ANDROID: trusty: fix use-after-free

Rework the 'trace_trusty_ipc_read_end()' to accept 'buf_id' and
'shm_cnt' instead of the 'md' which could be invalid after free.

This fixes the KFENCE dump:
	[ 4108.926665][  T254] BUG: KFENCE: use-after-free read in trace_event_raw_event_trusty_ipc_read_end+0xa8/0x11c [trusty_ipc]
	[ 4108.926665][  T254]
	[ 4108.939893][  T254] Use-after-free read at 0x00000000d5383753 (in kfence-#49):
	[ 4108.947125][  T254] trace_event_raw_event_trusty_ipc_read_end+0xa8/0x11c [trusty_ipc]
	[ 4108.955127][  T254]  tipc_read_iter+0x3c4/0x434 [trusty_ipc]
	[ 4108.960869][  T254]  do_iter_read+0x1e4/0x300
	[ 4108.965243][  T254]  do_readv+0xd4/0x190
	[ 4108.969180][  T254]  __arm64_sys_readv+0x24/0x38
	[ 4108.973810][  T254]  invoke_syscall+0x5c/0x11c
	[ 4108.978270][  T254]  el0_svc_common+0xb8/0x104
	[ 4108.982731][  T254]  do_el0_svc+0x30/0xc0
	[ 4108.986751][  T254]  el0_svc+0x30/0xac
	[ 4108.990520][  T254]  el0t_64_sync_handler+0x6c/0xbc
	[ 4108.995415][  T254]  el0t_64_sync+0x1a0/0x1a4
	[ 4108.999781][  T254]
	[ 4109.001975][  T254] kfence-#49: 0x00000000d990fc1e-0x00000000baff0d36, size=96, cache=kmalloc-128
	[ 4109.001975][  T254]
	[ 4109.013030][  T254] allocated by task 8231 on cpu 3 at 4108.225632s:
	[ 4109.019554][  T254]  __kmem_cache_alloc_node+0x238/0x294
	[ 4109.024879][  T254]  kmalloc_trace+0x54/0x180
	[ 4109.029249][  T254]  vds_alloc_msg_buf+0x6c/0x120 [trusty_ipc]
	[ 4109.035169][  T254]  dn_handle_msg+0x58/0x1bc [trusty_ipc]
	[ 4109.040736][  T254]  _rxvq_cb+0x14c/0x83c [trusty_ipc]
	[ 4109.045955][  T254]  vring_interrupt+0xa4/0xc0
	[ 4109.050412][  T254]  check_all_vqs+0x64/0x88 [trusty_virtio]
	[ 4109.056100][  T254]  process_one_work+0x244/0x50c
	[ 4109.060818][  T254]  worker_thread+0x268/0x488
	[ 4109.065276][  T254]  kthread+0x110/0x158.513421: trusty_smc: smcnr=SC_NOP
	[ 4109.069209][  T254]  ret_from_fork+0x10/0x20
	[ 4109.076349][  T254]
	[ 4109.078543][  T254] freed by task 254 on cpu 2 at 4108.917154s:
	[ 4109.084489][  T254]  tipc_read_iter+0x130/0x434 [trusty_ipc]
	[ 4109.090232][  T254]  do_iter_read+0x1e4/0x300
	[ 4109.094604][  T254]  do_readv+0xd4/0x190
	[ 4109.098538][  T254]  __arm64_sys_readv+0x24/0x38
	[ 4109.103170][  T254]  invoke_syscall+0x5c/0x11c
	[ 4109.107630][  T254]  el0_svc_common+0xb8/0x104
	[ 4109.112088][  T254]  do_el0_svc+0x30/0xc0
	[ 4109.116111][  T254]  el0_svc+0x30/0xac
	[ 4109.119873][  T254]  el0t_64_sync_handler+0x6c/0xbc
	[ 4109.124767][  T254]  el0t_64_sync+0x1a0/0x1a4
	[ 4109.129136][  T254]
	[ 4109.131328][  T254] CPU: 2 PID: 254 Comm: android.hardwar Tainted: G    B    C OE      6.1.22-13799-g07571651e990-ab127 #1

Bug: 279270023
Test: run CtsKeystoreTestCases CTS module while enabling tracing.

Change-Id: Ide61b535bb167cce8b25ff6f6670c96c0474c885
Signed-off-by: Ji Luo <ji.luo@nxp.com>
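The ordering bug the message describes, and the shape of the fix, as an added illustration that is not code from the Trusty driver or from this patch: the descriptor is freed in the read path and the trace event then dereferences it, whereas the fixed trace point takes 'buf_id' and 'shm_cnt' by value, captured while the descriptor is still live. The struct layout, the poisoning stand-in for the slab free and all function names are assumptions for the demo.

```c
#include <stdint.h>
#include <string.h>
/* Constructed stand-in for the descriptor tipc_read_iter() frees; layout assumed. */
struct tipc_msg_buf {
    uint64_t buf_id;
    uint32_t shm_cnt;
};

/* Last values the trace event captured (stand-in for the trace ring). */
static uint64_t last_buf_id;
static uint32_t last_shm_cnt;

/* Stand-in for the slab free: poison the object (as slab debugging does)
 * but keep it mapped, so a stale read shows garbage instead of UB. */
static void poison_free(struct tipc_msg_buf *md)
{
    memset(md, 0xAA, sizeof(*md));
}

/* Buggy trace event: dereferences the descriptor pointer it is handed. */
static void trace_read_end_by_ptr(const struct tipc_msg_buf *md)
{
    last_buf_id = md->buf_id;
    last_shm_cnt = md->shm_cnt;
}

/* Fixed trace event: takes buf_id and shm_cnt by value, no pointer. */
static void trace_read_end_by_val(uint64_t buf_id, uint32_t shm_cnt)
{
    last_buf_id = buf_id;
    last_shm_cnt = shm_cnt;
}

/* Read path as the KFENCE dump shows it: free, then trace via 'md'. */
uint64_t read_end_buggy(struct tipc_msg_buf *md)
{
    poison_free(md);
    trace_read_end_by_ptr(md);   /* reads freed memory */
    return last_buf_id;
}

/* Read path after the fix: copy the fields out while 'md' is still valid. */
uint64_t read_end_fixed(struct tipc_msg_buf *md)
{
    uint64_t buf_id = md->buf_id;
    uint32_t shm_cnt = md->shm_cnt;
    poison_free(md);
    trace_read_end_by_val(buf_id, shm_cnt);
    return last_buf_id;
}
```

With real slab memory the buggy path is what KFENCE flags; here the poison pattern makes the stale read visible without leaving defined behaviour.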
2 files changed