author Alex CHEN <viennadd@gmail.com> 2017-11-23 17:14:40 +0800
committer Jerome Forissier <jerome.forissier@linaro.org> 2017-11-23 17:11:14 +0100
commit de656760f44843db86786102b04428e2b260b251 (patch)
tree 7e3c5250f6532e8d39090681466ca1f527899fde /core/tee
parent 5da57aeb8bfb255ae8142878f9daaecc9777a3af (diff)
core: se: fix potential use after free
The freed `proxy` will be used again on the incremental part of the for loop, it leaves potential risk of UAF crashing, replace `TAILQ_FOREACH()` with `TAILQ_FOREACH_SAFE()` to avoid second use of freed memory.

Fixes: https://github.com/OP-TEE/optee_os/issues/1965
Signed-off-by: Alex CHEN <viennadd@gmail.com>
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
[jf: add 'se:' to subject, don't capitalize "use", capitalize 'Fixes:']
Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
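The iteration pattern the commit message describes, as an added example that is not OP-TEE code: removing and freeing list elements while walking a `TAILQ`. `struct proxy`, `add_proxy()` and `remove_proxies()` are hypothetical names, and the fallback `TAILQ_FOREACH_SAFE()` definition is there for C libraries whose `<sys/queue.h>` lacks it.

```c
#include <stdlib.h>
#include <sys/queue.h>

/* Fallback for <sys/queue.h> versions without the _SAFE variant (BSD form). */
#ifndef TAILQ_FOREACH_SAFE
#define TAILQ_FOREACH_SAFE(var, head, field, tvar)              \
	for ((var) = TAILQ_FIRST(head);                         \
	     (var) && ((tvar) = TAILQ_NEXT(var, field), 1);     \
	     (var) = (tvar))
#endif

/* Hypothetical stand-ins for the reader proxy list, not OP-TEE's types. */
struct proxy {
	int reader_id;
	TAILQ_ENTRY(proxy) link;
};
TAILQ_HEAD(proxy_list, proxy);

/* Append a proxy for reader_id; 0 on success, -1 on allocation failure. */
int add_proxy(struct proxy_list *list, int reader_id)
{
	struct proxy *p = calloc(1, sizeof(*p));
	if (!p)
		return -1;
	p->reader_id = reader_id;
	TAILQ_INSERT_TAIL(list, p, link);
	return 0;
}

/*
 * Remove and free every proxy for reader_id; returns how many were freed.
 * TAILQ_FOREACH() steps with TAILQ_NEXT(p, link) after the body has run,
 * which would read the node just freed. The _SAFE form stores the successor
 * in `next` before the body runs, so freeing `p` inside the body is safe.
 */
int remove_proxies(struct proxy_list *list, int reader_id)
{
	struct proxy *p, *next;
	int freed = 0;

	TAILQ_FOREACH_SAFE(p, list, link, next) {
		if (p->reader_id == reader_id) {
			TAILQ_REMOVE(list, p, link);
			free(p);
			freed++;
		}
	}
	return freed;
}
```

The saved successor only protects against removal of the current element; a body that could also free `next` would still need a different scheme.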
Diffstat (limited to 'core/tee')
-rw-r--r-- core/tee/se/manager.c 4
1 files changed, 2 insertions, 2 deletions
diff --git a/core/tee/se/manager.c b/core/tee/se/manager.c
index 30b35f61..b88701c8 100644
--- a/core/tee/se/manager.c
+++ b/core/tee/se/manager.c
@@ -75,10 +75,10 @@ TEE_Result tee_se_manager_register_reader(struct tee_se_reader *r)
TEE_Result tee_se_manager_unregister_reader(struct tee_se_reader *r)
{
struct tee_se_manager_ctx *ctx = &se_manager_ctx;
- struct tee_se_reader_proxy *proxy;
+ struct tee_se_reader_proxy *proxy, *next_proxy;
mutex_lock(&ctx->mutex);
- TAILQ_FOREACH(proxy, &ctx->reader_proxies, link)
+ TAILQ_FOREACH_SAFE(proxy, &ctx->reader_proxies, link, next_proxy)
{
if (proxy->reader == r)
TAILQ_REMOVE(&ctx->reader_proxies, proxy, link);
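Review bot: after the `if (proxy->reader == r)` match and `TAILQ_REMOVE()`, the loop carries on through the rest of `reader_proxies`; if a reader can be registered only once, a `break` after the removal would end the walk there and make the intent explicit, and if duplicates are possible a short comment saying so would document why `TAILQ_FOREACH_SAFE()` is required. `next_proxy` is only the macro's saved successor, so the body should not read or reassign it. Minor style point: the opening `{` sits on its own line after the loop macro instead of on the same line as `TAILQ_FOREACH_SAFE(...)`.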