Open Source and information security mailing list archives
 
Message-ID: <20170725150443.7cf8fc91@kitsune.suse.cz>
Date:   Tue, 25 Jul 2017 15:04:43 +0200
From:   Michal Suchánek <msuchanek@...e.de>
To:     Christophe Ricard <christophe.ricard@...il.com>,
        linux-kernel@...r.kernel.org, tpmdd-devel@...ts.sourceforge.net,
        Jarkko Sakkinen <jarkko.sakkinen@...ux.intel.com>,
        apronin@...omium.org
Subject: tpm: read burstcount from TPM_STS in one 32-bit transaction

Hello,

in commit 9754d45e9970 ("tpm: read burstcount from TPM_STS in one
32-bit transaction") you change reading of two 8-bit values to one
32-bit read. This is obviously wrong wrt endianness unless the
underlying tpm_tis_read32 does endian conversion.

Looking at the implementation 
static inline int tpm_tis_read32(struct tpm_tis_data *data, u32 addr,
                                 u32 *result)
{
        return data->phy_ops->read32(data, addr, result);
}

it calls read32 which has two implementations:

static const struct tpm_tis_phy_ops tpm_tcg = {
	.read32 = tpm_tcg_read32,
	/* ... */
};

static int tpm_tcg_read32(struct tpm_tis_data *data, u32 addr, u32 *result)
{
        struct tpm_tis_tcg_phy *phy = to_tpm_tis_tcg_phy(data);

        /* raw MMIO read, no explicit byte-order conversion here */
        *result = ioread32(phy->iobase + addr);
        return 0;
}

static const struct tpm_tis_phy_ops tpm_spi_phy_ops = {
	.read32 = tpm_tis_spi_read32,
	/* ... */
};

static int tpm_tis_spi_read32(struct tpm_tis_data *data, u32 addr, u32 *result)
{
        int rc;

        /* bytes arrive in bus order, then are converted from LE to host order */
        rc = data->phy_ops->read_bytes(data, addr, sizeof(u32), (u8 *)result);
        if (!rc)
                *result = le32_to_cpu(*result);
        return rc;
}

meaning that unless you are on LE where le32_to_cpu is a noop these
functions do completely different things. So presumably this is
completely broken on BE.

Presumably only the SPI variant can be actually used with TPM devices
bolted on after the fact so it is more likely correct for obscure
hardware. Consequently tpm_tcg_read32 should use
le32_to_cpu(ioread32(phy->iobase + addr)) in case somebody manages to
map a TPM into io-space on a BE machine.

Thanks

Michal
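
The byte-order concern in the message above, worked through as an added userspace example (not code from the mail or from the kernel tree). It assumes the TIS register layout in which burstCount occupies bits 8..23 of TPM_STS; the sample register bytes and all helper names are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed sample: the four TPM_STS bytes in bus (little-endian) order.
 * Byte 0 is the status byte, bytes 1-2 hold burstCount = 0x0140. */
static const uint8_t sample_sts[4] = { 0x90, 0x40, 0x01, 0x00 };

/* Old style: two 8-bit reads, low byte first. Endian-neutral. */
static uint16_t burst_from_bytes(const uint8_t *reg)
{
    return (uint16_t)(reg[1] | (reg[2] << 8));
}

/* What le32_to_cpu() yields for these bytes on any host. */
static uint32_t load_le32(const uint8_t *reg)
{
    return (uint32_t)reg[0] | ((uint32_t)reg[1] << 8) |
           ((uint32_t)reg[2] << 16) | ((uint32_t)reg[3] << 24);
}

/* What a big-endian CPU sees if the same bytes are loaded as a native
 * u32 with no conversion (simulated, so it runs on any host). */
static uint32_t load_be32_unconverted(const uint8_t *reg)
{
    return ((uint32_t)reg[0] << 24) | ((uint32_t)reg[1] << 16) |
           ((uint32_t)reg[2] << 8) | (uint32_t)reg[3];
}

/* New style: extract burstCount from the 32-bit status word. */
static uint16_t burst_from_word(uint32_t sts)
{
    return (uint16_t)((sts >> 8) & 0xFFFF);
}

int main(void)
{
    printf("two 8-bit reads:        0x%04x\n", burst_from_bytes(sample_sts));
    printf("32-bit, LE-converted:   0x%04x\n",
           burst_from_word(load_le32(sample_sts)));
    printf("32-bit, BE unconverted: 0x%04x\n",
           burst_from_word(load_be32_unconverted(sample_sts)));
    return 0;
}
```

Only the LE-converted word reproduces the value of the two byte reads; the unconverted big-endian load returns the two burstCount bytes in swapped order.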
