encode() | expand |
On Fri, Jul 22, 2022 at 04:21:25PM +0800, Jianglei Nie wrote: > tpm2_key_encode() allocates a memory chunk from scratch with kmalloc(), > but it is never freed, which leads to a memory leak. Free the memory > chunk with kfree() in the return path. > > Fixes: f2219745250f ("security: keys: trusted: use ASN.1 TPM2 key format for the blobs") > Signed-off-by: Jianglei Nie <niejianglei2021@163.com> > --- The change log is missing. I have no idea what happened in v2 and v3. > security/keys/trusted-keys/trusted_tpm2.c | 33 ++++++++++++++++------- > 1 file changed, 23 insertions(+), 10 deletions(-) > > diff --git a/security/keys/trusted-keys/trusted_tpm2.c b/security/keys/trusted-keys/trusted_tpm2.c > index 2b2c8eb258d5..eb25c784b5c3 100644 > --- a/security/keys/trusted-keys/trusted_tpm2.c > +++ b/security/keys/trusted-keys/trusted_tpm2.c > @@ -32,8 +32,13 @@ static int tpm2_key_encode(struct trusted_key_payload *payload, > struct trusted_key_options *options, > u8 *src, u32 len) > { > + int ret; > const int SCRATCH_SIZE = PAGE_SIZE; > - u8 *scratch = kmalloc(SCRATCH_SIZE, GFP_KERNEL); > + u8 *scratch; > + > + scratch = kmalloc(SCRATCH_SIZE, GFP_KERNEL); > + if (!scratch) > + return -ENOMEM; > u8 *work = scratch, *work1; > u8 *end_work = scratch + SCRATCH_SIZE; > u8 *priv, *pub; > @@ -47,9 +52,6 @@ static int tpm2_key_encode(struct trusted_key_payload *payload, > pub_len = get_unaligned_be16(src) + 2; > pub = src; > > - if (!scratch) > - return -ENOMEM; > - > work = asn1_encode_oid(work, end_work, tpm2key_oid, > asn1_oid_len(tpm2key_oid)); > > @@ -57,8 +59,10 @@ static int tpm2_key_encode(struct trusted_key_payload *payload, > unsigned char bool[3], *w = bool; > /* tag 0 is emptyAuth */ > w = asn1_encode_boolean(w, w + sizeof(bool), true); > - if (WARN(IS_ERR(w), "BUG: Boolean failed to encode")) > - return PTR_ERR(w); > + if (WARN(IS_ERR(w), "BUG: Boolean failed to encode")) { > + ret = PTR_ERR(w); > + goto err; > + } > work = asn1_encode_tag(work, end_work, 0, bool, w - bool); > } > > @@ -69,8 +73,10 @@ static int tpm2_key_encode(struct trusted_key_payload *payload, > * trigger, so if it does there's something nefarious going on > */ > if (WARN(work - scratch + pub_len + priv_len + 14 > SCRATCH_SIZE, > - "BUG: scratch buffer is too small")) > - return -EINVAL; > + "BUG: scratch buffer is too small")) { > + ret = -EINVAL; > + goto err; > + } > > work = asn1_encode_integer(work, end_work, options->keyhandle); > work = asn1_encode_octet_string(work, end_work, pub, pub_len); > @@ -79,10 +85,17 @@ static int tpm2_key_encode(struct trusted_key_payload *payload, > work1 = payload->blob; > work1 = asn1_encode_sequence(work1, work1 + sizeof(payload->blob), > scratch, work - scratch); > - if (WARN(IS_ERR(work1), "BUG: ASN.1 encoder failed")) > - return PTR_ERR(work1); > + if (WARN(IS_ERR(work1), "BUG: ASN.1 encoder failed")) { > + ret = PTR_ERR(work1); > + goto err; > + } > > + kfree(scratch); > return work1 - payload->blob; > + > +err: > + kfree(scratch); > + return ret; > } > > struct tpm2_key_context { > -- > 2.25.1 > BR, Jarkko
diff --git a/security/keys/trusted-keys/trusted_tpm2.c b/security/keys/trusted-keys/trusted_tpm2.c index 2b2c8eb258d5..eb25c784b5c3 100644 --- a/security/keys/trusted-keys/trusted_tpm2.c +++ b/security/keys/trusted-keys/trusted_tpm2.c @@ -32,8 +32,13 @@ static int tpm2_key_encode(struct trusted_key_payload *payload, struct trusted_key_options *options, u8 *src, u32 len) { + int ret; const int SCRATCH_SIZE = PAGE_SIZE; - u8 *scratch = kmalloc(SCRATCH_SIZE, GFP_KERNEL); + u8 *scratch; + + scratch = kmalloc(SCRATCH_SIZE, GFP_KERNEL); + if (!scratch) + return -ENOMEM; u8 *work = scratch, *work1; u8 *end_work = scratch + SCRATCH_SIZE; u8 *priv, *pub; @@ -47,9 +52,6 @@ static int tpm2_key_encode(struct trusted_key_payload *payload, pub_len = get_unaligned_be16(src) + 2; pub = src; - if (!scratch) - return -ENOMEM; - work = asn1_encode_oid(work, end_work, tpm2key_oid, asn1_oid_len(tpm2key_oid)); @@ -57,8 +59,10 @@ static int tpm2_key_encode(struct trusted_key_payload *payload, unsigned char bool[3], *w = bool; /* tag 0 is emptyAuth */ w = asn1_encode_boolean(w, w + sizeof(bool), true); - if (WARN(IS_ERR(w), "BUG: Boolean failed to encode")) - return PTR_ERR(w); + if (WARN(IS_ERR(w), "BUG: Boolean failed to encode")) { + ret = PTR_ERR(w); + goto err; + } work = asn1_encode_tag(work, end_work, 0, bool, w - bool); } @@ -69,8 +73,10 @@ static int tpm2_key_encode(struct trusted_key_payload *payload, * trigger, so if it does there's something nefarious going on */ if (WARN(work - scratch + pub_len + priv_len + 14 > SCRATCH_SIZE, - "BUG: scratch buffer is too small")) - return -EINVAL; + "BUG: scratch buffer is too small")) { + ret = -EINVAL; + goto err; + } work = asn1_encode_integer(work, end_work, options->keyhandle); work = asn1_encode_octet_string(work, end_work, pub, pub_len); @@ -79,10 +85,17 @@ static int tpm2_key_encode(struct trusted_key_payload *payload, work1 = payload->blob; work1 = asn1_encode_sequence(work1, work1 + sizeof(payload->blob), scratch, work - scratch); - if (WARN(IS_ERR(work1), "BUG: ASN.1 encoder failed")) - return PTR_ERR(work1); + if (WARN(IS_ERR(work1), "BUG: ASN.1 encoder failed")) { + ret = PTR_ERR(work1); + goto err; + } + kfree(scratch); return work1 - payload->blob; + +err: + kfree(scratch); + return ret; } struct tpm2_key_context {
tpm2_key_encode() allocates a memory chunk from scratch with kmalloc(), but it is never freed, which leads to a memory leak. Free the memory chunk with kfree() in the return path. Fixes: f2219745250f ("security: keys: trusted: use ASN.1 TPM2 key format for the blobs") Signed-off-by: Jianglei Nie <niejianglei2021@163.com> --- security/keys/trusted-keys/trusted_tpm2.c | 33 ++++++++++++++++------- 1 file changed, 23 insertions(+), 10 deletions(-)