| Message ID | 20211220150635.8545-1-LinoSanfilippo@gmx.de |
|---|---|
| State | Accepted |
| Commit | eabad7ba2c752392ae50f24a795093fb115b686d |
| Headers | show |
| Series | [v2] tpm: fix potential NULL pointer access in tpm_del_char_device | expand |
On 12/20/21 10:06, Lino Sanfilippo wrote: > Some SPI controller drivers unregister the controller in the shutdown > handler (e.g. BCM2835). If such a controller is used with a TPM 2 slave > chip->ops may be accessed when it is already NULL: > > At system shutdown the pre-shutdown handler tpm_class_shutdown() shuts down > TPM 2 and sets chip->ops to NULL. Then at SPI controller unregistration > tpm_tis_spi_remove() is called and eventually calls tpm_del_char_device() > which tries to shut down TPM 2 again. Thereby it accesses chip->ops again: > (tpm_del_char_device calls tpm_chip_start which calls tpm_clk_enable which > calls chip->ops->clk_enable). > > Avoid the NULL pointer access by testing if chip->ops is valid and skipping > the TPM 2 shutdown procedure in case it is NULL. > > Fixes: dcbeab1946454 ("tpm: fix crash in tpm_tis deinitialization") > Cc: stable@vger.kernel.org > Signed-off-by: Lino Sanfilippo <LinoSanfilippo@gmx.de> > --- > > Changes to v2: > - rephrased the commit message to clarify the circumstances under which > this bug triggers (as requested by Jarkko) > > > I was able to reproduce this issue with a SLB 9670 TPM chip controlled by > a BCM2835 SPI controller. > > The approach to fix this issue in the BCM2835 driver was rejected after a > discussion on the mailing list: > > https://marc.info/?l=linux-integrity&m=163285906725367&w=2 > > The reason for the rejection was the realization, that this issue should rather > be fixed in the TPM code: > > https://marc.info/?l=linux-spi&m=163311087423271&w=2 > > So this is the reworked version of a patch that is supposed to do that. > > > drivers/char/tpm/tpm-chip.c | 16 +++++++++++----- > 1 file changed, 11 insertions(+), 5 deletions(-) > > diff --git a/drivers/char/tpm/tpm-chip.c b/drivers/char/tpm/tpm-chip.c > index ddaeceb7e109..7960da490e72 100644 > --- a/drivers/char/tpm/tpm-chip.c > +++ b/drivers/char/tpm/tpm-chip.c > @@ -474,13 +474,19 @@ static void tpm_del_char_device(struct tpm_chip *chip) > > /* Make the driver uncallable. */ > down_write(&chip->ops_sem); > - if (chip->flags & TPM_CHIP_FLAG_TPM2) { > - if (!tpm_chip_start(chip)) { > - tpm2_shutdown(chip, TPM2_SU_CLEAR); > - tpm_chip_stop(chip); > + /* Check if chip->ops is still valid: In case that the controller > + * drivers shutdown handler unregisters the controller in its > + * shutdown handler we are called twice and chip->ops to NULL. > + */ > + if (chip->ops) { > + if (chip->flags & TPM_CHIP_FLAG_TPM2) { > + if (!tpm_chip_start(chip)) { > + tpm2_shutdown(chip, TPM2_SU_CLEAR); > + tpm_chip_stop(chip); > + } > } > + chip->ops = NULL; > } > - chip->ops = NULL; > up_write(&chip->ops_sem); > } > > > base-commit: a7904a538933c525096ca2ccde1e60d0ee62c08e Fixes: 39d0099f9439 ("powerpc/pseries: Add shutdown() to vio_driver and vio_bus") Reviewed-by: Stefan Berger <stefanb@linux.ibm.com> Tested-by: Stefan Berger <stefanb@linux.ibm.com>
Hi Stefan, On 22.12.21 at 05:53, Stefan Berger wrote: >> >> drivers/char/tpm/tpm-chip.c | 16 +++++++++++----- >> 1 file changed, 11 insertions(+), 5 deletions(-) >> >> diff --git a/drivers/char/tpm/tpm-chip.c b/drivers/char/tpm/tpm-chip.c >> index ddaeceb7e109..7960da490e72 100644 >> --- a/drivers/char/tpm/tpm-chip.c >> +++ b/drivers/char/tpm/tpm-chip.c >> @@ -474,13 +474,19 @@ static void tpm_del_char_device(struct tpm_chip *chip) >> /* Make the driver uncallable. */ >> down_write(&chip->ops_sem); >> - if (chip->flags & TPM_CHIP_FLAG_TPM2) { >> - if (!tpm_chip_start(chip)) { >> - tpm2_shutdown(chip, TPM2_SU_CLEAR); >> - tpm_chip_stop(chip); >> + /* Check if chip->ops is still valid: In case