user/sven/linux.git/drivers/tee/amdtee, branch v6.1.105

tee: amdtee: fix use-after-free vulnerability in amdtee_close_session

2023-10-19T21:08:57Z

commit f4384b3e54ea813868bb81a861bf5b2406e15d8f upstream. There is a potential race condition in amdtee_close_session that may cause use-after-free in amdtee_open_session. For instance, if a session has refcount == 1, and one thread tries to free this session via: kref_put(&sess->refcount, destroy_session); the reference count will get decremented, and the next step would be to call destroy_session(). However, if in another thread, amdtee_open_session() is called before destroy_session() has completed execution, alloc_session() may return 'sess' that will be freed up later in destroy_session() leading to use-after-free in amdtee_open_session. To fix this issue, treat decrement of sess->refcount and removal of 'sess' from session list in destroy_session() as a critical section, so that it is executed atomically. Fixes: 757cc3e9ff1d ("tee: add AMD-TEE driver") Cc: stable@vger.kernel.org Signed-off-by: Rijo Thomas Reviewed-by: Sumit Garg Signed-off-by: Jens Wiklander Signed-off-by: Greg Kroah-Hartman

tee: amdtee: Add return_origin to 'struct tee_cmd_load_ta'

2023-06-14T09:15:28Z

commit 436eeae0411acdfc54521ddea80ee76d4ae8a7ea upstream. After TEE has completed processing of TEE_CMD_ID_LOAD_TA, set proper value in 'return_origin' argument passed by open_session() call. To do so, add 'return_origin' field to the structure tee_cmd_load_ta. The Trusted OS shall update return_origin as part of TEE processing. This change to 'struct tee_cmd_load_ta' interface requires a similar update in AMD-TEE Trusted OS's TEE_CMD_ID_LOAD_TA interface. This patch has been verified on Phoenix Birman setup. On older APUs, return_origin value will be 0. Cc: stable@vger.kernel.org Fixes: 757cc3e9ff1d ("tee: add AMD-TEE driver") Tested-by: Sourabh Das Signed-off-by: Rijo Thomas Acked-by: Sumit Garg Signed-off-by: Jens Wiklander Signed-off-by: Greg Kroah-Hartman

tee: amdtee: fix race condition in amdtee_open_session

2023-03-30T10:49:29Z

commit f8502fba45bd30e1a6a354d9d898bc99d1a11e6d upstream. There is a potential race condition in amdtee_open_session that may lead to use-after-free. For instance, in amdtee_open_session() after sess->sess_mask is set, and before setting: sess->session_info[i] = session_info; if amdtee_close_session() closes this same session, then 'sess' data structure will be released, causing kernel panic when 'sess' is accessed within amdtee_open_session(). The solution is to set the bit sess->sess_mask as the last step in amdtee_open_session(). Fixes: 757cc3e9ff1d ("tee: add AMD-TEE driver") Cc: stable@vger.kernel.org Signed-off-by: Rijo Thomas Acked-by: Sumit Garg Signed-off-by: Jens Wiklander Signed-off-by: Greg Kroah-Hartman

Merge tag 'tee-shm-for-v5.18' of git://git.linaro.org:/people/jens.wiklander/linux-tee into arm/drivers

2022-02-25T16:05:11Z

TEE shared memory cleanup for v5.18 - The TEE shared memory pool based on two pools is replaced with a single somewhat more capable pool. - Replaces tee_shm_alloc() and tee_shm_register() with new functions easier to use and maintain. The TEE subsystem and the TEE drivers are updated to use the new functions instead. - The TEE based Trusted keys routines are updated to use the new simplified functions above. - The OP-TEE based rng driver is updated to use the new simplified functions above. - The TEE_SHM-flags are refactored to better match their usage * tag 'tee-shm-for-v5.18' of git://git.linaro.org:/people/jens.wiklander/linux-tee: tee: refactor TEE_SHM_* flags tee: replace tee_shm_register() KEYS: trusted: tee: use tee_shm_register_kernel_buf() tee: add tee_shm_register_{user,kernel}_buf() optee: add optee_pool_op_free_helper() tee: replace tee_shm_alloc() tee: simplify shm pool handling tee: add tee_shm_alloc_user_buf() tee: remove unused tee_shm_pool_alloc_res_mem() hwrng: optee-rng: use tee_shm_alloc_kernel_buf() optee: use driver internal tee_context for some rpc Link: https://lore.kernel.org/r/20220218184802.GA968155@jade Signed-off-by: Arnd Bergmann

