kernel-janitors.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
* Re: [PATCH] platform/x86/amd/pmf: Use memdup_user()
       [not found] <20240508094628.308221-2-thorsten.blum@toblux.com>
@ 2024-05-10 11:12 ` Markus Elfring
  2024-05-27  8:36   ` [PATCH v2] " Thorsten Blum
  0 siblings, 1 reply; 6+ messages in thread
From: Markus Elfring @ 2024-05-10 11:12 UTC (permalink / raw)
  To: Thorsten Blum, platform-driver-x86, kernel-janitors,
	Hans de Goede, Ilpo Järvinen, Shyam Sundar S K
  Cc: LKML

…
> Fixes the following Coccinelle/coccicheck warning …

Would a corresponding imperative wording be more desirable for such a change description?
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/Documentation/process/submitting-patches.rst?h=v6.9-rc7#n94

Regards,
Markus

^ permalink raw reply	[flat|nested] 6+ messages in thread
* [PATCH v2] platform/x86/amd/pmf: Use memdup_user()
  2024-05-10 11:12 ` [PATCH] platform/x86/amd/pmf: Use memdup_user() Markus Elfring
@ 2024-05-27  8:36   ` Thorsten Blum
  2024-05-27 10:15     ` Ilpo Järvinen
  2024-05-27 10:38     ` Dan Carpenter
  0 siblings, 2 replies; 6+ messages in thread
From: Thorsten Blum @ 2024-05-27  8:36 UTC (permalink / raw)
  To: markus.elfring
  Cc: Shyam-sundar.S-k, hdegoede, ilpo.jarvinen, kernel-janitors,
	linux-kernel, platform-driver-x86, thorsten.blum

Switch to memdup_user() to overwrite the allocated memory only once
instead of initializing the allocated memory to zero with kzalloc() and
then immediately overwriting it with copy_from_user().

Fix the following Coccinelle/coccicheck warning reported by
memdup_user.cocci:

	WARNING opportunity for memdup_user

Signed-off-by: Thorsten Blum <thorsten.blum@toblux.com>
---
Changes in v2:
- Update patch description after feedback from Markus Elfring
---
 drivers/platform/x86/amd/pmf/tee-if.c | 11 +++--------
 1 file changed, 3 insertions(+), 8 deletions(-)

diff --git a/drivers/platform/x86/amd/pmf/tee-if.c b/drivers/platform/x86/amd/pmf/tee-if.c
index b438de4d6bfc..1b53cabc9aa2 100644
--- a/drivers/platform/x86/amd/pmf/tee-if.c
+++ b/drivers/platform/x86/amd/pmf/tee-if.c
@@ -301,14 +301,9 @@ static ssize_t amd_pmf_get_pb_data(struct file *filp, const char __user *buf,
 		return -EINVAL;
 
 	/* re-alloc to the new buffer length of the policy binary */
-	new_policy_buf = kzalloc(length, GFP_KERNEL);
-	if (!new_policy_buf)
-		return -ENOMEM;
-
-	if (copy_from_user(new_policy_buf, buf, length)) {
-		kfree(new_policy_buf);
-		return -EFAULT;
-	}
+	new_policy_buf = memdup_user(buf, length);
+	if (IS_ERR(new_policy_buf))
+		return PTR_ERR(new_policy_buf);
 
 	kfree(dev->policy_buf);
 	dev->policy_buf = new_policy_buf;
-- 
2.45.1


^ permalink raw reply related	[flat|nested] 6+ messages in thread
* Re: [PATCH v2] platform/x86/amd/pmf: Use memdup_user()
  2024-05-27  8:36   ` [PATCH v2] " Thorsten Blum
@ 2024-05-27 10:15     ` Ilpo Järvinen
  2024-05-27 10:38     ` Dan Carpenter
  1 sibling, 0 replies; 6+ messages in thread
From: Ilpo Järvinen @ 2024-05-27 10:15 UTC (permalink / raw)
  To: markus.elfring, Thorsten Blum
  Cc: Shyam-sundar.S-k, hdegoede, kernel-janitors, linux-kernel,
	platform-driver-x86

On Mon, 27 May 2024 10:36:29 +0200, Thorsten Blum wrote:

> Switch to memdup_user() to overwrite the allocated memory only once
> instead of initializing the allocated memory to zero with kzalloc() and
> then immediately overwriting it with copy_from_user().
> 
> Fix the following Coccinelle/coccicheck warning reported by
> memdup_user.cocci:
> 
> [...]


Thank you for your contribution, it has been applied to my local
review-ilpo branch. Note it will show up in the public
platform-drivers-x86/review-ilpo branch only once I've pushed my
local branch there, which might take a while.

The list of commits applied:
[1/1] platform/x86/amd/pmf: Use memdup_user()
      commit: 46de513068f956b76d68d241a7ad6bc5576d2948

--
 i.


