Subject: Re: [PATCH v2] tpm: fix potential NULL pointer access in
 tpm_del_char_device
To:     peterhuewe@gmx.de, jarkko@kernel.org, jgg@ziepe.ca
Cc:     p.rosenberger@kunbus.com, linux-integrity@vger.kernel.org,
        linux-kernel@vger.kernel.org, stable@vger.kernel.org,
        stefanb@linux.vnet.ibm.com
References: <20211220150635.8545-1-LinoSanfilippo@gmx.de>
From:   Lino Sanfilippo <LinoSanfilippo@gmx.de>
Message-ID: <d247bcfd-8c51-c8c3-3b30-d78624f89629@gmx.de>
Date:   Tue, 21 Dec 2021 20:16:00 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101
 Thunderbird/68.10.0
MIME-Version: 1.0
In-Reply-To: <20211220150635.8545-1-LinoSanfilippo@gmx.de>
Content-Type: text/plain; charset=utf-8
Content-Language: en-US
Content-Transfer-Encoding: quoted-printable
Precedence: bulk

Hi,

the patch below should also fix the issue that Stefan reported here:

https://marc.info/?l=3Dlinux-integrity&m=3D163927245509564&w=3D2


Regards,
Lino


On 20.12.21 at 16:06, Lino Sanfilippo wrote:
> Some SPI controller drivers unregister the controller in the shutdown
> handler (e.g. BCM2835). If such a controller is used with a TPM 2 slave
> chip->ops may be accessed when it is already NULL:
>
> At system shutdown the pre-shutdown handler tpm_class_shutdown() shuts d=
own
> TPM 2 and sets chip->ops to NULL. Then at SPI controller unregistration
> tpm_tis_spi_remove() is called and eventually calls tpm_del_char_device(=
)
> which tries to shut down TPM 2 again. Thereby it accesses chip->ops agai=
n:
> (tpm_del_char_device calls tpm_chip_start which calls tpm_clk_enable whi=
ch
> calls chip->ops->clk_enable).
>
> Avoid the NULL pointer access by testing if chip->ops is valid and skipp=
ing
> the TPM 2 shutdown procedure in case it is NULL.
>
> Fixes: dcbeab1946454 ("tpm: fix crash in tpm_tis deinitialization")
> Cc: stable@vger.kernel.org
> Signed-off-by: Lino Sanfilippo <LinoSanfilippo@gmx.de>
> ---
>
> Changes to v2:
> - rephrased the commit message to clarify the circumstances under which
>   this bug triggers (as requested by Jarkko)
>
>
> I was able to reproduce this issue with a SLB 9670 TPM chip controlled b=
y
> a BCM2835 SPI controller.
>
> The approach to fix this issue in the BCM2835 driver was rejected after =
a
> discussion on the mailing list:
>
> https://marc.info/?l=3Dlinux-integrity&m=3D163285906725367&w=3D2
>
> The reason for the rejection was the realization, that this issue should=
 rather
> be fixed in the TPM code:
>
> https://marc.info/?l=3Dlinux-spi&m=3D163311087423271&w=3D2
>
> So this is the reworked version of a patch that is supposed to do that.
>
>
>  drivers/char/tpm/tpm-chip.c | 16 +++++++++++-----
>  1 file changed, 11 insertions(+), 5 deletions(-)
>
> diff --git a/drivers/char/tpm/tpm-chip.c b/drivers/char/tpm/tpm-chip.c
> index ddaeceb7e109..7960da490e72 100644
> --- a/drivers/char/tpm/tpm-chip.c
> +++ b/drivers/char/tpm/tpm-chip.c
> @@ -474,13 +474,19 @@ static void tpm_del_char_device(struct tpm_chip *c=
hip)
>
>  	/* Make the driver uncallable. */
>  	down_write(&chip->ops_sem);
> -	if (chip->flags & TPM_CHIP_FLAG_TPM2) {
> -		if (!tpm_chip_start(chip)) {
> -			tpm2_shutdown(chip, TPM2_SU_CLEAR);
> -			tpm_chip_stop(chip);
> +	/* Check if chip->ops is still valid: In case that the controller
> +	 * drivers shutdown handler unregisters the controller in its
> +	 * shutdown handler we are called twice and chip->ops to NULL.
> +	 */
> +	if (chip->ops) {
> +		if (chip->flags & TPM_CHIP_FLAG_TPM2) {
> +			if (!tpm_chip_start(chip)) {
> +				tpm2_shutdown(chip, TPM2_SU_CLEAR);
> +				tpm_chip_stop(chip);
> +			}
>  		}
> +		chip->ops =3D NULL;
>  	}
> -	chip->ops =3D NULL;
>  	up_write(&chip->ops_sem);
>  }
>
>
> base-commit: a7904a538933c525096ca2ccde1e60d0ee62c08e
>