tee: simplify shm pool handling

2022-02-16T06:49:41Z

Replaces the shared memory pool based on two pools with a single pool. The alloc() function pointer in struct tee_shm_pool_ops gets another parameter, align. This makes it possible to make less than page aligned allocations from the optional reserved shared memory pool while still making user space allocations page aligned. With in practice unchanged behaviour using only a single pool for bookkeeping. The allocation algorithm in the static OP-TEE shared memory pool is changed from best-fit to first-fit since only the latter supports an alignment parameter. The best-fit algorithm was previously the default choice and not a conscious one. The optee and amdtee drivers are updated as needed to work with this changed pool handling. This also removes OPTEE_SHM_NUM_PRIV_PAGES which becomes obsolete with this change as the private pages can be mixed with the payload pages. The OP-TEE driver changes minimum alignment for argument struct from 8 bytes to 512 bytes. A typical OP-TEE private shm allocation is 224 bytes (argument struct with 6 parameters, needed for open session). So with an alignment of 512 well waste a bit more than 50%. Before this we had a single page reserved for this so worst case usage compared to that would be 3 pages instead of 1 page. However, this worst case only occurs if there is a high pressure from multiple threads on secure world. All in all this should scale up and down better than fixed boundaries. Reviewed-by: Sumit Garg Signed-off-by: Jens Wiklander

tee: amdtee: Make use of the helper macro LIST_HEAD()

2022-02-14T09:57:55Z

Replace "struct list_head head = LIST_HEAD_INIT(head)" with "LIST_HEAD(head)" to simplify the code. Signed-off-by: Cai Huoqing Reviewed-by: Rijo Thomas Signed-off-by: Jens Wiklander

tee: amdtee: fix an IS_ERR() vs NULL bug

2021-11-29T08:55:49Z

The __get_free_pages() function does not return error pointers it returns NULL so fix this condition to avoid a NULL dereference. Fixes: 757cc3e9ff1d ("tee: add AMD-TEE driver") Signed-off-by: Dan Carpenter Acked-by: Rijo Thomas Signed-off-by: Jens Wiklander

tee: amdtee: unload TA only when its refcount becomes 0

2021-05-05T11:00:11Z

Same Trusted Application (TA) can be loaded in multiple TEE contexts. If it is a single instance TA, the TA should not get unloaded from AMD Secure Processor, while it is still in use in another TEE context. Therefore reference count TA and unload it when the count becomes zero. Fixes: 757cc3e9ff1d ("tee: add AMD-TEE driver") Reviewed-by: Devaraj Rangasamy Signed-off-by: Rijo Thomas Acked-by: Dan Carpenter Signed-off-by: Jens Wiklander

tee: amdtee: synchronize access to shm list

2020-11-09T07:59:00Z

Synchronize access to shm or shared memory buffer list to prevent race conditions due to concurrent updates to shared shm list by multiple threads. Fixes: 757cc3e9ff1d ("tee: add AMD-TEE driver") Reviewed-by: Devaraj Rangasamy Signed-off-by: Rijo Thomas Signed-off-by: Jens Wiklander

tee: amdtee: fix memory leak due to reset of global shm list

2020-11-09T07:58:54Z

The driver maintains a list of shared memory buffers along with their mapped buffer id's in a global linked list. These buffers need to be unmapped after use by the user-space client. The global shared memory list is initialized to zero entries in the function amdtee_open(). This clearing of list entries can be a source for memory leak on secure side if the global linked list previously held some mapped buffer entries allocated from another TEE context. Fix potential memory leak issue by moving global shared memory list to AMD-TEE driver context data structure. Fixes: 757cc3e9ff1d ("tee: add AMD-TEE driver") Reviewed-by: Devaraj Rangasamy Signed-off-by: Rijo Thomas Signed-off-by: Jens Wiklander