From patchwork Mon May 7 09:58:41 2018
X-Patchwork-Submitter: Jens Wiklander
X-Patchwork-Id: 10383815
From: Jens Wiklander
To: linux-kernel@vger.kernel.org, linux-arm-kernel@lists.infradead.org, tee-dev@lists.linaro.org
Cc: Jens Wiklander, Jann Horn
Subject: [PATCH] tee: shm: fix use-after-free via temporarily dropped reference
Date: Mon, 7 May 2018 11:58:41 +0200
Message-Id: <20180507095841.6452-1-jens.wiklander@linaro.org>

From: Jann Horn

Bump the file's refcount before moving the reference into the fd table, not afterwards. The old code could drop the file's refcount to zero for a short moment before calling get_file() via get_dma_buf().

This code can only be triggered on ARM systems that use Linaro's OP-TEE.

Fixes: 967c9cca2cc5 ("tee: generic TEE subsystem")
Signed-off-by: Jann Horn
Signed-off-by: Jens Wiklander
Reviewed-by: Volodymyr Babchuk
---
 drivers/tee/tee_shm.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/drivers/tee/tee_shm.c b/drivers/tee/tee_shm.c
index 556960a1bab3..07d3be6f0780 100644
--- a/drivers/tee/tee_shm.c
+++ b/drivers/tee/tee_shm.c
@@ -360,9 +360,10 @@ int tee_shm_get_fd(struct tee_shm *shm) if (!(shm->flags & TEE_SHM_DMA_BUF)) return -EINVAL; + get_dma_buf(shm->dmabuf); fd = dma_buf_fd(shm->dmabuf, O_CLOEXEC); - if (fd >= 0) - get_dma_buf(shm->dmabuf); + if (fd < 0) + dma_buf_put(shm->dmabuf); return fd; }
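Review bot: the new failure branch `if (fd < 0) dma_buf_put(shm->dmabuf);` is what keeps the refcount balanced, and the ordering it depends on deserves a one-line comment, because nothing in this hunk says why the get must precede dma_buf_fd(). With the old ordering, dma_buf_fd() installed the file into the fd table before get_dma_buf() ran, so the file could lose its last reference in that window and be released, as the commit message describes, leaving get_dma_buf() touching freed memory. Taking the reference up front closes that window; on success dma_buf_fd() hands that reference to the fd table, so the put is needed only when fd installation fails, which is exactly what the hunk does. Suggest adding something like `/* take the reference before the file becomes reachable via the fd table */` above `+ get_dma_buf(shm->dmabuf);` so a later refactor does not swap the two calls back.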