From patchwork Mon May 7 09:58:41 2018
X-Patchwork-Submitter: Jens Wiklander
X-Patchwork-Id: 135092
Delivered-To: patches@linaro.org
Received: by 10.46.151.6 with SMTP id r6csp2967116lji; Mon, 7 May 2018 02:59:38 -0700 (PDT)
Authentication-Results: mx.google.com; dkim=pass header.i=@linaro.org header.s=google; spf=pass (google.com: domain of jens.wiklander@linaro.org designates 209.85.220.65 as permitted sender) smtp.mailfrom=jens.wiklander@linaro.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linaro.org
Received: from mail-sor-f65.google.com (mail-sor-f65.google.com. [209.85.220.65]) by mx.google.com with SMTPS id l18-v6sor1299830lfi.69.2018.05.07.02.59.38 (Google Transport Security); Mon, 07 May 2018 02:59:38 -0700 (PDT)
Received: from jax.urgonet (h-84-45.A175.priv.bahnhof.se. [79.136.84.45]) by smtp.gmail.com with ESMTPSA id g132-v6sm1371750lfg.23.2018.05.07.02.59.36 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Mon, 07 May 2018 02:59:37 -0700 (PDT)
From: Jens Wiklander <jens.wiklander@linaro.org>
To: linux-kernel@vger.kernel.org, linux-arm-kernel@lists.infradead.org, tee-dev@lists.linaro.org
Cc: Jann Horn, Jens Wiklander
Subject: [PATCH] tee: shm: fix use-after-free via temporarily dropped reference
Date: Mon, 7 May 2018 11:58:41 +0200
Message-Id: <20180507095841.6452-1-jens.wiklander@linaro.org>
X-Mailer: git-send-email 2.17.0

From: Jann Horn

Bump the file's refcount before moving the reference into the fd table,
not afterwards. The old code could drop the file's refcount to zero for a
short moment before calling get_file() via get_dma_buf().

This code can only be triggered on ARM systems that use Linaro's OP-TEE.

Fixes: 967c9cca2cc5 ("tee: generic TEE subsystem")
Signed-off-by: Jann Horn
Signed-off-by: Jens Wiklander
---
 drivers/tee/tee_shm.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

-- 
2.17.0

Reviewed-by: Volodymyr Babchuk

diff --git a/drivers/tee/tee_shm.c b/drivers/tee/tee_shm.c
index 556960a1bab3..07d3be6f0780 100644
--- a/drivers/tee/tee_shm.c
+++ b/drivers/tee/tee_shm.c
@@ -360,9 +360,10 @@ int tee_shm_get_fd(struct tee_shm *shm) if (!(shm->flags & TEE_SHM_DMA_BUF)) return -EINVAL; + get_dma_buf(shm->dmabuf); fd = dma_buf_fd(shm->dmabuf, O_CLOEXEC); - if (fd >= 0) - get_dma_buf(shm->dmabuf); + if (fd < 0) + dma_buf_put(shm->dmabuf); return fd; }
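Review bot: the reordering in the tee_shm_get_fd() hunk is the right fix, but the "Reviewed-by: Volodymyr Babchuk" trailer sits below the "-- " signature line instead of in the tag block with the two Signed-off-by: lines above "---", so git am will silently drop it; move it up, and since this is a use-after-free carrying a Fixes: tag, add "Cc: stable@vger.kernel.org" next to it so the backport is not left to chance. On the logic itself: dma_buf_fd() moves the reference that shm already holds on shm->dmabuf into the fd table without taking one of its own, so with the old order there was a window between `fd = dma_buf_fd(shm->dmabuf, O_CLOEXEC);` and `get_dma_buf(shm->dmabuf);` in which a close() of the freshly installed fd from another thread could drop the count to zero, release the dma_buf and the shm behind it, and turn the following get into the use-after-free named in the subject. Taking the reference before dma_buf_fd() and giving it back with `dma_buf_put(shm->dmabuf);` only when `fd < 0` leaves the count right on both paths: the shm keeps its own reference, and the fd table owns the extra one from the moment the fd becomes visible. The commit message talks about the file's refcount while the hunk touches the dma_buf's; that is the same counter, since get_dma_buf() is get_file() on dmabuf->file, but saying so in the message would save the next reader the lookup.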
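As an added illustration of the window the commit message describes (example code written for this page, not from the kernel or the OP-TEE driver), the model below replays both orderings of tee_shm_get_fd() against a plain integer refcount. The model_* names, the enum schedule that stands in for a racing close() or an exhausted fd table, and the hypothetical descriptor number 3 are all constructions of this example; the kernel's real dma_buf_fd() installs the file into the fd table without taking a reference, which is the behaviour the stand-in reproduces.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed model of the object tee_shm_get_fd() hands out; not kernel code.
 * A tee_shm owns one reference on its dma_buf's file, and get_dma_buf() /
 * dma_buf_put() are get_file() / fput() on that file. */
struct model_dmabuf {
	int refcount;   /* starts at 1: the reference owned by the tee_shm */
	bool released;  /* set when the count hits zero: the shm behind it is freed */
};

/* Deterministic stand-in for what another thread may do while the fd is visible. */
enum schedule {
	SCHED_QUIET,         /* nobody touches the new fd */
	SCHED_RACING_CLOSE,  /* another thread close()s the fd right after it is installed */
	SCHED_NO_FD,         /* get_unused_fd_flags() fails: fd table exhausted */
};

static void model_get_dma_buf(struct model_dmabuf *d)
{
	d->refcount++;
}

static void model_dma_buf_put(struct model_dmabuf *d)
{
	if (--d->refcount == 0)
		d->released = true;  /* release callback runs, shm is gone */
}

/* Stand-in for dma_buf_fd(): it takes no reference of its own. Installing the
 * fd moves the caller's reference into the fd table, where a concurrent close()
 * can drop it before the caller gets to run again. */
static int model_dma_buf_fd(struct model_dmabuf *d, enum schedule s)
{
	if (s == SCHED_NO_FD)
		return -24;              /* -EMFILE */
	if (s == SCHED_RACING_CLOSE)
		model_dma_buf_put(d);    /* close() from another thread lands here */
	return 3;                        /* hypothetical descriptor number */
}

/* Pre-patch ordering: install first, bump the count afterwards.
 * Returns the refcount left for the shm, or -1 when the bump would touch an
 * already released object (the use-after-free the patch fixes). */
int old_tee_shm_get_fd(struct model_dmabuf *d, enum schedule s)
{
	int fd = model_dma_buf_fd(d, s);

	if (fd >= 0) {
		if (d->released)
			return -1;       /* shm->dmabuf was freed under us */
		model_get_dma_buf(d);
	}
	return d->refcount;
}

/* Post-patch ordering: hold a reference for the fd table before installing,
 * and give it back only if no fd could be allocated. */
int new_tee_shm_get_fd(struct model_dmabuf *d, enum schedule s)
{
	int fd;

	model_get_dma_buf(d);
	fd = model_dma_buf_fd(d, s);
	if (fd < 0)
		model_dma_buf_put(d);
	return d->refcount;
}

/* Run one scenario from a fresh dma_buf owned by a single shm. */
int run_old(enum schedule s)
{
	struct model_dmabuf d = { 1, false };
	return old_tee_shm_get_fd(&d, s);
}

int run_new(enum schedule s)
{
	struct model_dmabuf d = { 1, false };
	return new_tee_shm_get_fd(&d, s);
}

int main(void)
{
	printf("old, quiet:         refcount %d\n", run_old(SCHED_QUIET));
	printf("old, racing close:  %d (-1 = use-after-free)\n", run_old(SCHED_RACING_CLOSE));
	printf("new, quiet:         refcount %d\n", run_new(SCHED_QUIET));
	printf("new, racing close:  refcount %d\n", run_new(SCHED_RACING_CLOSE));
	printf("new, no fd:         refcount %d\n", run_new(SCHED_NO_FD));
	return 0;
}
```

With the old order the racing schedule drives the count to zero before the get runs; with the new order the same schedule leaves the shm holding its one reference and the closed fd having consumed the extra one, and the failure path hands the extra reference back so nothing leaks.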