core: tee_mmu: fix use after free bug in vm_unmap()

vm_unmap() uses r->va and r->size after it is freed and can cause the end VA address calculation to be wrong and the while loop keep going till it unmaps the rest of the regions. This bug can cause TA to crash with a translation fault since vm_unmap() unmapped text and data Signed-off-by: Khoa Hoang <[email protected]> Reviewed-by: Etienne Carriere <[email protected]> Reviewed-by: Jens Wiklander <[email protected]>
OP-TEE · May 21, 2020 · b627229 · b627229
1 parent 7fdadfd
commit b627229
Showing 1 changed file with 3 additions and 1 deletion.
diff --git a/core/arch/arm/mm/tee_mmu.c b/core/arch/arm/mm/tee_mmu.c
@@ -715,6 +715,7 @@ TEE_Result vm_unmap(struct user_mode_ctx *uctx, vaddr_t va, size_t len)
 	struct vm_region *r = NULL;
 	struct vm_region *r_next = NULL;
 	size_t end_va = 0;
+	size_t unmap_end_va = 0;
 	size_t l = 0;
 
 	assert(thread_get_tsd()->ctx == &uctx->ctx);
@@ -734,11 +735,12 @@ TEE_Result vm_unmap(struct user_mode_ctx *uctx, vaddr_t va, size_t len)
 
 	while (true) {
 		r_next = TAILQ_NEXT(r, link);
+		unmap_end_va = r->va + r->size;
 		if (mobj_is_paged(r->mobj))
 			tee_pager_rem_um_region(uctx, r->va, r->size);
 		maybe_free_pgt(uctx, r);
 		umap_remove_region(&uctx->vm_info, r);
-		if (!r_next || r->va + r->size == end_va)
+		if (!r_next || unmap_end_va == end_va)
 			break;
 		r = r_next;
 	}