core: pager: fix NULL deref in tee_pager_pgt_save_and_release_entries()

Fixes a potential NULL dereference in tee_pager_pgt_save_and_release_entries() in case a struct user_ta_ctx doesn't have an areas pointer allocated yet. Reviewed-by: Joakim Bech <[email protected]> Signed-off-by: Jens Wiklander <[email protected]>
OP-TEE · Jun 27, 2019 · 55e6414 · 55e6414
1 parent ef305e5
commit 55e6414
Showing 1 changed file with 9 additions and 5 deletions.
diff --git a/core/arch/arm/mm/tee_pager.c b/core/arch/arm/mm/tee_pager.c
@@ -1496,8 +1496,9 @@ void tee_pager_assign_uta_tables(struct user_ta_ctx *utc)
 
 void tee_pager_pgt_save_and_release_entries(struct pgt *pgt)
 {
-	struct tee_pager_pmem *pmem;
-	struct tee_pager_area *area;
+	struct tee_pager_pmem *pmem = NULL;
+	struct tee_pager_area *area = NULL;
+	struct tee_pager_area_head *areas = NULL;
 	uint32_t exceptions = pager_lock_check_stack(SMALL_PAGE_SIZE);
 
 	if (!pgt->num_used_entries)
@@ -1510,9 +1511,12 @@ void tee_pager_pgt_save_and_release_entries(struct pgt *pgt)
 	assert(!pgt->num_used_entries);
 
 out:
-	TAILQ_FOREACH(area, to_user_ta_ctx(pgt->ctx)->areas, link) {
-		if (area->pgt == pgt)
-			area->pgt = NULL;
+	areas = to_user_ta_ctx(pgt->ctx)->areas;
+	if (areas) {
+		TAILQ_FOREACH(area, areas, link) {
+			if (area->pgt == pgt)
+				area->pgt = NULL;
+		}
 	}
 
 	pager_unlock(exceptions);