Date: Fri, 11 Feb 2022 22:00:15 -0000
From: "tip-bot2 for Reinette Chatre"
Sender: tip-bot2@linutronix.de
Reply-to: linux-kernel@vger.kernel.org
To: linux-tip-commits@vger.kernel.org
Subject: [tip: x86/sgx] selftests/sgx: Fix NULL-pointer-dereference upon early test failure
Cc: Reinette Chatre, Dave Hansen, Shuah Khan, x86@kernel.org, linux-kernel@vger.kernel.org
In-Reply-To: <90a31dfd640ea756fa324712e7cbab4a90fa7518.1644355600.git.reinette.chatre@intel.com>
References: <90a31dfd640ea756fa324712e7cbab4a90fa7518.1644355600.git.reinette.chatre@intel.com>
MIME-Version: 1.0
Message-ID: <164461681510.16921.7342982385624280943.tip-bot2@tip-bot2>
Robot-Unsubscribe: Contact to get blacklisted from these emails
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org

The following commit has been merged into the x86/sgx branch of tip:

Commit-ID:     2d03861e0d1d1ee81efc59338101cdd86a7474f6
Gitweb:        https://git.kernel.org/tip/2d03861e0d1d1ee81efc59338101cdd86a7474f6
Author:        Reinette Chatre
AuthorDate:    Tue, 08 Feb 2022 13:48:39 -08:00
Committer:     Dave Hansen
CommitterDate: Fri, 11 Feb 2022 13:52:47 -08:00

selftests/sgx: Fix NULL-pointer-dereference upon early test failure

== Background ==

The SGX selftests track parts of the enclave binaries in an array: encl->segment_tbl[]. That array is dynamically allocated early (but not first) in the test's lifetime. The array is referenced at the end of the test in encl_delete().

== Problem ==

encl->segment_tbl[] can be NULL if the test fails before its allocation. That leads to a NULL-pointer-dereference in encl_delete(). This is triggered during early failures of the selftest like if the enclave binary ("test_encl.elf") is deleted.

== Solution ==

Ensure encl->segment_tbl[] is valid before attempting to access its members.
The offset with which it is accessed, encl->nr_segments, is initialized before encl->segment_tbl[] and thus considered valid to use after the encl->segment_tbl[] check succeeds.

Fixes: 3200505d4de6 ("selftests/sgx: Create a heap for the test enclave")
Signed-off-by: Reinette Chatre
Signed-off-by: Dave Hansen
Acked-by: Shuah Khan
Link: https://lkml.kernel.org/r/90a31dfd640ea756fa324712e7cbab4a90fa7518.1644355600.git.reinette.chatre@intel.com

--- tools/testing/selftests/sgx/load.c | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/tools/testing/selftests/sgx/load.c b/tools/testing/selftests/s= gx/load.c index 9d4322c..006b464 100644 --- a/tools/testing/selftests/sgx/load.c +++ b/tools/testing/selftests/sgx/load.c @@ -21,7 +21,7 @@ =20 void encl_delete(struct encl *encl) { - struct encl_segment *heap_seg =3D &encl->segment_tbl[encl->nr_segments - = 1]; + struct encl_segment *heap_seg; =20 if (encl->encl_base) munmap((void *)encl->encl_base, encl->encl_size); @@ -32,10 +32,11 @@ void encl_delete(struct encl *encl) if (encl->fd) close(encl->fd); =20 - munmap(heap_seg->src, heap_seg->size); - - if (encl->segment_tbl) + if (encl->segment_tbl) { + heap_seg =3D &encl->segment_tbl[encl->nr_segments - 1]; + munmap(heap_seg->src, heap_seg->size); free(encl->segment_tbl); + } =20 memset(encl, 0, sizeof(*encl)); }
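
Review bot: in the first hunk (@@ -21,7 +21,7 @@), heap_seg is now declared at the top of encl_delete() without an initializer, while its only use is inside the if (encl->segment_tbl) block added in the second hunk. Declaring it inside that block, or initializing it to NULL at the declaration, would narrow its scope and keep a later edit from dereferencing it outside the guard.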
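
Review bot: in the second hunk (@@ -32,10 +32,11 @@), the new if (encl->segment_tbl) guard covers the table pointer but not the index or the entry it selects. encl->segment_tbl[encl->nr_segments - 1] still indexes before the start of the table if nr_segments is 0, and munmap(heap_seg->src, heap_seg->size) is called on whatever the last entry holds. The commit message says nr_segments is initialized before segment_tbl, which settles the index only if it can never be zero once the table exists; and if a failure can occur between allocating the table and mapping the heap segment, the last entry's src and size are passed to munmap() unchecked. Suggest guarding with if (encl->segment_tbl && encl->nr_segments) and skipping the munmap() when heap_seg->src is NULL, or adding a comment that states why neither case can happen.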