[PATCH] TPM: Avoid reference to potentially freed memory

[PATCH] TPM: Avoid reference to potentially freed memory

[Christophe JAILLET]

Reference to the 'np' node is dropped before dereferencing the 'sizep' and
'basep' pointers, which could by then point to junk if the node has been
freed.

Refactor code to call 'of_node_pup' later.

Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
---
 drivers/char/tpm/tpm_of.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/drivers/char/tpm/tpm_of.c b/drivers/char/tpm/tpm_of.c
index 1141456..570f30c 100644
--- a/drivers/char/tpm/tpm_of.c
+++ b/drivers/char/tpm/tpm_of.c
@@ -53,17 +53,18 @@ int read_log(struct tpm_bios_log *log)
 		goto cleanup_eio;
 	}
 
-	of_node_put(np);
 	log->bios_event_log = kmalloc(*sizep, GFP_KERNEL);
 	if (!log->bios_event_log) {
 		pr_err("%s: ERROR - Not enough memory for BIOS measurements\n",
 		       __func__);
+		of_node_put(np);
 		return -ENOMEM;
 	}
 
 	log->bios_event_log_end = log->bios_event_log + *sizep;
 
 	memcpy(log->bios_event_log, __va(*basep), *sizep);
+	of_node_put(np);
 
 	return 0;
 
-- 
2.1.4

Re: [PATCH] TPM: Avoid reference to potentially freed memory

[Jarkko Sakkinen]

On Thu, Oct 22, 2015 at 10:32:41PM +0200, Christophe JAILLET wrote:
> Reference to the 'np' node is dropped before dereferencing the 'sizep' and
> 'basep' pointers, which could by then point to junk if the node has been
> freed.
> 
> Refactor code to call 'of_node_pup' later.
> 
> Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>

LGTM.

Reviewed-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>

> ---
>  drivers/char/tpm/tpm_of.c | 3 ++-
>  1 file changed, 2 insertions(+), 1 deletion(-)
> 
> diff --git a/drivers/char/tpm/tpm_of.c b/drivers/char/tpm/tpm_of.c
> index 1141456..570f30c 100644
> --- a/drivers/char/tpm/tpm_of.c
> +++ b/drivers/char/tpm/tpm_of.c
> @@ -53,17 +53,18 @@ int read_log(struct tpm_bios_log *log)
>  		goto cleanup_eio;
>  	}
>  
> -	of_node_put(np);
>  	log->bios_event_log = kmalloc(*sizep, GFP_KERNEL);
>  	if (!log->bios_event_log) {
>  		pr_err("%s: ERROR - Not enough memory for BIOS measurements\n",
>  		       __func__);
> +		of_node_put(np);
>  		return -ENOMEM;
>  	}
>  
>  	log->bios_event_log_end = log->bios_event_log + *sizep;
>  
>  	memcpy(log->bios_event_log, __va(*basep), *sizep);
> +	of_node_put(np);
>  
>  	return 0;
>  
> -- 
> 2.1.4
> 

/Jarkko

Re: [tpmdd-devel] [PATCH] TPM: Avoid reference to potentially freed memory

[Jarkko Sakkinen]

On Fri, Oct 23, 2015 at 10:37:33AM +0300, Jarkko Sakkinen wrote:
> On Thu, Oct 22, 2015 at 10:32:41PM +0200, Christophe JAILLET wrote:
> > Reference to the 'np' node is dropped before dereferencing the 'sizep' and
> > 'basep' pointers, which could by then point to junk if the node has been
> > freed.
> > 
> > Refactor code to call 'of_node_pup' later.
> > 
> > Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
> 
> LGTM.

Is there anyone able to provide Tested-by for this?

Christophe, were you able to reproduce the crash (insmod/rmmod couple
of times maybe?) and validate that it was gone after fixing the bug?

> Reviewed-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>

/Jarkko

Re: [tpmdd-devel] [PATCH] TPM: Avoid reference to potentially freed memory

[Marion & Christophe JAILLET]

Le 27/10/2015 11:27, Jarkko Sakkinen a écrit :
> On Fri, Oct 23, 2015 at 10:37:33AM +0300, Jarkko Sakkinen wrote:
>> On Thu, Oct 22, 2015 at 10:32:41PM +0200, Christophe JAILLET wrote:
>>> Reference to the 'np' node is dropped before dereferencing the 'sizep' and
>>> 'basep' pointers, which could by then point to junk if the node has been
>>> freed.
>>>
>>> Refactor code to call 'of_node_pup' later.
>>>
>>> Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
>> LGTM.
> Is there anyone able to provide Tested-by for this?
>
> Christophe, were you able to reproduce the crash (insmod/rmmod couple
> of times maybe?) and validate that it was gone after fixing the bug?

