Re: platform/x86: Add Intel Software Defined Silicon driver

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

Hi,

On 2/24/22 23:25, Colin King (gmail) wrote:
> Hi,
> 
> Static analysis with clang scan has detected a potential issue in the following commit:
> 
> commit 2546c60004309ede8e2d1d5341e0decd90e057bf
> Author: David E. Box <david.e.box@xxxxxxxxxxxxxxx>
> Date:   Fri Feb 11 17:32:50 2022 -0800
> 
>     platform/x86: Add Intel Software Defined Silicon driver
> 
> The issue is as follows:
> 
> static int sdsi_mbox_read(struct sdsi_priv *priv, struct sdsi_mbox_info *info, size_t *data_size)
> {
>         int ret;
> 
>         lockdep_assert_held(&priv->mb_lock);
> 
>         ret = sdsi_mbox_acquire(priv, info);
>         if (ret)
>                 return ret;
> 
> Note: the return above does not assign a value to *data_size

And in this return ret != 0, so we have size==not-set, ret!=0

>         return sdsi_mbox_cmd_read(priv, info, data_size);
> }
> 
> 
> static long state_certificate_read(struct file *filp, struct kobject *kobj,
>                                    struct bin_attribute *attr, char *buf, loff_t off,
>                                    size_t count)
> {
>         struct device *dev = kobj_to_dev(kobj);
>         struct sdsi_priv *priv = dev_get_drvdata(dev);
>         u64 command = SDSI_CMD_READ_STATE;
>         struct sdsi_mbox_info info;
>         size_t size;
>                ^
> Note: size is not initialized
> 
>         int ret;
> 
>         if (!priv->sdsi_enabled)
>                 return -EPERM;
> 
>         if (off)
>                 return 0;
> 
>         /* Buffer for return data */
>         info.buffer = kmalloc(SDSI_SIZE_READ_MSG, GFP_KERNEL);
>         if (!info.buffer)
>                 return -ENOMEM;
> 
>         info.payload = &command;
>         info.size = sizeof(command);
> 
>         ret = mutex_lock_interruptible(&priv->mb_lock);
>         if (ret)
>                 goto free_buffer;
>         ret = sdsi_mbox_read(priv, &info, &size);
> 
> Note: a failure in scsi_mbox_read can lead to variable size not being assigned a value.

Right if that is true then the following still holds:

size==not-set, ret!=0

> 
>         mutex_unlock(&priv->mb_lock);
>         if (ret < 0)
>                 goto free_buffer;
> 
> Note: failure with ret < 0 going to free_buffer
> 
>         if (size > count)
>                 size = count;
> 
>         memcpy(buf, info.buffer, size);
> 
> free_buffer:
>         kfree(info.buffer);
> 
>         if (ret)
>                 return ret;

This is still valid here: size==not-set, ret!=0

so we hit the true path of the if and return ret, not size.

Regards,

Hans


> 
>         return size;
> 
> Note: uninitialized value in size being returned. This is an error.
> 
> }
>
[Index of Archives]     [Linux Kernel Development]     [Linux USB Devel]     [Video for Linux]     [Linux Audio Users]     [Yosemite News]     [Linux Kernel]     [Linux SCSI]

  Powered by Linux