Commit 486dfde1 authored Apr 16, 2024 by Rijo Thomas Committed by Guo Mengqi Apr 16, 2024

tee: amdtee: fix use-after-free vulnerability in amdtee_close_session

stable inclusion
from stable-v5.10.199
commit da7ce52a2f6c468946195b116615297d3d113a27
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/I9AWJ5

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=da7ce52a2f6c468946195b116615297d3d113a27



--------------------------------

commit f4384b3e upstream.

There is a potential race condition in amdtee_close_session that may
cause use-after-free in amdtee_open_session. For instance, if a session
has refcount == 1, and one thread tries to free this session via:

    kref_put(&sess->refcount, destroy_session);

the reference count will get decremented, and the next step would be to
call destroy_session(). However, if in another thread,
amdtee_open_session() is called before destroy_session() has completed
execution, alloc_session() may return 'sess' that will be freed up
later in destroy_session() leading to use-after-free in
amdtee_open_session.

To fix this issue, treat decrement of sess->refcount and removal of
'sess' from session list in destroy_session() as a critical section, so
that it is executed atomically.

Fixes: 757cc3e9 ("tee: add AMD-TEE driver")
Cc: stable@vger.kernel.org
Signed-off-by: Rijo Thomas <Rijo-john.Thomas@amd.com>
Reviewed-by: Sumit Garg <sumit.garg@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: sanglipeng <sanglipeng1@jd.com>

parent 9abaf1ed

drivers/tee/amdtee/core.c

+6 −4

Original line number	Diff line number	Diff line
		@@ -217,12 +217,12 @@ static int copy_ta_binary(struct tee_context ctx, void ptr, void **ta,
		return rc;
		}

		/* mutex must be held by caller */
		static void destroy_session(struct kref *ref)
		{
		struct amdtee_session *sess = container_of(ref, struct amdtee_session,
		refcount);

		mutex_lock(&session_list_mutex);
		list_del(&sess->list_node);
		mutex_unlock(&session_list_mutex);
		kfree(sess);
		@@ -277,7 +277,8 @@ int amdtee_open_session(struct tee_context *ctx,
		if (i >= TEE_NUM_SESSIONS) {
		pr_err("reached maximum session count %d\n", TEE_NUM_SESSIONS);
		handle_unload_ta(ta_handle);
		kref_put(&sess->refcount, destroy_session);
		kref_put_mutex(&sess->refcount, destroy_session,
		&session_list_mutex);
		rc = -ENOMEM;
		goto out;
		}
		@@ -290,7 +291,8 @@ int amdtee_open_session(struct tee_context *ctx,
		clear_bit(i, sess->sess_mask);
		spin_unlock(&sess->lock);
		handle_unload_ta(ta_handle);
		kref_put(&sess->refcount, destroy_session);
		kref_put_mutex(&sess->refcount, destroy_session,
		&session_list_mutex);
		goto out;
		}

		@@ -332,7 +334,7 @@ int amdtee_close_session(struct tee_context *ctx, u32 session)
		handle_close_session(ta_handle, session_info);
		handle_unload_ta(ta_handle);

		kref_put(&sess->refcount, destroy_session);
		kref_put_mutex(&sess->refcount, destroy_session, &session_list_mutex);

		return 0;
		}