that the controller >> + * drivers shutdown handler unregisters the controller in its >> + * shutdown handler we are called twice and chip->ops to NULL. >> + */ >> + if (chip->ops) { >> + if (chip->flags & TPM_CHIP_FLAG_TPM2) { >> + if (!tpm_chip_start(chip)) { >> + tpm2_shutdown(chip, TPM2_SU_CLEAR); >> + tpm_chip_stop(chip); >> + } >> } >> + chip->ops = NULL; >> } >> - chip->ops = NULL; >> up_write(&chip->ops_sem); >> } >> >> base-commit: a7904a538933c525096ca2ccde1e60d0ee62c08e > > > Fixes: 39d0099f9439 ("powerpc/pseries: Add shutdown() to vio_driver and vio_bus") > > Reviewed-by: Stefan Berger <stefanb@linux.ibm.com> > > Tested-by: Stefan Berger <stefanb@linux.ibm.com> > > Thanks a lot for testing this. Best regards, Lino
On Mon, Dec 20, 2021 at 04:06:35PM +0100, Lino Sanfilippo wrote: > Some SPI controller drivers unregister the controller in the shutdown > handler (e.g. BCM2835). If such a controller is used with a TPM 2 slave > chip->ops may be accessed when it is already NULL: > > At system shutdown the pre-shutdown handler tpm_class_shutdown() shuts down > TPM 2 and sets chip->ops to NULL. Then at SPI controller unregistration > tpm_tis_spi_remove() is called and eventually calls tpm_del_char_device() > which tries to shut down TPM 2 again. Thereby it accesses chip->ops again: > (tpm_del_char_device calls tpm_chip_start which calls tpm_clk_enable which > calls chip->ops->clk_enable). > > Avoid the NULL pointer access by testing if chip->ops is valid and skipping > the TPM 2 shutdown procedure in case it is NULL. > > Fixes: dcbeab1946454 ("tpm: fix crash in tpm_tis deinitialization") > Cc: stable@vger.kernel.org > Signed-off-by: Lino Sanfilippo <LinoSanfilippo@gmx.de> Thank you. Reviewed-by: Jarkko Sakkinen <jarkko@kernel.org> BR, Jarkko
Hi, On 29.12.21 at 01:13, Jarkko Sakkinen wrote: > On Mon, Dec 20, 2021 at 04:06:35PM +0100, Lino Sanfilippo wrote: >> Some SPI controller drivers unregister the controller in the shutdown >> handler (e.g. BCM2835). If such a controller is used with a TPM 2 slave >> chip->ops may be accessed when it is already NULL: >> >> At system shutdown the pre-shutdown handler tpm_class_shutdown() shuts down >> TPM 2 and sets chip->ops to NULL. Then at SPI controller unregistration >> tpm_tis_spi_remove() is called and eventually calls tpm_del_char_device() >> which tries to shut down TPM 2 again. Thereby it accesses chip->ops again: >> (tpm_del_char_device calls tpm_chip_start which calls tpm_clk_enable which >> calls chip->ops->clk_enable). >> >> Avoid the NULL pointer access by testing if chip->ops is valid and skipping >> the TPM 2 shutdown procedure in case it is NULL. >> >> Fixes: dcbeab1946454 ("tpm: fix crash in tpm_tis deinitialization") >> Cc: stable@vger.kernel.org >> Signed-off-by: Lino Sanfilippo <LinoSanfilippo@gmx.de> > > Thank you. > > Reviewed-by: Jarkko Sakkinen <jarkko@kernel.org> > > BR, > Jarkko > Thanks a lot for the review. Please note that the latest version is v3 which contains one more Fixes tag and also a tag for the review by Stefan. I also adjusted the source code comment in that version which I somehow messed up in v2. Regards, Lino
On Wed, Dec 29, 2021 at 02:41:52AM +0100, Lino Sanfilippo wrote: > Hi, > > On 29.12.21 at 01:13, Jarkko Sakkinen wrote: > > On Mon, Dec 20, 2021 at 04:06:35PM +0100, Lino Sanfilippo wrote: > >> Some SPI controller drivers unregister the controller in the shutdown > >> handler (e.g. BCM2835). If such a controller is used with a TPM 2 slave > >> chip->ops may be accessed when it is already NULL: > >> > >> At system shutdown the pre-shutdown handler tpm_class_shutdown() shuts down > >> TPM 2 and sets chip->ops to NULL. Then at SPI controller unregistration > >> tpm_tis_spi_remove() is called and eventually calls tpm_del_char_device() > >> which tries to shut down TPM 2 again. Thereby it accesses chip->ops