author | Alex CHEN <viennadd@gmail.com> | 2017-11-23 17:14:40 +0800 |
---|---|---|
committer | Jerome Forissier <jerome.forissier@linaro.org> | 2017-11-23 17:11:14 +0100 |
commit | de656760f44843db86786102b04428e2b260b251 (patch) | |
tree | 7e3c5250f6532e8d39090681466ca1f527899fde /core/tee | |
parent | 5da57aeb8bfb255ae8142878f9daaecc9777a3af (diff) |
core: se: fix potential use after free
The freed `proxy` will be used again in the incremental part of the for
loop, which leaves a potential risk of a UAF crash. Replace `TAILQ_FOREACH()`
with `TAILQ_FOREACH_SAFE()` to avoid a second use of freed memory.
Fixes: https://github.com/OP-TEE/optee_os/issues/1965
Signed-off-by: Alex CHEN <viennadd@gmail.com>
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
[jf: add 'se:' to subject, don't capitalize "use", capitalize 'Fixes:']
Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Diffstat (limited to 'core/tee')
-rw-r--r-- | core/tee/se/manager.c | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/core/tee/se/manager.c b/core/tee/se/manager.c index 30b35f61..b88701c8 100644 --- a/core/tee/se/manager.c +++ b/core/tee/se/manager.c @@ -75,10 +75,10 @@ TEE_Result tee_se_manager_register_reader(struct tee_se_reader *r) TEE_Result tee_se_manager_unregister_reader(struct tee_se_reader *r) { struct tee_se_manager_ctx *ctx = &se_manager_ctx; - struct tee_se_reader_proxy *proxy; + struct tee_se_reader_proxy *proxy, *next_proxy; mutex_lock(&ctx->mutex); - TAILQ_FOREACH(proxy, &ctx->reader_proxies, link) + TAILQ_FOREACH_SAFE(proxy, &ctx->reader_proxies, link, next_proxy) { if (proxy->reader == r) TAILQ_REMOVE(&ctx->reader_proxies, proxy, link); |
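Review bot: the `if (proxy->reader == r)` in the loop body of `tee_se_manager_unregister_reader()` has no braces, so only `TAILQ_REMOVE()` is guarded by it. The free that the commit message refers to lies beyond the visible context; if it sits outside the condition, non-matching proxies would be freed while still linked in `ctx->reader_proxies`, and `TAILQ_FOREACH_SAFE()` does not protect against that, since it only saves the next pointer before the body runs. Suggest bracing the body so that removal and release apply to the matching entry only, and, if a reader can have at most one proxy in the list, adding a `break` after the removal so the loop does not keep walking the list under `ctx->mutex`. A one-line comment on why the `_SAFE` variant is required here would also help keep a later cleanup from reverting it.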