[tpmdd-devel,v5,4/5] Initialize TPM and get durations and timeouts

Message ID 20160212231912.GA7034@obsidianresearch.com
State New

Commit Message

Jason Gunthorpe Feb. 12, 2016, 11:19 p.m. UTC
On Fri, Feb 12, 2016 at 05:47:11PM -0500, Stefan Berger wrote:

>    Also I am zeroing tpm_chip and vtpm_dev structures before the free.
>    Nothing bad happens in any combination of device opening / closing
>    tests I did.

That won't help detect use after free.

You won't be able to find this with open/close testing, an RPC has to
be done on /dev/tpmX at the right time, and even if there is some
tricky reason why cdev works, kapi doesn't have any protection.

Try this, let's make the use-after-free into a
null-pointer-deref. Much easier to spot.



Patch

--- a/drivers/char/tpm/tpm-chip.c
+++ b/drivers/char/tpm/tpm-chip.c
@@ -305,6 +305,8 @@  void tpm_chip_unregister(struct tpm_chip *chip)
 		sysfs_remove_link(&chip->pdev->kobj, "ppi");
 
 	tpm1_chip_unregister(chip);
+	chip->priv = NULL;
+	chip->ops = NULL;
 	tpm_dev_del_device(chip);
 }
 EXPORT_SYMBOL_GPL(tpm_chip_unregister);
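Review bot: The two added stores in tpm_chip_unregister() are a debugging aid, not a fix: clearing chip->priv and chip->ops after tpm1_chip_unregister() only turns a racing use of the stale chip into a NULL-pointer dereference, as the message above says, and nothing in the hunk orders those writes against readers on the cdev or kapi paths, so a caller that already loaded chip->ops before the store still runs the old callbacks. If this is meant for merging rather than for reproducing the race, the clearing should happen under the same lock the /dev/tpmX and in-kernel callers take, and those callers should test chip->ops for NULL under that lock; otherwise label the change as a diagnostic in the commit message so it is not taken for a lifetime fix.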