lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date:   Thu, 19 Jan 2017 12:44:59 +0200
From:   Jarkko Sakkinen <jarkko.sakkinen@...ux.intel.com>
To:     Stefan Berger <stefanb@...ux.vnet.ibm.com>
Cc:     tpmdd-devel@...ts.sourceforge.net,
        linux-security-module@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH v6] tpm: Check size of response before accessing data

On Wed, Jan 18, 2017 at 08:53:19AM -0500, Stefan Berger wrote:
> On 01/18/2017 08:36 AM, Jarkko Sakkinen wrote:
> > On Tue, Jan 17, 2017 at 05:27:47PM -0500, Stefan Berger wrote:
> > > On 01/17/2017 09:49 AM, Jarkko Sakkinen wrote:
> > > > On Mon, Jan 16, 2017 at 04:41:11PM -0500, Stefan Berger wrote:
> > > > 
> > > > > + * @min_rx_length: minimum expected length of response
> > > > Please, rename as min_rsp_body_len and change the description
> > > > accordingly.
> > > > 
> > > > >     * @flags: tpm transmit flags - bitmap
> > > > >     * @desc: command description used in the error message
> > > > >     *
> > > > > @@ -434,25 +435,34 @@ ssize_t tpm_transmit(struct tpm_chip *chip, const u8 *buf, size_t bufsiz,
> > > > >     *     A positive number for a TPM error.
> > > > >     */
> > > > >    ssize_t tpm_transmit_cmd(struct tpm_chip *chip, const void *cmd,
> > > > > -			 int len, unsigned int flags, const char *desc)
> > > > > +			 size_t cmd_length, size_t min_rx_length,
> > > > > +			 unsigned int flags, const char *desc)
> > > > >    {
> > > > >    	const struct tpm_output_header *header;
> > > > >    	int err;
> > > > > +	ssize_t len;
> > > > > -	len = tpm_transmit(chip, (const u8 *)cmd, len, flags);
> > > > > +	len = tpm_transmit(chip, (const u8 *)cmd, cmd_length, flags);
> > > > >    	if (len <  0)
> > > > >    		return len;
> > > > >    	else if (len < TPM_HEADER_SIZE)
> > > > >    		return -EFAULT;
> > > > >    	header = cmd;
> > > > > +	if (len < be32_to_cpu(header->length))
> > > > > +		return -EFAULT;
> > > > >    	err = be32_to_cpu(header->return_code);
> > > > >    	if (err != 0 && desc)
> > > > >    		dev_err(&chip->dev, "A TPM error (%d) occurred %s\n", err,
> > > > >    			desc);
> > > > > +	if (err)
> > > > > +		return err;
> > > > > -	return err;
> > > > > +	if (be32_to_cpu(header->length) < min_rx_length)
> > > > > +		return -EFAULT;
> > > > > +
> > > > > +	return 0;
> > > > >    }
> > > > >    #define TPM_DIGEST_SIZE 20
> > > > > @@ -468,7 +478,7 @@ static const struct tpm_input_header tpm_getcap_header = {
> > > > >    };
> > > > >    ssize_t tpm_getcap(struct tpm_chip *chip, u32 subcap_id, cap_t *cap,
> > > > > -		   const char *desc)
> > > > > +		   const char *desc, size_t min_cap_length)
> > > > tpm_getcap update should be its own commit.
> > > tpm_getcap needs to pass something as min_rsp_body_length to
> > > tpm_transmit_cmd. What would it pass?
> > I do not understand the problem. You are already
> > 
> >    TPM_HEADER_SIZE + min_cap_length
> 
> When we make this two patches (commits), what would tpm_getcap pass to
> tpm_transmit_cmd in the place of the min_rsp_body_length parameter? I don't
> think it makes sense to split up this patch.

Aaah. Sorry I didn't follow. You are correct. Lets keep it one patch.

/Jarkko

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