^ permalink raw reply	[flat|nested] 6+ messages in thread
* Re: [PATCH v2] platform/x86/amd/pmf: Use memdup_user()
  2024-05-27  8:36   ` [PATCH v2] " Thorsten Blum
  2024-05-27 10:15     ` Ilpo Järvinen
@ 2024-05-27 10:38     ` Dan Carpenter
  2024-05-30 14:15       ` Thorsten Blum
  1 sibling, 1 reply; 6+ messages in thread
From: Dan Carpenter @ 2024-05-27 10:38 UTC (permalink / raw)
  To: Thorsten Blum
  Cc: markus.elfring, Shyam-sundar.S-k, hdegoede, ilpo.jarvinen,
	kernel-janitors, linux-kernel, platform-driver-x86

On Mon, May 27, 2024 at 10:36:29AM +0200, Thorsten Blum wrote:
> Switch to memdup_user() to overwrite the allocated memory only once
> instead of initializing the allocated memory to zero with kzalloc() and
> then immediately overwriting it with copy_from_user().
> 
> Fix the following Coccinelle/coccicheck warning reported by
> memdup_user.cocci:
> 
> 	WARNING opportunity for memdup_user
> 
> Signed-off-by: Thorsten Blum <thorsten.blum@toblux.com>
> ---
> Changes in v2:
> - Update patch description after feedback from Markus Elfring

Markus always CC's kernel-janitors even though I have asked him not to.
:(

> ---
>  drivers/platform/x86/amd/pmf/tee-if.c | 11 +++--------
>  1 file changed, 3 insertions(+), 8 deletions(-)
> 
> diff --git a/drivers/platform/x86/amd/pmf/tee-if.c b/drivers/platform/x86/amd/pmf/tee-if.c
> index b438de4d6bfc..1b53cabc9aa2 100644
> --- a/drivers/platform/x86/amd/pmf/tee-if.c
> +++ b/drivers/platform/x86/amd/pmf/tee-if.c
> @@ -301,14 +301,9 @@ static ssize_t amd_pmf_get_pb_data(struct file *filp, const char __user *buf,
>  		return -EINVAL;

This -EINVAL check could be made stricter.  Instead of checking for
zero it could check for the limit from amd_pmf_start_policy_engine():

	if (dev->policy_sz < POLICY_COOKIE_OFFSET + sizeof(*header))
		return -EINVAL;

Also this check isn't great:

	if (dev->policy_sz < header->length + 512)

header->length is a u32 that comes from the user, so the addition can
overflow.  I can't immediately see how to exploit this though since we
don't seem to use header->length after this (by itself).

regards,
dan carpenter


^ permalink raw reply	[flat|nested] 6+ messages in thread
* Re: [PATCH v2] platform/x86/amd/pmf: Use memdup_user()
  2024-05-27 10:38     ` Dan Carpenter
@ 2024-05-30 14:15       ` Thorsten Blum
  2024-05-30 19:28         ` Dan Carpenter
  0 siblings, 1 reply; 6+ messages in thread
From: Thorsten Blum @ 2024-05-30 14:15 UTC (permalink / raw)
  To: Dan Carpenter
  Cc: markus.elfring, Shyam-sundar.S-k, hdegoede, ilpo.jarvinen,
	kernel-janitors, linux-kernel, platform-driver-x86

Hi Dan,

On 27. May 2024, at 12:38, Dan Carpenter <dan.carpenter@linaro.org> wrote:
> Also this check isn't great:
> 
> if (dev->policy_sz < header->length + 512)
> 
> header->length is a u32 that comes from the user, so the addition can
> overflow.  I can't immediately see how to exploit this though since we
> don't seem to use header->length after this (by itself).

How about

	if (header->length > U32_MAX - 512 || dev->policy_sz < header->length + 512)
		return -EINVAL;

to prevent a possible overflow?

header->length is used in the next line

	dev->policy_sz = header->length + 512;

and if the addition overflows, we end up setting dev->policy_sz to an 
invalid value.

Thanks,
Thorsten

^ permalink raw reply	[flat|nested] 6+ messages in thread
* Re: [PATCH v2] platform/x86/amd/pmf: Use memdup_user()
  2024-05-30 14:15       ` Thorsten Blum
@ 2024-05-30 19:28         ` Dan Carpenter
  0 siblings, 0 replies; 6+ messages in thread
From: Dan Carpenter @ 2024-05-30 19:28 UTC (permalink / raw)
  To: Thorsten Blum
  Cc: markus.elfring, Shyam-sundar.S-k, hdegoede, ilpo.jarvinen,
	kernel-janitors, linux-kernel, platform-driver-x86

On Thu, May 30, 2024 at 04:15:51PM +0200, Thorsten Blum wrote:
> Hi Dan,
> 
> On 27. May 2024, at 12:38, Dan Carpenter <dan.carpenter@linaro.org> wrote:
> > Also this check isn't great:
> > 
> > if (dev->policy_sz < header->length + 512)
> > 
> > header->length is a u32 that comes from the user, so the addition can
> > overflow.  I can't immediately see how to exploit this though since we
> > don't seem to use header->length after this (by itself).
> 
> How about
> 
> 	if (header->length > U32_MAX - 512 || dev->policy_sz < header->length + 512)
> 		return -EINVAL;
> 
> to prevent a possible overflow?

I've been thinking about this and actually we could do something simpler:

	if (dev->policy_sz < size_add(header->length, 512)) {

> 
> header->length is used in the next line
> 
> 	dev->policy_sz = header->length + 512;

Yeah, but it's not used by itself.  The "header->length + 512" has been
verified as a valid value whether it overflows or not.  Only
"header->length" is wrong.

> 
> and if the addition overflows, we end up setting dev->policy_sz to an 
> invalid value.

regards,
dan carpenter


^ permalink raw reply	[flat|nested] 6+ messages in thread
end of thread, other threads:[~2024-05-30 19:28 UTC | newest]

Thread overview: 6+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
     [not found] <20240508094628.308221-2-thorsten.blum@toblux.com>
2024-05-10 11:12 ` [PATCH] platform/x86/amd/pmf: Use memdup_user() Markus Elfring
2024-05-27  8:36   ` [PATCH v2] " Thorsten Blum
2024-05-27 10:15     ` Ilpo Järvinen
2024-05-27 10:38     ` Dan Carpenter
2024-05-30 14:15       ` Thorsten Blum
2024-05-30 19:28         ` Dan Carpenter

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).