From patchwork Wed May 9 18:55:35 2018
X-Patchwork-Submitter: Tadeusz Struk
X-Patchwork-Id: 10390633
Subject: [PATCH] tpm: fix use after free in tpm2_load_context
From: Tadeusz Struk To: jarkko.sakkinen@linux.intel.com Cc: jgg@ziepe.ca, linux-integrity@vger.kernel.org, tpmdd-devel@lists.sourceforge.net, tadeusz.struk@intel.com Date: Wed, 09 May 2018 11:55:35 -0700 Message-ID: <152589213590.23382.13567986597921947843.stgit@tstruk-mobl1.jf.intel.com> User-Agent: StGit/0.17.1-dirty MIME-Version: 1.0 Sender: linux-integrity-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-integrity@vger.kernel.org X-Virus-Scanned: ClamAV using ClamSMTP If load context command returns with TPM2_RC_HANDLE or TPM2_RC_REFERENCE_H0 then we have use after free in line 114 and double free in 117. Fixes: 4d57856a21ed2 ("tpm2: add session handle context saving and restoring to the space code") Signed-off-by: Tadeusz Struk Reviewed-by: Jarkko Sakkinen --- drivers/char/tpm/tpm2-space.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/drivers/char/tpm/tpm2-space.c b/drivers/char/tpm/tpm2-space.c index 4e4014eabdb9..6122d3276f72 100644 --- a/drivers/char/tpm/tpm2-space.c +++ b/drivers/char/tpm/tpm2-space.c @@ -102,8 +102,9 @@ static int tpm2_load_context(struct tpm_chip *chip, u8 *buf, * TPM_RC_REFERENCE_H0 means the session has been * flushed outside the space */ - rc = -ENOENT; + *handle = 0; tpm_buf_destroy(&tbuf); + return -ENOENT; } else if (rc > 0) { dev_warn(&chip->dev, "%s: failed with a TPM error 0x%04X\n", __func__, rc);
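Review bot: the commit message locates the bug by file line numbers ("line 114" and "117") that the hunk does not show and that will not match the file once anything above them moves; name the statements instead, i.e. the later use of tbuf and the second tpm_buf_destroy(&tbuf) that the new `return -ENOENT;` now bypasses, so the fix can be reviewed from the message alone. The replacement of `rc = -ENOENT;` with `*handle = 0;` plus an early return is the right shape (the only tpm_buf_destroy on this path is now followed immediately by the return, so the buffer can no longer be touched afterwards), and zeroing the out-parameter keeps callers from reading an indeterminate handle on the -ENOENT path. One thing to confirm in the message: this path previously fell through to whatever follows the if/else chain, and the early return skips all of it, so callers that treat -ENOENT as non-fatal must not depend on those later steps having run.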