Hi,
no, I never triggered the bug.
This is just something noticed while looking at potential issues related 
to incorrect use of 'of_node_pup'.
I only compile tested the patch.

Best regards,
CJ

>
>> Reviewed-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
> /Jarkko
>

Re: [tpmdd-devel] [PATCH] TPM: Avoid reference to potentially freed memory

[Jarkko Sakkinen]

On Thu, Oct 29, 2015 at 07:12:01AM +0100, Marion & Christophe JAILLET wrote:
> 
> 
> Le 27/10/2015 11:27, Jarkko Sakkinen a écrit :
> >On Fri, Oct 23, 2015 at 10:37:33AM +0300, Jarkko Sakkinen wrote:
> >>On Thu, Oct 22, 2015 at 10:32:41PM +0200, Christophe JAILLET wrote:
> >>>Reference to the 'np' node is dropped before dereferencing the 'sizep' and
> >>>'basep' pointers, which could by then point to junk if the node has been
> >>>freed.
> >>>
> >>>Refactor code to call 'of_node_pup' later.
> >>>
> >>>Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
> >>LGTM.
> >Is there anyone able to provide Tested-by for this?
> >
> >Christophe, were you able to reproduce the crash (insmod/rmmod couple
> >of times maybe?) and validate that it was gone after fixing the bug?
> 
> Hi,
> no, I never triggered the bug.
> This is just something noticed while looking at potential issues related to
> incorrect use of 'of_node_pup'.
> I only compile tested the patch.

The fix is so obvious that I see no reason not to include it. Thanks for
the good work.

> Best regards,
> CJ

/Jarkko

Re: [tpmdd-devel] [PATCH] TPM: Avoid reference to potentially freed memory

[Jarkko Sakkinen]

On Thu, Oct 29, 2015 at 12:48:44PM +0200, Jarkko Sakkinen wrote:
> On Thu, Oct 29, 2015 at 07:12:01AM +0100, Marion & Christophe JAILLET wrote:
> > 
> > 
> > Le 27/10/2015 11:27, Jarkko Sakkinen a écrit :
> > >On Fri, Oct 23, 2015 at 10:37:33AM +0300, Jarkko Sakkinen wrote:
> > >>On Thu, Oct 22, 2015 at 10:32:41PM +0200, Christophe JAILLET wrote:
> > >>>Reference to the 'np' node is dropped before dereferencing the 'sizep' and
> > >>>'basep' pointers, which could by then point to junk if the node has been
> > >>>freed.
> > >>>
> > >>>Refactor code to call 'of_node_pup' later.
> > >>>
> > >>>Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
> > >>LGTM.
> > >Is there anyone able to provide Tested-by for this?
> > >
> > >Christophe, were you able to reproduce the crash (insmod/rmmod couple
> > >of times maybe?) and validate that it was gone after fixing the bug?
> > 
> > Hi,
> > no, I never triggered the bug.
> > This is just something noticed while looking at potential issues related to
> > incorrect use of 'of_node_pup'.
> > I only compile tested the patch.
> 
> The fix is so obvious that I see no reason not to include it. Thanks for
> the good work.

I'm getting

$ git am ~/tmp/of-fix.patch 
Applying: TPM: Avoid reference to potentially freed memory
error: patch failed: drivers/char/tpm/tpm_of.c:53
error: drivers/char/tpm/tpm_of.c: patch does not apply
Patch failed at 0001 TPM: Avoid reference to potentially freed memory
The copy of the patch that failed is found in:
   /home/jsakkine/projects/tpm2/git/linux-tpmdd/.git/rebase-apply/patch
   When you have resolved this problem, run "git am --continue".
   If you prefer to skip this patch, run "git am --skip" instead.
   To restore the original branch and stop patching, run "git am
   --abort".

I'm applying this against Linus tree (4.3-rc7).

/Jarkko