lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20160419100027.GA10080@intel.com>
Date:	Tue, 19 Apr 2016 13:00:27 +0300
From:	Jarkko Sakkinen <jarkko.sakkinen@...ux.intel.com>
To:	Peter Huewe <peterhuewe@....de>
Cc:	linux-security-module@...r.kernel.org, stable@...r.kernel.org,
	Marcel Selhorst <tpmdd@...horst.net>,
	Jason Gunthorpe <jgunthorpe@...idianresearch.com>,
	"moderated list:TPM DEVICE DRIVER" 
	<tpmdd-devel@...ts.sourceforge.net>,
	open list <linux-kernel@...r.kernel.org>
Subject: Re: [PATCH] tpm_crb: fix mapping of the buffers

On Tue, Apr 19, 2016 at 12:54:18PM +0300, Jarkko Sakkinen wrote:
> On my Lenovo x250 the following situation occurs:
> 
> [18697.813871] tpm_crb MSFT0101:00: can't request region for resource
> [mem 0xacdff080-0xacdfffff]
> 
> The mapping of the control area overlaps the mapping of the command
> buffer. The control area is mapped over page, which is not right. It
> should mapped over sizeof(struct crb_control_area).
> 
> Fixing this issue unmasks another issue. Command and response buffers
> can overlap and they do interleave on this machine. According to the PTP
> specification the overlapping means that they are mapped to the same
> buffer.
> 
> The commit has been also on a Haswell NUC where things worked before
> applying this fix so that the both code paths for response buffer
> initialization are tested.
> 
> Cc: stable@...r.kernel.org
> Fixes: 1bd047be37d9 ("tpm_crb: Use devm_ioremap_resource")
> Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@...ux.intel.com>

Forgot to add --subject-prefix="PATCH v2", sorry.

/Jarkko

> ---
>  drivers/char/tpm/tpm_crb.c | 39 ++++++++++++++++++++++++++++-----------
>  1 file changed, 28 insertions(+), 11 deletions(-)
> 
> diff --git a/drivers/char/tpm/tpm_crb.c b/drivers/char/tpm/tpm_crb.c
> index 733cd0e..5afe684 100644
> --- a/drivers/char/tpm/tpm_crb.c
> +++ b/drivers/char/tpm/tpm_crb.c
> @@ -259,7 +259,10 @@ static int crb_map_io(struct acpi_device *device, struct crb_priv *priv,
>  	struct list_head resources;
>  	struct resource io_res;
>  	struct device *dev = &device->dev;
> -	u64 pa;
> +	u64 cmd_pa;
> +	u32 cmd_size;
> +	u64 rsp_pa;
> +	u32 rsp_size;
>  	int ret;
>  
>  	INIT_LIST_HEAD(&resources);
> @@ -280,22 +283,36 @@ static int crb_map_io(struct acpi_device *device, struct crb_priv *priv,
>  		return PTR_ERR(priv->iobase);
>  
>  	priv->cca = crb_map_res(dev, priv, &io_res, buf->control_address,
> -				0x1000);
> +				sizeof(struct crb_control_area));
>  	if (IS_ERR(priv->cca))
>  		return PTR_ERR(priv->cca);
>  
> -	pa = ((u64) ioread32(&priv->cca->cmd_pa_high) << 32) |
> -	      (u64) ioread32(&priv->cca->cmd_pa_low);
> -	priv->cmd = crb_map_res(dev, priv, &io_res, pa,
> -				ioread32(&priv->cca->cmd_size));
> +	cmd_pa = ((u64) ioread32(&priv->cca->cmd_pa_high) << 32) |
> +		  (u64) ioread32(&priv->cca->cmd_pa_low);
> +	cmd_size = ioread32(&priv->cca->cmd_size);
> +	priv->cmd = crb_map_res(dev, priv, &io_res, cmd_pa, cmd_size);
>  	if (IS_ERR(priv->cmd))
>  		return PTR_ERR(priv->cmd);
>  
> -	memcpy_fromio(&pa, &priv->cca->rsp_pa, 8);
> -	pa = le64_to_cpu(pa);
> -	priv->rsp = crb_map_res(dev, priv, &io_res, pa,
> -				ioread32(&priv->cca->rsp_size));
> -	return PTR_ERR_OR_ZERO(priv->rsp);
> +	memcpy_fromio(&rsp_pa, &priv->cca->rsp_pa, 8);
> +	rsp_pa = le64_to_cpu(rsp_pa);
> +	rsp_size = ioread32(&priv->cca->rsp_size);
> +
> +	if (cmd_pa != rsp_pa) {
> +		priv->rsp = crb_map_res(dev, priv, &io_res, rsp_pa, rsp_size);
> +		return PTR_ERR_OR_ZERO(priv->rsp);
> +	}
> +
> +	/* According to the PTP specification, overlapping command and response
> +	 * buffer sizes must be identical.
> +	 */
> +	if (cmd_size != rsp_size) {
> +		dev_err(dev, FW_BUG "overlapping command and response buffer sizes are not identical");
> +		return -EINVAL;
> +	}
> +
> +	priv->rsp = priv->cmd;
> +	return 0;
>  }
>  
>  static int crb_acpi_add(struct acpi_device *device)
> -- 
> 2.7.4
> 

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