Uninitialized pointers with `__free` attribute can cause undefined
behaviour as the memory assigned(randomly) to the pointer is freed
automatically when the pointer goes out of scope
tee doesn't have any bugs related to this as of now, but
it is better to initialize and assign pointers with `__free` attr
in one statement to ensure proper scope-based cleanup
Reported-by: Dan Carpenter <dan.carpenter(a)linaro.org>
Closes: https://lore.kernel.org/all/aPiG_F5EBQUjZqsl@stanley.mountain/
Signed-off-by: Ally Heev <allyheev(a)gmail.com>
---
drivers/tee/qcomtee/call.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/drivers/tee/qcomtee/call.c b/drivers/tee/qcomtee/call.c
index ac134452cc9cfd384c28d41547545f2c5748d86c..8b7b4decddd8d1811dc0a7cc46a4a4fbada45526 100644
--- a/drivers/tee/qcomtee/call.c
+++ b/drivers/tee/qcomtee/call.c
@@ -645,12 +645,13 @@ static void qcomtee_get_version(struct tee_device *teedev,
static void qcomtee_get_qtee_feature_list(struct tee_context *ctx, u32 id,
u32 *version)
{
- struct qcomtee_object_invoke_ctx *oic __free(kfree);
struct qcomtee_object *client_env, *service;
struct qcomtee_arg u[3] = { 0 };
int result;
- oic = qcomtee_object_invoke_ctx_alloc(ctx);
+ struct qcomtee_object_invoke_ctx *oic __free(kfree) =
+ qcomtee_object_invoke_ctx_alloc(ctx);
+
if (!oic)
return;
---
base-commit: c9cfc122f03711a5124b4aafab3211cf4d35a2ac
change-id: 20251105-aheev-uninitialized-free-attr-tee-0221e45ec5a2
Best regards,
--
Ally Heev <allyheev(a)gmail.com>
In tee_shm_put(), there is not only the NULL pointer dereference,
but also the illegal pointer dereference.
shutdown() --->
__optee_disable_shm_cache -->
shm = reg_pair_to_ptr(...);
tee_shm_free(shm); -->
tee_shm_put(shm); //crash: shm->ctx maybe NULL pointer or illegal pointer
Check whether the pointer is NULL and whether the pointer address is valid.
This issue occurs when rich world uses the 6.x version of the kernel and
optee secure world uses a lower version (such as version 3.2), and it is
highly likely to trigger a kernel panic when conducting hibernate tests.
Fixes: e4a718a3a47e ("tee: fix NULL pointer dereference in tee_shm_put")
Signed-off-by: yangzhao <yangzhao(a)kylinos.cn>
---
drivers/tee/tee_shm.c | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/drivers/tee/tee_shm.c b/drivers/tee/tee_shm.c
index 4a47de4bb2e5..de01d16409c1 100644
--- a/drivers/tee/tee_shm.c
+++ b/drivers/tee/tee_shm.c
@@ -722,7 +722,14 @@ void tee_shm_put(struct tee_shm *shm)
struct tee_device *teedev;
bool do_release = false;
- if (!shm || !shm->ctx || !shm->ctx->teedev)
+ /* checking pointer */
+ if (IS_ERR_OR_NULL(shm) || !virt_addr_valid(shm))
+ return;
+
+ if (IS_ERR_OR_NULL(shm->ctx) || !virt_addr_valid(shm->ctx))
+ return;
+
+ if (IS_ERR_OR_NULL(shm->ctx->teedev) || !virt_addr_valid(shm->ctx->teedev))
return;
teedev = shm->ctx->teedev;
--
2.25.1
From: Jan Kiszka <jan.kiszka(a)siemens.com>
As seen with optee_ftpm, which uses ms-tpm-20-ref [1], a TPM may write
the current time epoch to its NV storage every 4 seconds if there are
commands sent to it. The 60 seconds periodic update of the entropy pool
that the hwrng kthread does triggers this, causing about 4 writes per
requests. Makes 2 millions per year for a 24/7 device, and that is a lot
for its backing NV storage.
It is therefore better to make the user intentionally enable this,
providing a chance to read the warning.
[1] https://github.com/Microsoft/ms-tpm-20-ref
Signed-off-by: Jan Kiszka <jan.kiszka(a)siemens.com>
---
drivers/char/tpm/Kconfig | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/drivers/char/tpm/Kconfig b/drivers/char/tpm/Kconfig
index 8a8f692b6088..d64c929cacbe 100644
--- a/drivers/char/tpm/Kconfig
+++ b/drivers/char/tpm/Kconfig
@@ -45,13 +45,17 @@ config TCG_TPM2_HMAC
config HW_RANDOM_TPM
bool "TPM HW Random Number Generator support"
depends on TCG_TPM && HW_RANDOM && !(TCG_TPM=y && HW_RANDOM=m)
- default y
help
This setting exposes the TPM's Random Number Generator as a hwrng
device. This allows the kernel to collect randomness from the TPM at
boot, and provides the TPM randomines in /dev/hwrng.
- If unsure, say Y.
+ WARNING: Specifically firmware-based TPMs, possibly also hardware
+ variants, can wear-out from the frequent requests issued by the
+ Hardware Random Number Generator Core when filling the kernel's
+ entropy pool. These requests are sent once every minute by default,
+ and the TPM may write the current time to its NV storage for each of
+ them.
config TCG_TIS_CORE
tristate
--
2.51.0
