Potential Use After Free in tee_se_manager_unregister_reader() #1965
Comments
Thanks for reporting. Using Would you mind supplying a pull request? Thanks,
@jenswi-linaro Sure I can do that, one more question though.. the implementation of

```c
#define TAILQ_FOREACH_SAFE(var, head, field, next) \
	for ((var) = ((head)->tqh_first); \
	    (var) != NULL && ((next) = TAILQ_NEXT(var, field), 1); \
	    (var) = (next))
```

if the race condition occurs, if `proxy` is freed in the loop body, the uses of the `proxy` variable in part 2 and part 3 are potential issues (the memory block might be allocated by other threads and the content might not be the same): `for (part 1; part 2; part 3)`. I am thinking about an extra list to store the proxies that will be freed in the future, and free those proxies after the

Thank you,
Moving the elements to a different list first before freeing doesn't make any difference here.
@jenswi-linaro I thought about that twice; indeed the execution sequence is "part 1" -> "part 2" -> loop body -> "part 3", I must have got that wrong... I will supply a pull request later today to replace

Thanks,
The freed `proxy` will be used again on the incremental part of the for loop, it leaves potential risk of UAF crashing, replace `TAILQ_FOREACH()` with `TAILQ_FOREACH_SAFE()` to avoid second use of freed memory.

Fixes: OP-TEE/optee_os#1965
Signed-off-by: Alex CHEN <viennadd@gmail.com>
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
[jf: add 'se:' to subject, don't capitalize "use", capitalize 'Fixes:']
Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Hi all,
Our code scanner Pinpoint has reported a potential use after free in the following `for` loop: the freed `proxy` is still used in the for loop (`(var) = ((var)->field.tqe_next))`). I can see there is a critical section locked by `ctx->mutex`; could there be other threads that are not using this mutex object but acquiring memory from the process heap at the same time (after the free, but before `(var) = ((var)->field.tqe_next))`)? The content pointed to by `proxy` might be overwritten by other threads then.

optee_os/core/tee/se/manager.c, lines 75 to 91 in 24bb751
Regards,
Alex, Sourcebrella Inc.
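To make the loop-increment read concrete, here is a stand-alone C program added for this page; it is not OP-TEE code, and `struct se_proxy`, `release_proxy()`, the static pool and the list name `readers` are assumptions standing in for the reader proxies in manager.c. It runs the reported `TAILQ_FOREACH()` pattern and the `TAILQ_FOREACH_SAFE()` replacement from the fix over the same four-element list. Instead of `free()` it wipes the released node, which is what a reallocation by another thread would do to it, so the unsafe loop reads a NULL next pointer out of released memory and stops after one element instead of crashing; the safe loop fetches `next` before the body runs and releases all four. The `#ifndef` fallback repeats the BSD macro quoted in the thread, because glibc's `<sys/queue.h>` may not ship the `_SAFE` variant.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/queue.h>

/* Fallback for libcs whose <sys/queue.h> lacks the _SAFE variant; the
 * body is the BSD definition quoted earlier in this thread. */
#ifndef TAILQ_FOREACH_SAFE
#define TAILQ_FOREACH_SAFE(var, head, field, next) \
	for ((var) = ((head)->tqh_first); \
	    (var) != NULL && ((next) = TAILQ_NEXT(var, field), 1); \
	    (var) = (next))
#endif

/* Hypothetical stand-in for a reader proxy (assumption, not the OP-TEE struct). */
struct se_proxy {
	int id;
	TAILQ_ENTRY(se_proxy) link;
};
TAILQ_HEAD(proxy_list, se_proxy);

#define NPROXIES 4
static struct se_proxy pool[NPROXIES];	/* static pool instead of malloc */
static struct proxy_list readers;

/* (Re)build the list: pool[0] .. pool[3], ids 1..4. */
static void reset_list(void)
{
	TAILQ_INIT(&readers);
	for (int i = 0; i < NPROXIES; i++) {
		pool[i].id = i + 1;
		TAILQ_INSERT_TAIL(&readers, &pool[i], link);
	}
}

/* Stand-in for free(): wipes the node so a later read of it sees garbage,
 * as it would after another thread reused the block. With a real free()
 * the same read is undefined behaviour (ASan reports heap-use-after-free). */
static void release_proxy(struct se_proxy *p)
{
	memset(p, 0, sizeof(*p));
}

/* The pattern reported in the issue: proxy is released in the body, then
 * the for-loop increment reads proxy->link.tqe_next from released memory. */
static int unregister_all_unsafe(struct proxy_list *list)
{
	struct se_proxy *proxy;
	int released = 0;

	TAILQ_FOREACH(proxy, list, link) {
		TAILQ_REMOVE(list, proxy, link);
		release_proxy(proxy);
		released++;
	}
	return released;	/* wiped next pointer is NULL: stops after 1 */
}

/* The fix: next is saved before the body, so the released node is never
 * touched again. */
static int unregister_all_safe(struct proxy_list *list)
{
	struct se_proxy *proxy, *next;
	int released = 0;

	TAILQ_FOREACH_SAFE(proxy, list, link, next) {
		TAILQ_REMOVE(list, proxy, link);
		release_proxy(proxy);
		released++;
	}
	return released;
}

/* Count entries still registered (no frees here, plain FOREACH is fine). */
static int remaining(struct proxy_list *list)
{
	struct se_proxy *p;
	int n = 0;

	TAILQ_FOREACH(p, list, link)
		n++;
	return n;
}

static int demo_unsafe(void) { reset_list(); return unregister_all_unsafe(&readers); }
static int demo_safe(void)   { reset_list(); return unregister_all_safe(&readers); }

int main(void)
{
	int released = demo_unsafe();
	printf("TAILQ_FOREACH:      released %d, still registered %d\n",
	       released, remaining(&readers));
	released = demo_safe();
	printf("TAILQ_FOREACH_SAFE: released %d, still registered %d\n",
	       released, remaining(&readers));
	return 0;
}
```

The wipe makes the failure deterministic and observable (three proxies left registered); with `free()` in place of `release_proxy()` the outcome depends on what the allocator does with the block, which is exactly why the read is a race rather than a guaranteed crash.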