[PATCH v2] tpm: fix potential NULL pointer access in tpm_del_char_device

Lino Sanfilippo posted 1 patch 4 years, 6 months ago
drivers/char/tpm/tpm-chip.c | 16 +++++++++++-----
1 file changed, 11 insertions(+), 5 deletions(-)
[PATCH v2] tpm: fix potential NULL pointer access in tpm_del_char_device
Posted by Lino Sanfilippo 4 years, 6 months ago
Some SPI controller drivers unregister the controller in the shutdown
handler (e.g. BCM2835). If such a controller is used with a TPM 2 slave
chip->ops may be accessed when it is already NULL:

At system shutdown the pre-shutdown handler tpm_class_shutdown() shuts down
TPM 2 and sets chip->ops to NULL. Then at SPI controller unregistration
tpm_tis_spi_remove() is called and eventually calls tpm_del_char_device()
which tries to shut down TPM 2 again. Thereby it accesses chip->ops again:
(tpm_del_char_device calls tpm_chip_start which calls tpm_clk_enable which
calls chip->ops->clk_enable).

Avoid the NULL pointer access by testing if chip->ops is valid and skipping
the TPM 2 shutdown procedure in case it is NULL.

Fixes: dcbeab1946454 ("tpm: fix crash in tpm_tis deinitialization")
Cc: stable@vger.kernel.org
Signed-off-by: Lino Sanfilippo <LinoSanfilippo@gmx.de>
---

Changes to v2:
- rephrased the commit message to clarify the circumstances under which
  this bug triggers (as requested by Jarkko)


I was able to reproduce this issue with a SLB 9670 TPM chip controlled by 
a BCM2835 SPI controller. 

The approach to fix this issue in the BCM2835 driver was rejected after a
discussion on the mailing list:

https://marc.info/?l=linux-integrity&m=163285906725367&w=2

The reason for the rejection was the realization, that this issue should rather
be fixed in the TPM code:

https://marc.info/?l=linux-spi&m=163311087423271&w=2

So this is the reworked version of a patch that is supposed to do that.


 drivers/char/tpm/tpm-chip.c | 16 +++++++++++-----
 1 file changed, 11 insertions(+), 5 deletions(-)

diff --git a/drivers/char/tpm/tpm-chip.c b/drivers/char/tpm/tpm-chip.c
index ddaeceb7e109..7960da490e72 100644
--- a/drivers/char/tpm/tpm-chip.c
+++ b/drivers/char/tpm/tpm-chip.c
@@ -474,13 +474,19 @@ static void tpm_del_char_device(struct tpm_chip *chip)
 
 	/* Make the driver uncallable. */
 	down_write(&chip->ops_sem);
-	if (chip->flags & TPM_CHIP_FLAG_TPM2) {
-		if (!tpm_chip_start(chip)) {
-			tpm2_shutdown(chip, TPM2_SU_CLEAR);
-			tpm_chip_stop(chip);
+	/* Check if chip->ops is still valid: In case that the controller
+	 * drivers shutdown handler unregisters the controller in its
+	 * shutdown handler we are called twice and chip->ops to NULL.
+	 */
+	if (chip->ops) {
+		if (chip->flags & TPM_CHIP_FLAG_TPM2) {
+			if (!tpm_chip_start(chip)) {
+				tpm2_shutdown(chip, TPM2_SU_CLEAR);
+				tpm_chip_stop(chip);
+			}
 		}
+		chip->ops = NULL;
 	}
-	chip->ops = NULL;
 	up_write(&chip->ops_sem);
 }
 

base-commit: a7904a538933c525096ca2ccde1e60d0ee62c08e
-- 
2.34.1

Re: [PATCH v2] tpm: fix potential NULL pointer access in tpm_del_char_device
Posted by Lino Sanfilippo 4 years, 6 months ago
Hi,

the patch below should also fix the issue that Stefan reported here:

