lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <5374.1200117368@turing-police.cc.vt.edu>
Date:	Sat, 12 Jan 2008 00:56:08 -0500
From:	Valdis.Kletnieks@...edu
To:	Andrew Morton <akpm@...ux-foundation.org>
Cc:	linux-kernel@...r.kernel.org, tpmdd-devel@...ts.sourceforge.net
Subject: 2.6.24-rc6-mm1 - drivers/char/tpm/tpm_bios.c oddness?

(Reposting, nobody from lkml or tpmdd-devel chirped on the Dec 27 post)

On Sat, 22 Dec 2007 23:30:56 PST, Andrew Morton said:
> ftp://ftp.kernel.org/pub/linux/kernel/people/akpm/patches/2.6/2.6.24-rc6/2.6.24-rc6-mm1/

Looks like an uninitialized variable dereference for SEPARATOR events:

# mount -t securityfs none /sys/kernel/security/
# ls /sys/kernel/security/
tpm0
# ls -l /sys/kernel/security/tpm0/
total 0
0 -r--r----- 1 root root 0 2007-12-26 23:28 ascii_bios_measurements
0 -r--r----- 1 root root 0 2007-12-26 23:28 binary_bios_measurements
# cat /sys/kernel/security/tpm0/ascii_bios_measurements 
 0 0000000000000000000000000000000000000000 07 [S-CRTM Contents]
 0 0000000000000000000000000000000000000000 07 [S-CRTM Contents]
 0 0000000000000000000000000000000000000000 07 [S-CRTM Contents]
 0 0000000000000000000000000000000000000000 07 [S-CRTM Contents]
 4 c1e25c3f6b0dc78d57296aa2870ca6f782ccf80f 05 [Calling INT 19h]
 0 85e53271e14006f0265921d02d4d736cdc580b0b 04 [ÿ]
 1 85e53271e14006f0265921d02d4d736cdc580b0b 04 [ÿ]
 2 85e53271e14006f0265921d02d4d736cdc580b0b 04 [ÿ]
 3 85e53271e14006f0265921d02d4d736cdc580b0b 04 [ÿ]
 4 85e53271e14006f0265921d02d4d736cdc580b0b 04 [ÿ]
 5 85e53271e14006f0265921d02d4d736cdc580b0b 04 [ÿ]
 6 85e53271e14006f0265921d02d4d736cdc580b0b 04 [ÿ]
 7 85e53271e14006f0265921d02d4d736cdc580b0b 04 [ÿ]
 4 38f30a0a967fcf2bfee1e3b2971de540115048c8 05 [Returned INT 19h]
 4 f9d3a33e4ba6109fb60e8df6ec0f10330733c8b2 0c [Compact Hash]
 5 9bd5c812613f67ce1c75d0ea48b9933a547683cb 0c [Compact Hash]

Looks like the problem is likely in get_event_name:

        case NONHOST_INFO:
                name = tcpa_event_type_strings[event->event_type];
                n_len = strlen(name);
                break;
        case SEPARATOR:
        case ACTION:
                if (MAX_TEXT_EVENT > event->event_size) {
                        name = event_entry;
                        n_len = event->event_size;
                }
                break;

Should there be a 'break;' after the SEPARATOR line?  Given the name, it
probably doesn't have a name/length pair attached to an event, right?


Content of type "application/pgp-signature" skipped

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