Received: by 2002:ac0:a581:0:0:0:0:0 with SMTP id m1-v6csp3011242imm;
        Sun, 1 Jul 2018 10:15:21 -0700 (PDT)
X-Google-Smtp-Source: AAOMgpc5SNhB585h+oHFKYpi1kmIwlf3ZJ/zJViZovK8BLK5xHOna3hdYV4Mi5BOB9OukPpv3XeU
X-Received: by 2002:a62:3687:: with SMTP id d129-v6mr22236410pfa.137.1530465321426;
        Sun, 01 Jul 2018 10:15:21 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1530465321; cv=none;
        d=google.com; s=arc-20160816;
        b=YdljwNQLNxtETD2hky3am6IlUe1IkaLRMAHoKzfFs3d8zlfcUG+jWFnFfjLQqi7irH
         T64aLNhHzDzi+ymtBbxkvLFmnV3U4UwWfAuQAZd8EDifWK+USEWjj+JpEIsLvN+0+1oH
         bMtzAAlP0fSsY+9BZbMRnxQ2kszSJOTi8RdVgWSxJVCy2q5V7p7ZD8DYvUBsBIU4DhIE
         q03LzB9id4tjscIxk4L6xAoeo0suebLdiBy49ijA+TVoieYYYFf2++WUhvYA3vwXgcB6
         LDruYZNyJZMavLaT7cAsJbqPK529O95qmTb8yudSC9i7uype3kMQkp25wj3PLOisc8SO
         51UQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:mime-version:user-agent:references
         :in-reply-to:message-id:date:subject:cc:to:from
         :arc-authentication-results;
        bh=+Kmh3hyq42obzNFIOEkAhFT7sbuG/n8upfR1s92rWug=;
        b=lYXOvSJDbHwk2tJrlWpAtTZmI38PIfbJ7LNnVG+CHGqHh8TMSLKvQZ8UMj45ajjtjz
         eLJoavZUWriynaHK6gCaHZWEDU4c4juq5W5UN+74BGt4iCqlvvRd3IpAfET84tGhz2mp
         Kc1/uwywsVKqnJwo/pe4D8WOXSROdgmhA6v+QxT3uWTgw6cvIKw4KACwtzds8NAqJI5H
         QW2kZWmz2fmsDRzWfb/ppCuVQKEWZrU8bHyogKp8SLhVZxPFshcXHFaDDDt58JyC9tWR
         2nQrn8Y5AcfMj5crEewvH1E/Xnki0bav8W9dqibtMvTk9L/3oHG+yUemfDsn9Eccuiqo
         WIiA==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id i62-v6si13715168pfc.255.2018.07.01.10.15.07;
        Sun, 01 Jul 2018 10:15:21 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1030276AbeGARNj (ORCPT <rfc822;deadfox.tw@gmail.com>
        + 99 others); Sun, 1 Jul 2018 13:13:39 -0400
Received: from mail.linuxfoundation.org ([140.211.169.12]:37134 "EHLO
        mail.linuxfoundation.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1031787AbeGAQkN (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Sun, 1 Jul 2018 12:40:13 -0400
Received: from localhost (LFbn-1-12247-202.w90-92.abo.wanadoo.fr [90.92.61.202])
        by mail.linuxfoundation.org (Postfix) with ESMTPSA id C272CAE0;
        Sun,  1 Jul 2018 16:40:12 +0000 (UTC)
From:   Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To:     linux-kernel@vger.kernel.org
Cc:     Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
        stable@vger.kernel.org, Tadeusz Struk <tadeusz.struk@intel.com>,
        Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Subject: [PATCH 4.17 081/220] tpm: fix use after free in tpm2_load_context()
Date:   Sun,  1 Jul 2018 18:21:45 +0200
Message-Id: <20180701160911.819602711@linuxfoundation.org>
X-Mailer: git-send-email 2.18.0
In-Reply-To: <20180701160908.272447118@linuxfoundation.org>
References: <20180701160908.272447118@linuxfoundation.org>
User-Agent: quilt/0.65
X-stable: review
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

4.17-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Tadeusz Struk <tadeusz.struk@intel.com>

commit 8c81c24758ffbf17cf06c6835d361ffa57be2f0e upstream.

If load context command returns with TPM2_RC_HANDLE or TPM2_RC_REFERENCE_H0
then we have use after free in line 114 and double free in 117.

Fixes: 4d57856a21ed2 ("tpm2: add session handle context saving and restoring to the space code")
Cc: stable@vger.kernel.org
Signed-off-by: Tadeusz Struk <tadeusz.struk@intel.com>
Reviewed-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Signed-off--by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/char/tpm/tpm2-space.c |    3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/drivers/char/tpm/tpm2-space.c
+++ b/drivers/char/tpm/tpm2-space.c
@@ -102,8 +102,9 @@ static int tpm2_load_context(struct tpm_
 		 * TPM_RC_REFERENCE_H0 means the session has been
 		 * flushed outside the space
 		 */
-		rc = -ENOENT;
+		*handle = 0;
 		tpm_buf_destroy(&tbuf);
+		return -ENOENT;
 	} else if (rc > 0) {
 		dev_warn(&chip->dev, "%s: failed with a TPM error 0x%04X\n",
 			 __func__, rc);