https://marc.info/?l=linux-integrity&m=163927245509564&w=2


Regards,
Lino


On 20.12.21 at 16:06, Lino Sanfilippo wrote:
> Some SPI controller drivers unregister the controller in the shutdown
> handler (e.g. BCM2835). If such a controller is used with a TPM 2 slave
> chip->ops may be accessed when it is already NULL:
>
> At system shutdown the pre-shutdown handler tpm_class_shutdown() shuts down
> TPM 2 and sets chip->ops to NULL. Then at SPI controller unregistration
> tpm_tis_spi_remove() is called and eventually calls tpm_del_char_device()
> which tries to shut down TPM 2 again. Thereby it accesses chip->ops again:
> (tpm_del_char_device calls tpm_chip_start which calls tpm_clk_enable which
> calls chip->ops->clk_enable).
>
> Avoid the NULL pointer access by testing if chip->ops is valid and skipping
> the TPM 2 shutdown procedure in case it is NULL.
>
> Fixes: dcbeab1946454 ("tpm: fix crash in tpm_tis deinitialization")
> Cc: stable@vger.kernel.org
> Signed-off-by: Lino Sanfilippo <LinoSanfilippo@gmx.de>
> ---
>
> Changes to v2:
> - rephrased the commit message to clarify the circumstances under which
>   this bug triggers (as requested by Jarkko)
>
>
> I was able to reproduce this issue with a SLB 9670 TPM chip controlled by
> a BCM2835 SPI controller.
>
> The approach to fix this issue in the BCM2835 driver was rejected after a
> discussion on the mailing list:
>
> https://marc.info/?l=linux-integrity&m=163285906725367&w=2
>
> The reason for the rejection was the realization, that this issue should rather
> be fixed in the TPM code:
>
> https://marc.info/?l=linux-spi&m=163311087423271&w=2
>
> So this is the reworked version of a patch that is supposed to do that.
>
>
>  drivers/char/tpm/tpm-chip.c | 16 +++++++++++-----
>  1 file changed, 11 insertions(+), 5 deletions(-)
>
> diff --git a/drivers/char/tpm/tpm-chip.c b/drivers/char/tpm/tpm-chip.c
> index ddaeceb7e109..7960da490e72 100644
> --- a/drivers/char/tpm/tpm-chip.c
> +++ b/drivers/char/tpm/tpm-chip.c
> @@ -474,13 +474,19 @@ static void tpm_del_char_device(struct tpm_chip *chip)
>
>  	/* Make the driver uncallable. */
>  	down_write(&chip->ops_sem);
> -	if (chip->flags & TPM_CHIP_FLAG_TPM2) {
> -		if (!tpm_chip_start(chip)) {
> -			tpm2_shutdown(chip, TPM2_SU_CLEAR);
> -			tpm_chip_stop(chip);
> +	/* Check if chip->ops is still valid: In case that the controller
> +	 * drivers shutdown handler unregisters the controller in its
> +	 * shutdown handler we are called twice and chip->ops to NULL.
> +	 */
> +	if (chip->ops) {
> +		if (chip->flags & TPM_CHIP_FLAG_TPM2) {
> +			if (!tpm_chip_start(chip)) {
> +				tpm2_shutdown(chip, TPM2_SU_CLEAR);
> +				tpm_chip_stop(chip);
> +			}
>  		}
> +		chip->ops = NULL;
>  	}
> -	chip->ops = NULL;
>  	up_write(&chip->ops_sem);
>  }
>
>
> base-commit: a7904a538933c525096ca2ccde1e60d0ee62c08e
>

