From: Jianglei Nie <niejianglei2021@163.com>
To: jejb@linux.ibm.com, jarkko@kernel.org, zohar@linux.ibm.com,
dhowells@redhat.com, jmorris@namei.org, serge@hallyn.com
Cc: linux-integrity@vger.kernel.org, keyrings@vger.kernel.org,
linux-security-module@vger.kernel.org,
linux-kernel@vger.kernel.org,
Jianglei Nie <niejianglei2021@163.com>
Subject: [PATCH] security:trusted_tpm2: Fix memory leak in tpm2_key_encode()
Date: Tue, 7 Jun 2022 15:46:50 +0800 [thread overview]
Message-ID: <20220607074650.432834-1-niejianglei2021@163.com> (raw)
The function allocates a memory chunk for scratch by kmalloc(), but
it is never freed through the function, which leads to a memory leak.
Handle those cases with kfree().
Signed-off-by: Jianglei Nie <niejianglei2021@163.com>
---
security/keys/trusted-keys/trusted_tpm2.c | 12 +++++++++---
1 file changed, 9 insertions(+), 3 deletions(-)
diff --git a/security/keys/trusted-keys/trusted_tpm2.c b/security/keys/trusted-keys/trusted_tpm2.c
index 0165da386289..dc9efd6c8b14 100644
--- a/security/keys/trusted-keys/trusted_tpm2.c
+++ b/security/keys/trusted-keys/trusted_tpm2.c
@@ -57,8 +57,10 @@ static int tpm2_key_encode(struct trusted_key_payload *payload,
unsigned char bool[3], *w = bool;
/* tag 0 is emptyAuth */
w = asn1_encode_boolean(w, w + sizeof(bool), true);
- if (WARN(IS_ERR(w), "BUG: Boolean failed to encode"))
+ if (WARN(IS_ERR(w), "BUG: Boolean failed to encode")) {
+ kfree(scratch);
return PTR_ERR(w);
+ }
work = asn1_encode_tag(work, end_work, 0, bool, w - bool);
}
@@ -69,8 +71,10 @@ static int tpm2_key_encode(struct trusted_key_payload *payload,
* trigger, so if it does there's something nefarious going on
*/
if (WARN(work - scratch + pub_len + priv_len + 14 > SCRATCH_SIZE,
- "BUG: scratch buffer is too small"))
+ "BUG: scratch buffer is too small")) {
+ kfree(scratch);
return -EINVAL;
+ }
work = asn1_encode_integer(work, end_work, options->keyhandle);
work = asn1_encode_octet_string(work, end_work, pub, pub_len);
@@ -79,8 +83,10 @@ static int tpm2_key_encode(struct trusted_key_payload *payload,
work1 = payload->blob;
work1 = asn1_encode_sequence(work1, work1 + sizeof(payload->blob),
scratch, work - scratch);
- if (WARN(IS_ERR(work1), "BUG: ASN.1 encoder failed"))
+ if (WARN(IS_ERR(work1), "BUG: ASN.1 encoder failed")) {
+ kfree(scratch);
return PTR_ERR(work1);
+ }
return work1 - payload->blob;
}
--
2.25.1
next reply other threads:[~2022-06-07 8:02 UTC|newest]
Thread overview: 12+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-06-07 7:46 Jianglei Nie [this message]
2022-06-07 8:34 ` [PATCH] security:trusted_tpm2: Fix memory leak in tpm2_key_encode() Ahmad Fatoum
2022-06-07 10:09 ` Jarkko Sakkinen
-- strict thread matches above, loose matches on Subject: below --
2022-06-08 2:59 Jianglei Nie
2022-06-08 8:00 ` Jarkko Sakkinen
2022-06-08 8:29 ` Ahmad Fatoum
2021-12-21 8:54 Jianglei Nie
2021-12-29 0:08 ` Jarkko Sakkinen
2021-12-12 13:54 Jianglei Nie
2021-12-12 21:21 ` Serge E. Hallyn
2021-12-21 8:33 ` Jarkko Sakkinen
2021-11-24 16:43 Jianglei Nie
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20220607074650.432834-1-niejianglei2021@163.com \
--to=niejianglei2021@163.com \
--cc=dhowells@redhat.com \
--cc=jarkko@kernel.org \
--cc=jejb@linux.ibm.com \
--cc=jmorris@namei.org \
--cc=keyrings@vger.kernel.org \
--cc=linux-integrity@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=serge@hallyn.com \
--cc=zohar@linux.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.