mirror of
https://github.com/torvalds/linux.git
synced 2024-09-21 15:33:19 +00:00
Hi,
These are couple of bugs I found from trusted keys while working on a new asymmetric key type for TPM2 [1]. Both originate form v5.13. Memory leak is more crucial but I don't think it is either good idea if kernel throws WARN when ASN.1 parser fails, even if it is related to programming error, as it is not that mature code yet. There's at least two WARN's in that code but I picked just the one more likely to trigger. Planning to fix the other one too over time. BR, Jarkko [1] https://lore.kernel.org/linux-integrity/D1ERDC16XLUO.578U4ZE7VXW@kernel.org/T/#t -----BEGIN PGP SIGNATURE----- iJYEABYKAD4WIQRE6pSOnaBC00OEHEIaerohdGur0gUCZkvfBCAcamFya2tvLnNh a2tpbmVuQGxpbnV4LmludGVsLmNvbQAKCRAaerohdGur0mypAQDsbCs2LFnsfFSW UGlwwxUisQyzStrNx8n3L/1YdjLeDQD/Yxk4p6zsaQcfRSjZATRgtEKL1PJ/f8tQ Uibw1Fav0Qk= =uirQ -----END PGP SIGNATURE----- Merge tag 'keys-trusted-next-6.10-rc1-part2' of git://git.kernel.org/pub/scm/linux/kernel/git/jarkko/linux-tpmdd Pull trusted keys fixes from Jarkko Sakkinen: "These are two bugs I found from trusted keys while working on a new RSA key type for TPM2. Both originate form v5.13. The memory leak is more crucial but I don't think it is either good idea if kernel throws WARN when ASN.1 parser fails, even if it is related to programming error, as it is not that mature code yet. There's at least two WARN's in that code but I picked just the one more likely to trigger. Planning to fix the other one too over time" * tag 'keys-trusted-next-6.10-rc1-part2' of git://git.kernel.org/pub/scm/linux/kernel/git/jarkko/linux-tpmdd: KEYS: trusted: Do not use WARN when encode fails KEYS: trusted: Fix memory leak in tpm2_key_encode()
This commit is contained in:
commit
fa8151cabf
|
@ -38,6 +38,7 @@ static int tpm2_key_encode(struct trusted_key_payload *payload,
|
|||
u8 *end_work = scratch + SCRATCH_SIZE;
|
||||
u8 *priv, *pub;
|
||||
u16 priv_len, pub_len;
|
||||
int ret;
|
||||
|
||||
priv_len = get_unaligned_be16(src) + 2;
|
||||
priv = src;
|
||||
|
@ -57,8 +58,10 @@ static int tpm2_key_encode(struct trusted_key_payload *payload,
|
|||
unsigned char bool[3], *w = bool;
|
||||
/* tag 0 is emptyAuth */
|
||||
w = asn1_encode_boolean(w, w + sizeof(bool), true);
|
||||
if (WARN(IS_ERR(w), "BUG: Boolean failed to encode"))
|
||||
return PTR_ERR(w);
|
||||
if (WARN(IS_ERR(w), "BUG: Boolean failed to encode")) {
|
||||
ret = PTR_ERR(w);
|
||||
goto err;
|
||||
}
|
||||
work = asn1_encode_tag(work, end_work, 0, bool, w - bool);
|
||||
}
|
||||
|
||||
|
@ -69,8 +72,10 @@ static int tpm2_key_encode(struct trusted_key_payload *payload,
|
|||
* trigger, so if it does there's something nefarious going on
|
||||
*/
|
||||
if (WARN(work - scratch + pub_len + priv_len + 14 > SCRATCH_SIZE,
|
||||
"BUG: scratch buffer is too small"))
|
||||
return -EINVAL;
|
||||
"BUG: scratch buffer is too small")) {
|
||||
ret = -EINVAL;
|
||||
goto err;
|
||||
}
|
||||
|
||||
work = asn1_encode_integer(work, end_work, options->keyhandle);
|
||||
work = asn1_encode_octet_string(work, end_work, pub, pub_len);
|
||||
|
@ -79,10 +84,18 @@ static int tpm2_key_encode(struct trusted_key_payload *payload,
|
|||
work1 = payload->blob;
|
||||
work1 = asn1_encode_sequence(work1, work1 + sizeof(payload->blob),
|
||||
scratch, work - scratch);
|
||||
if (WARN(IS_ERR(work1), "BUG: ASN.1 encoder failed"))
|
||||
return PTR_ERR(work1);
|
||||
if (IS_ERR(work1)) {
|
||||
ret = PTR_ERR(work1);
|
||||
pr_err("BUG: ASN.1 encoder failed with %d\n", ret);
|
||||
goto err;
|
||||
}
|
||||
|
||||
kfree(scratch);
|
||||
return work1 - payload->blob;
|
||||
|
||||
err:
|
||||
kfree(scratch);
|
||||
return ret;
|
||||
}
|
||||
|
||||
struct tpm2_key_context {
|
||||
|
|
Loading…
Reference in New Issue
Block a user