Re: [PATCH v2] tpm: fix potential NULL pointer access in tpm_del_char_device
Posted by Stefan Berger 4 years, 6 months ago
On 12/20/21 10:06, Lino Sanfilippo wrote:
> Some SPI controller drivers unregister the controller in the shutdown
> handler (e.g. BCM2835). If such a controller is used with a TPM 2 slave
> chip->ops may be accessed when it is already NULL:
>
> At system shutdown the pre-shutdown handler tpm_class_shutdown() shuts down
> TPM 2 and sets chip->ops to NULL. Then at SPI controller unregistration
> tpm_tis_spi_remove() is called and eventually calls tpm_del_char_device()
> which tries to shut down TPM 2 again. Thereby it accesses chip->ops again:
> (tpm_del_char_device calls tpm_chip_start which calls tpm_clk_enable which
> calls chip->ops->clk_enable).
>
> Avoid the NULL pointer access by testing if chip->ops is valid and skipping
> the TPM 2 shutdown procedure in case it is NULL.
>
> Fixes: dcbeab1946454 ("tpm: fix crash in tpm_tis deinitialization")
> Cc: stable@vger.kernel.org
> Signed-off-by: Lino Sanfilippo <LinoSanfilippo@gmx.de>
> ---
>
> Changes to v2:
> - rephrased the commit message to clarify the circumstances under which
>    this bug triggers (as requested by Jarkko)
>
>
> I was able to reproduce this issue with a SLB 9670 TPM chip controlled by
> a BCM2835 SPI controller.
>
> The approach to fix this issue in the BCM2835 driver was rejected after a
> discussion on the mailing list:
>
> https://marc.info/?l=linux-integrity&m=163285906725367&w=2
>
> The reason for the rejection was the realization, that this issue should rather
> be fixed in the TPM code:
>
> https://marc.info/?l=linux-spi&m=163311087423271&w=2
>
> So this is the reworked version of a patch that is supposed to do that.
>
>
>   drivers/char/tpm/tpm-chip.c | 16 +++++++++++-----
>   1 file changed, 11 insertions(+), 5 deletions(-)
>
> diff --git a/drivers/char/tpm/tpm-chip.c b/drivers/char/tpm/tpm-chip.c
> index ddaeceb7e109..7960da490e72 100644
> --- a/drivers/char/tpm/tpm-chip.c
> +++ b/drivers/char/tpm/tpm-chip.c
> @@ -474,13 +474,19 @@ static void tpm_del_char_device(struct tpm_chip *chip)
>   
>   	/* Make the driver uncallable. */
>   	down_write(&chip->ops_sem);
> -	if (chip->flags & TPM_CHIP_FLAG_TPM2) {
> -		if (!tpm_chip_start(chip)) {
> -			tpm2_shutdown(chip, TPM2_SU_CLEAR);
> -			tpm_chip_stop(chip);
> +	/* Check if chip->ops is still valid: In case that the controller
> +	 * drivers shutdown handler unregisters the controller in its
> +	 * shutdown handler we are called twice and chip->ops to NULL.
> +	 */
> +	if (chip->ops) {
> +		if (chip->flags & TPM_CHIP_FLAG_TPM2) {
> +			if (!tpm_chip_start(chip)) {
> +				tpm2_shutdown(chip, TPM2_SU_CLEAR);
> +				tpm_chip_stop(chip);
> +			}
>   		}
> +		chip->ops = NULL;
>   	}
> -	chip->ops = NULL;
>   	up_write(&chip->ops_sem);
>   }
>   
>
> base-commit: a7904a538933c525096ca2ccde1e60d0ee62c08e


Fixes: 39d0099f9439 ("powerpc/pseries: Add shutdown() to vio_driver and 
vio_bus")

Reviewed-by: Stefan Berger <stefanb@linux.ibm.com>

Tested-by: Stefan Berger <stefanb@linux.ibm.com>


Re: [PATCH v2] tpm: fix potential NULL pointer access in tpm_del_char_device
Posted by Lino Sanfilippo 4 years, 6 months ago
Hi Stefan,


On 22.12.21 at 05:53, Stefan Berger wrote:

>>
>>   drivers/char/tpm/tpm-chip.c | 16 +++++++++++-----
>>   1 file changed, 11 insertions(+), 5 deletions(-)
>>
>> diff --git a/drivers/char/tpm/tpm-chip.c b/drivers/char/tpm/tpm-chip.c
>> index ddaeceb7e109..7960da490e72 100644
>> --- a/drivers/char/tpm/tpm-chip.c
>> +++ b/drivers/char/tpm/tpm-chip.c
>> @@ -474,13 +474,19 @@ static void tpm_del_char_device(struct tpm_chip *chip)
>>         /* Make the driver uncallable. */
>>       down_write(&chip->ops_sem);
>> -    if (chip->flags & TPM_CHIP_FLAG_TPM2) {
>> -        if (!tpm_chip_start(chip)) {
>> -            tpm2_shutdown(chip, TPM2_SU_CLEAR);
>> -            tpm_chip_stop(chip);
>> +    /* Check if chip->ops is still valid: In case that the controller
>> +     * drivers shutdown handler unregisters the controller in its
>> +     * shutdown handler we are called twice and chip->ops to NULL.
>> +     */
>> +    if (chip->ops) {
>> +        if (chip->flags & TPM_CHIP_FLAG_TPM2) {
>> +            if (!tpm_chip_start(chip)) {
>> +                tpm2_shutdown(chip, TPM2_SU_CLEAR);
>> +                tpm_chip_stop(chip);
>> +            }
>>           }
>> +        chip->ops = NULL;
>>       }
>> -    chip->ops = NULL;
>>       up_write(&chip->ops_sem);
>>   }
>>  
>> base-commit: a7904a538933c525096ca2ccde1e60d0ee62c08e
>
>
> Fixes: 39d0099f9439 ("powerpc/pseries: Add shutdown() to vio_driver and vio_bus")
>
> Reviewed-by: Stefan Berger <stefanb@linux.ibm.com>
>
> Tested-by: Stefan Berger <stefanb@linux.ibm.com>
>
>

