From patchwork Fri Sep 10 18:04:51 2021
X-Patchwork-Submitter: Lino Sanfilippo
X-Patchwork-Id: 12485659
From: Lino Sanfilippo
To: peterhuewe@gmx.de, jarkko@kernel.org, jgg@ziepe.ca
Cc: p.rosenberger@kunbus.com, linux-integrity@vger.kernel.org, linux-kernel@vger.kernel.org, Lino Sanfilippo, stable@vger.kernel.org
Subject: [PATCH] tpm: fix potential NULL pointer access in tpm_del_char_device()
Date: Fri, 10 Sep 2021 20:04:51 +0200
Message-Id: <20210910180451.19314-1-LinoSanfilippo@gmx.de>
X-Mailing-List: linux-integrity@vger.kernel.org

In tpm_del_char_device() make sure that
chip->ops is still valid. This check is needed since in case of a system shutdown tpm_class_shutdown() has already been called and set chip->ops to NULL. This leads to a NULL pointer access as soon as tpm_del_char_device() tries to access chip->ops in case of TPM 2. Fixes: dcbeab1946454 ("tpm: fix crash in tpm_tis deinitialization") Cc: stable@vger.kernel.org Signed-off-by: Lino Sanfilippo --- drivers/char/tpm/tpm-chip.c | 16 +++++++++++----- 1 file changed, 11 insertions(+), 5 deletions(-) base-commit: a3fa7a101dcff93791d1b1bdb3affcad1410c8c1 diff --git a/drivers/char/tpm/tpm-chip.c b/drivers/char/tpm/tpm-chip.c index ddaeceb7e109..ed1fb5d82caf 100644 --- a/drivers/char/tpm/tpm-chip.c +++ b/drivers/char/tpm/tpm-chip.c @@ -474,13 +474,19 @@ static void tpm_del_char_device(struct tpm_chip *chip) /* Make the driver uncallable. */ down_write(&chip->ops_sem); - if (chip->flags & TPM_CHIP_FLAG_TPM2) { - if (!tpm_chip_start(chip)) { - tpm2_shutdown(chip, TPM2_SU_CLEAR); - tpm_chip_stop(chip); + /* Check if chip->ops is still valid since in case of a shutdown + * tpm_class_shutdown() has already sent the TPM2_Shutdown command + * and set chip->ops to NULL. + */ + if (chip->ops) { + if (chip->flags & TPM_CHIP_FLAG_TPM2) { + if (!tpm_chip_start(chip)) { + tpm2_shutdown(chip, TPM2_SU_CLEAR); + tpm_chip_stop(chip); + } } + chip->ops = NULL; } - chip->ops = NULL; up_write(&chip->ops_sem); }
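
Review bot: The comment added above `if (chip->ops)` and the commit message both say tpm_class_shutdown() has already run and cleared chip->ops, but neither names the path by which tpm_del_char_device() is reached afterwards during shutdown. Please state which caller unregisters the chip after the class shutdown hook, so a reader can tell whether this is reachable for every TPM driver or only for some, and so the stable backport can be judged against the commit in the Fixes: tag. On style, the new multi-line comment starts its text on the `/*` line; outside net/ the kernel coding style puts `/*` on a line of its own. The guard is evaluated with chip->ops_sem held for write, which is the right place for it. Moving `chip->ops = NULL` inside the guard does not change behaviour, since the only case it skips is the one where the pointer is already NULL.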