[PATCH] KEYS: trusted: fix a couple error pointer dereferences

Serge E. Hallyn serge at hallyn.com
Wed Apr 14 14:07:34 UTC 2021 

On Wed, Apr 14, 2021 at 09:08:58AM +0300, Dan Carpenter wrote:
> If registering "reg_shm_out" fails, then it is an error pointer and the
> error handling will call tee_shm_free(reg_shm_out) which leads to an
> error pointer dereference and an Oops.
> 
> I've re-arranged it so we only free things that have been allocated
> successfully.
> 
> Fixes: 6dd95e650c8a ("KEYS: trusted: Introduce TEE based Trusted Keys")
> Signed-off-by: Dan Carpenter <dan.carpenter at oracle.com>
> ---
>  security/keys/trusted-keys/trusted_tee.c | 24 ++++++++++--------------
>  1 file changed, 10 insertions(+), 14 deletions(-)
> 
> diff --git a/security/keys/trusted-keys/trusted_tee.c b/security/keys/trusted-keys/trusted_tee.c
> index 2ce66c199e1d..45f96f6ed673 100644
> --- a/security/keys/trusted-keys/trusted_tee.c
> +++ b/security/keys/trusted-keys/trusted_tee.c
> @@ -65,7 +65,7 @@ static int trusted_tee_seal(struct trusted_key_payload *p, char *datablob)
>  	int ret;
>  	struct tee_ioctl_invoke_arg inv_arg;
>  	struct tee_param param[4];
> -	struct tee_shm *reg_shm_in = NULL, *reg_shm_out = NULL;
> +	struct tee_shm *reg_shm_in, *reg_shm_out;

I don't have this file (trusted_tee.c) in my tree and there's no lore
link here to previous what threads this depends on.  Based on the
context I can't verify that reg_shm_in will always be initialized
before you get to the free_shm_in label.

>  
>  	memset(&inv_arg, 0, sizeof(inv_arg));
>  	memset(&param, 0, sizeof(param));
> @@ -84,7 +84,7 @@ static int trusted_tee_seal(struct trusted_key_payload *p, char *datablob)
>  	if (IS_ERR(reg_shm_out)) {
>  		dev_err(pvt_data.dev, "blob shm register failed\n");
>  		ret = PTR_ERR(reg_shm_out);
> -		goto out;
> +		goto free_shm_in;
>  	}
>  
>  	inv_arg.func = TA_CMD_SEAL;
> @@ -109,11 +109,9 @@ static int trusted_tee_seal(struct trusted_key_payload *p, char *datablob)
>  		p->blob_len = param[1].u.memref.size;
>  	}
>  
> -out:
> -	if (reg_shm_out)
> -		tee_shm_free(reg_shm_out);
> -	if (reg_shm_in)
> -		tee_shm_free(reg_shm_in);
> +	tee_shm_free(reg_shm_out);
> +free_shm_in:
> +	tee_shm_free(reg_shm_in);
>  
>  	return ret;
>  }
> @@ -126,7 +124,7 @@ static int trusted_tee_unseal(struct trusted_key_payload *p, char *datablob)
>  	int ret;
>  	struct tee_ioctl_invoke_arg inv_arg;
>  	struct tee_param param[4];
> -	struct tee_shm *reg_shm_in = NULL, *reg_shm_out = NULL;
> +	struct tee_shm *reg_shm_in, *reg_shm_out;
>  
>  	memset(&inv_arg, 0, sizeof(inv_arg));
>  	memset(&param, 0, sizeof(param));
> @@ -145,7 +143,7 @@ static int trusted_tee_unseal(struct trusted_key_payload *p, char *datablob)
>  	if (IS_ERR(reg_shm_out)) {
>  		dev_err(pvt_data.dev, "key shm register failed\n");
>  		ret = PTR_ERR(reg_shm_out);
> -		goto out;
> +		goto free_shm_in;
>  	}
>  
>  	inv_arg.func = TA_CMD_UNSEAL;
> @@ -170,11 +168,9 @@ static int trusted_tee_unseal(struct trusted_key_payload *p, char *datablob)
>  		p->key_len = param[1].u.memref.size;
>  	}
>  
> -out:
> -	if (reg_shm_out)
> -		tee_shm_free(reg_shm_out);
> -	if (reg_shm_in)
> -		tee_shm_free(reg_shm_in);
> +	tee_shm_free(reg_shm_out);
> +free_shm_in:
> +	tee_shm_free(reg_shm_in);
>  
>  	return ret;
>  }
> -- 
> 2.30.2

More information about the Linux-security-module-archive mailing list