lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-Id: <33bb28b4-6dd5-8455-de44-12b2980006e1@linux.vnet.ibm.com>
Date:   Wed, 18 Jan 2017 08:53:19 -0500
From:   Stefan Berger <stefanb@...ux.vnet.ibm.com>
To:     Jarkko Sakkinen <jarkko.sakkinen@...ux.intel.com>
Cc:     tpmdd-devel@...ts.sourceforge.net,
        linux-security-module@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH v6] tpm: Check size of response before accessing data

On 01/18/2017 08:36 AM, Jarkko Sakkinen wrote:
> On Tue, Jan 17, 2017 at 05:27:47PM -0500, Stefan Berger wrote:
>> On 01/17/2017 09:49 AM, Jarkko Sakkinen wrote:
>>> On Mon, Jan 16, 2017 at 04:41:11PM -0500, Stefan Berger wrote:
>>>
>>>> + * @min_rx_length: minimum expected length of response
>>> Please, rename as min_rsp_body_len and change the description
>>> accordingly.
>>>
>>>>     * @flags: tpm transmit flags - bitmap
>>>>     * @desc: command description used in the error message
>>>>     *
>>>> @@ -434,25 +435,34 @@ ssize_t tpm_transmit(struct tpm_chip *chip, const u8 *buf, size_t bufsiz,
>>>>     *     A positive number for a TPM error.
>>>>     */
>>>>    ssize_t tpm_transmit_cmd(struct tpm_chip *chip, const void *cmd,
>>>> -			 int len, unsigned int flags, const char *desc)
>>>> +			 size_t cmd_length, size_t min_rx_length,
>>>> +			 unsigned int flags, const char *desc)
>>>>    {
>>>>    	const struct tpm_output_header *header;
>>>>    	int err;
>>>> +	ssize_t len;
>>>> -	len = tpm_transmit(chip, (const u8 *)cmd, len, flags);
>>>> +	len = tpm_transmit(chip, (const u8 *)cmd, cmd_length, flags);
>>>>    	if (len <  0)
>>>>    		return len;
>>>>    	else if (len < TPM_HEADER_SIZE)
>>>>    		return -EFAULT;
>>>>    	header = cmd;
>>>> +	if (len < be32_to_cpu(header->length))
>>>> +		return -EFAULT;
>>>>    	err = be32_to_cpu(header->return_code);
>>>>    	if (err != 0 && desc)
>>>>    		dev_err(&chip->dev, "A TPM error (%d) occurred %s\n", err,
>>>>    			desc);
>>>> +	if (err)
>>>> +		return err;
>>>> -	return err;
>>>> +	if (be32_to_cpu(header->length) < min_rx_length)
>>>> +		return -EFAULT;
>>>> +
>>>> +	return 0;
>>>>    }
>>>>    #define TPM_DIGEST_SIZE 20
>>>> @@ -468,7 +478,7 @@ static const struct tpm_input_header tpm_getcap_header = {
>>>>    };
>>>>    ssize_t tpm_getcap(struct tpm_chip *chip, u32 subcap_id, cap_t *cap,
>>>> -		   const char *desc)
>>>> +		   const char *desc, size_t min_cap_length)
>>> tpm_getcap update should be its own commit.
>> tpm_getcap needs to pass something as min_rsp_body_length to
>> tpm_transmit_cmd. What would it pass?
> I do not understand the problem. You are already
>
>    TPM_HEADER_SIZE + min_cap_length

When we make this two patches (commits), what would tpm_getcap pass to 
tpm_transmit_cmd in the place of the min_rsp_body_length parameter? I 
don't think it makes sense to split up this patch.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