
Commit 56ae14d

tee: amdtee: fix race condition in amdtee_open_session
jira VULN-66921 cve CVE-2023-53047 commit-author Rijo Thomas <Rijo-john.Thomas@amd.com> commit f8502fb

There is a potential race condition in amdtee_open_session that may lead to use-after-free. For instance, in amdtee_open_session(), after sess->sess_mask is set and before setting:

    sess->session_info[i] = session_info;

if amdtee_close_session() closes this same session, then the 'sess' data structure will be released, causing a kernel panic when 'sess' is accessed within amdtee_open_session(). The solution is to set the bit in sess->sess_mask as the last step in amdtee_open_session().

Fixes: 757cc3e ("tee: add AMD-TEE driver") Cc: stable@vger.kernel.org Signed-off-by: Rijo Thomas <Rijo-john.Thomas@amd.com> Acked-by: Sumit Garg <sumit.garg@linaro.org> Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org> (cherry picked from commit f8502fb) Signed-off-by: Shreeya Patel <spatel@ciq.com>
1 parent 49b523b commit 56ae14d


1 file changed

+14
-15
lines changed


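--- a/drivers/tee/amdtee/core.c
+++ b/drivers/tee/amdtee/core.c
@@ -268,35 +268,34 @@ int amdtee_open_session(struct tee_context *ctx,
 goto out;
 }
 
+/* Open session with loaded TA */
+handle_open_session(arg, &session_info, param);
+if (arg->ret != TEEC_SUCCESS) {
+pr_err("open_session failed %d\n", arg->ret);
+handle_unload_ta(ta_handle);
+kref_put(&sess->refcount, destroy_session);
+goto out;
+}
+
 /* Find an empty session index for the given TA */
 spin_lock(&sess->lock);
 i = find_first_zero_bit(sess->sess_mask, TEE_NUM_SESSIONS);
-if (i < TEE_NUM_SESSIONS)
+if (i < TEE_NUM_SESSIONS) {
+sess->session_info[i] = session_info;
+set_session_id(ta_handle, i, &arg->session);
 set_bit(i, sess->sess_mask);
+}
 spin_unlock(&sess->lock);
 
 if (i >= TEE_NUM_SESSIONS) {
 pr_err("reached maximum session count %d\n", TEE_NUM_SESSIONS);
+handle_close_session(ta_handle, session_info);
 handle_unload_ta(ta_handle);
 kref_put(&sess->refcount, destroy_session);
 rc = -ENOMEM;
 goto out;
 }
 
-/* Open session with loaded TA */
-handle_open_session(arg, &session_info, param);
-if (arg->ret != TEEC_SUCCESS) {
-pr_err("open_session failed %d\n", arg->ret);
-spin_lock(&sess->lock);
-clear_bit(i, sess->sess_mask);
-spin_unlock(&sess->lock);
-handle_unload_ta(ta_handle);
-kref_put(&sess->refcount, destroy_session);
-goto out;
-}
-
-sess->session_info[i] = session_info;
-set_session_id(ta_handle, i, &arg->session);
 out:
 free_pages((u64)ta, get_order(ta_size));
 return rc;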
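Review bot: The ordering that this fix depends on — populate `session_info[i]` and the session id first, publish the slot with `set_bit()` last, all under `sess->lock` — is the whole point of the change, yet the new `if (i < TEE_NUM_SESSIONS) {` block carries no comment saying so, and the old "Find an empty session index" comment still reads as if the slot were merely reserved here. A later refactor that moves `set_bit()` back up, or hoists `session_info[i]` out of the lock, would silently reintroduce CVE-2023-53047. I would add above `set_bit(i, sess->sess_mask);`: `/* Publish the slot last: once this bit is visible, amdtee_close_session() can pick the slot, drop our reference and free sess, so nothing may touch sess after it. */`. Two things are not visible in the hunk and worth confirming in the full file: that `set_session_id()` is a pure computation (it now runs with the spinlock held), and that the reference dropped by `kref_put()` in the two error paths is the one taken earlier in this function rather than a caller's. The start of amdtee_open_session(), including the TA load and session allocation, is outside this hunk.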
