On Fri, Feb 12, 2016 at 05:47:11PM -0500, Stefan Berger wrote:
> Also I am zeroing tpm_chip and vtpm_dev structures before the free.
> Nothing bad happens in any combination of device opening / closing
> tests I did.
That won't help detect use after free.
You won't be able to find this with open/close testing, an RPC has to
be done on /dev/tpmX at the right time, and even if there is some
tricky reason why cdev works, kapi doesn't have any protection.
Try this, let's make the use-after-free into a
null-pointer-deref. Much easier to spot.
--- a/drivers/char/tpm/tpm-chip.c
+++ b/drivers/char/tpm/tpm-chip.c
@@ -305,6 +305,8 @@ void tpm_chip_unregister(struct tpm_chip *chip)
sysfs_remove_link(&chip->pdev->kobj, "ppi");
tpm1_chip_unregister(chip);
+ chip->priv = NULL;
+ chip->ops = NULL;
tpm_dev_del_device(chip);
}
EXPORT_SYMBOL_GPL(tpm_chip_unregister);
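Review bot: Clearing chip->priv and chip->ops before tpm_dev_del_device(chip) leaves a window in which the character device is still registered with both pointers NULL, so an RPC arriving on /dev/tpmX in that window dereferences NULL in whatever path loads chip->ops. That is the intended diagnostic effect described in the message, but the two stores are plain writes with no lock or barrier, so a caller that has already loaded chip->ops keeps running against the old pointer and the memory behind it after tpm_chip_unregister returns; this hunk makes the race visible, it does not close it. If anything like it is to be merged rather than used for debugging, the use of chip->ops needs an explicit guard (a check under a lock or a refcount on every use, and draining of in-flight users before teardown) rather than a bare NULL store, and the clearing should move under that guard.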
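As an added illustration of the lifetime problem discussed above (not code from the thread or from the kernel TPM driver), the following user-space C model shows the defensive shape that turns the race into a clean error instead of a use-after-free or a NULL dereference: the ops pointer is only ever read under a lock, and unregister clears it under the same lock, so an RPC that arrives after teardown gets -ENODEV. All names (tpm_chip_model, tpm_ops_model, chip_rpc, chip_unregister) and the command bytes are constructed for this example and are not the driver's identifiers.

```c
#include <errno.h>
#include <pthread.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical user-space stand-in for the chip/ops relationship in the
 * thread. Names are assumptions for this example, not the kernel's. */
struct tpm_ops_model {
    int (*send)(void *priv, const unsigned char *buf, size_t len);
};

struct tpm_chip_model {
    pthread_mutex_t ops_lock;        /* serialises every use of ops against unregister */
    const struct tpm_ops_model *ops; /* NULL once the chip has been unregistered */
    void *priv;                      /* driver private data, cleared with ops */
};

/* Fake transport: accept the command and report how many bytes were taken. */
static int fake_send(void *priv, const unsigned char *buf, size_t len)
{
    (void)priv;
    (void)buf;
    return (int)len;
}

static const struct tpm_ops_model fake_ops = { .send = fake_send };

/* RPC path as a user of /dev/tpmX would hit it: the ops pointer is loaded
 * and used only while the lock is held, so a concurrent unregister cannot
 * pull it away mid-call, and a late caller sees NULL and gets -ENODEV. */
int chip_rpc(struct tpm_chip_model *chip, const unsigned char *buf, size_t len)
{
    int rc;

    pthread_mutex_lock(&chip->ops_lock);
    if (!chip->ops) {
        pthread_mutex_unlock(&chip->ops_lock);
        return -ENODEV;
    }
    rc = chip->ops->send(chip->priv, buf, len);
    pthread_mutex_unlock(&chip->ops_lock);
    return rc;
}

/* Teardown: same NULL stores as the debugging patch, but under the lock,
 * which also waits for any RPC currently inside chip->ops->send() to finish.
 * Memory behind priv may be released after this returns; no RPC can reach it. */
void chip_unregister(struct tpm_chip_model *chip)
{
    pthread_mutex_lock(&chip->ops_lock);
    chip->ops = NULL;
    chip->priv = NULL;
    pthread_mutex_unlock(&chip->ops_lock);
}

/* Runs one RPC before and one after unregister; returns the second result. */
int demo(void)
{
    struct tpm_chip_model chip = { PTHREAD_MUTEX_INITIALIZER, &fake_ops, NULL };
    const unsigned char cmd[4] = { 0x80, 0x01, 0x00, 0x0c }; /* constructed bytes */
    int before = chip_rpc(&chip, cmd, sizeof cmd);
    int after;

    chip_unregister(&chip);
    after = chip_rpc(&chip, cmd, sizeof cmd);
    printf("rpc before unregister: %d, after unregister: %d (-ENODEV is %d)\n",
           before, after, -ENODEV);
    return after;
}

int main(void)
{
    return demo() == -ENODEV ? 0 : 1;
}
```

The point of the model is the ordering: in the posted hunk the NULL stores happen while a request may already have loaded chip->ops, so the outcome depends on timing; here the load and the call are inseparable from the check, and the error path is the only thing a late caller can observe.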
_______________________________________________
tpmdd-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/tpmdd-devel