again: > >> (tpm_del_char_device calls tpm_chip_start which calls tpm_clk_enable which > >> calls chip->ops->clk_enable). > >> > >> Avoid the NULL pointer access by testing if chip->ops is valid and skipping > >> the TPM 2 shutdown procedure in case it is NULL. > >> > >> Fixes: dcbeab1946454 ("tpm: fix crash in tpm_tis deinitialization") > >> Cc: stable@vger.kernel.org > >> Signed-off-by: Lino Sanfilippo <LinoSanfilippo@gmx.de> > > > > Thank you. > > > > Reviewed-by: Jarkko Sakkinen <jarkko@kernel.org> > > > > BR, > > Jarkko > > > > Thanks a lot for the review. Please note that the latest version is v3 which > contains one more Fixes tag and also a tag for the review by Stefan. I also > adjusted the source code comment in that version which I somehow messed up in v2. Since there is no functional difference, I rather do not swap it. I fixed a glitch: + + /* A multi-line commit needs to have this as the very first line. You can check if the all tags were pulled by b4. /Jarkko
On 29.12.21 at 02:46, Jarkko Sakkinen wrote: > > Since there is no functional difference, I rather do not swap it. > > I fixed a glitch: > > + > + /* > > A multi-line commit needs to have this as the very first line. > You can check if the all tags were pulled by b4. > > /Jarkko > I see, thanks for fixing the comment then. Regards, Lino
diff --git a/drivers/char/tpm/tpm-chip.c b/drivers/char/tpm/tpm-chip.c index ddaeceb7e109..7960da490e72 100644 --- a/drivers/char/tpm/tpm-chip.c +++ b/drivers/char/tpm/tpm-chip.c @@ -474,13 +474,19 @@ static void tpm_del_char_device(struct tpm_chip *chip) /* Make the driver uncallable. */ down_write(&chip->ops_sem); - if (chip->flags & TPM_CHIP_FLAG_TPM2) { - if (!tpm_chip_start(chip)) { - tpm2_shutdown(chip, TPM2_SU_CLEAR); - tpm_chip_stop(chip); + /* Check if chip->ops is still valid: In case that the controller + * drivers shutdown handler unregisters the controller in its + * shutdown handler we are called twice and chip->ops to NULL. + */ + if (chip->ops) { + if (chip->flags & TPM_CHIP_FLAG_TPM2) { + if (!tpm_chip_start(chip)) { + tpm2_shutdown(chip, TPM2_SU_CLEAR); + tpm_chip_stop(chip); + } } + chip->ops = NULL; } - chip->ops = NULL; up_write(&chip->ops_sem); }
Some SPI controller drivers unregister the controller in the shutdown handler (e.g. BCM2835). If such a controller is used with a TPM 2 slave chip->ops may be accessed when it is already NULL: At system shutdown the pre-shutdown handler tpm_class_shutdown() shuts down TPM 2 and sets chip->ops to NULL. Then at SPI controller unregistration tpm_tis_spi_remove() is called and eventually calls tpm_del_char_device() which tries to shut down TPM 2 again. Thereby it accesses chip->ops again: (tpm_del_char_device calls tpm_chip_start which calls tpm_clk_enable which calls chip->ops->clk_enable). Avoid the NULL pointer access by testing if chip->ops is valid and skipping the TPM 2 shutdown procedure in case it is NULL. Fixes: dcbeab1946454 ("tpm: fix crash in tpm_tis deinitialization") Cc: stable@vger.kernel.org Signed-off-by: Lino Sanfilippo <LinoSanfilippo@gmx.de> --- Changes to v2: - rephrased the commit message to clarify the circumstances under which this bug triggers (as requested by Jarkko) I was able to reproduce this issue with a SLB 9670 TPM chip controlled by a BCM2835 SPI controller. The approach to fix this issue in the BCM2835 driver was rejected after a discussion on the mailing list: https://marc.info/?l=linux-integrity&m=163285906725367&w=2 The reason for the rejection was the realization, that this issue should rather be fixed in the TPM code: https://marc.info/?l=linux-spi&m=163311087423271&w=2 So this is the reworked version of a patch that is supposed to do that. drivers/char/tpm/tpm-chip.c | 16 +++++++++++----- 1 file changed, 11 insertions(+), 5 deletions(-) base-commit: a7904a538933c525096ca2ccde1e60d0ee62c08e