Thanks a lot for testing this.

Best regards,
Lino
Re: [PATCH v2] tpm: fix potential NULL pointer access in tpm_del_char_device
Posted by Jarkko Sakkinen 4 years, 6 months ago
On Mon, Dec 20, 2021 at 04:06:35PM +0100, Lino Sanfilippo wrote:
> Some SPI controller drivers unregister the controller in the shutdown
> handler (e.g. BCM2835). If such a controller is used with a TPM 2 slave
> chip->ops may be accessed when it is already NULL:
> 
> At system shutdown the pre-shutdown handler tpm_class_shutdown() shuts down
> TPM 2 and sets chip->ops to NULL. Then at SPI controller unregistration
> tpm_tis_spi_remove() is called and eventually calls tpm_del_char_device()
> which tries to shut down TPM 2 again. Thereby it accesses chip->ops again:
> (tpm_del_char_device calls tpm_chip_start which calls tpm_clk_enable which
> calls chip->ops->clk_enable).
> 
> Avoid the NULL pointer access by testing if chip->ops is valid and skipping
> the TPM 2 shutdown procedure in case it is NULL.
> 
> Fixes: dcbeab1946454 ("tpm: fix crash in tpm_tis deinitialization")
> Cc: stable@vger.kernel.org
> Signed-off-by: Lino Sanfilippo <LinoSanfilippo@gmx.de>

Thank you.

Reviewed-by: Jarkko Sakkinen <jarkko@kernel.org>

BR,
Jarkko
Re: [PATCH v2] tpm: fix potential NULL pointer access in tpm_del_char_device
Posted by Lino Sanfilippo 4 years, 6 months ago
Hi,

On 29.12.21 at 01:13, Jarkko Sakkinen wrote:
> On Mon, Dec 20, 2021 at 04:06:35PM +0100, Lino Sanfilippo wrote:
>> Some SPI controller drivers unregister the controller in the shutdown
>> handler (e.g. BCM2835). If such a controller is used with a TPM 2 slave
>> chip->ops may be accessed when it is already NULL:
>>
>> At system shutdown the pre-shutdown handler tpm_class_shutdown() shuts down
>> TPM 2 and sets chip->ops to NULL. Then at SPI controller unregistration
>> tpm_tis_spi_remove() is called and eventually calls tpm_del_char_device()
>> which tries to shut down TPM 2 again. Thereby it accesses chip->ops again:
>> (tpm_del_char_device calls tpm_chip_start which calls tpm_clk_enable which
>> calls chip->ops->clk_enable).
>>
>> Avoid the NULL pointer access by testing if chip->ops is valid and skipping
>> the TPM 2 shutdown procedure in case it is NULL.
>>
>> Fixes: dcbeab1946454 ("tpm: fix crash in tpm_tis deinitialization")
>> Cc: stable@vger.kernel.org
>> Signed-off-by: Lino Sanfilippo <LinoSanfilippo@gmx.de>
>
> Thank you.
>
> Reviewed-by: Jarkko Sakkinen <jarkko@kernel.org>
>
> BR,
> Jarkko
>

Thanks a lot for the review. Please note that the latest version is v3 which
contains one more Fixes tag and also a tag for the review by Stefan. I also
adjusted the source code comment in that version which I somehow messed up in v2.

Regards,
Lino