lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <20180910204219.GG16557@thunk.org>
Date:   Mon, 10 Sep 2018 16:42:19 -0400
From:   "Theodore Y. Ts'o" <tytso@....edu>
To:     Ard Biesheuvel <ard.biesheuvel@...aro.org>
Cc:     Meelis Roos <mroos@...ux.ee>,
        Linux Kernel list <linux-kernel@...r.kernel.org>,
        "open list:HARDWARE RANDOM NUMBER GENERATOR CORE" 
        <linux-crypto@...r.kernel.org>
Subject: Re: rng_dev_read: Kernel memory exposure attempt detected from SLUB
 object 'kmalloc-64'

On Mon, Sep 10, 2018 at 10:02:38PM +0200, Ard Biesheuvel wrote:
> >> [146535.257274] tpm tpm0: A TPM error (379) occurred attempting get random
> >> [146535.257304] usercopy: Kernel memory exposure attempt detected from SLUB object 'kmalloc-64' (offset 0, size 379)!
> 
> The TPM return code '379' is returned from rng_get_data(), and
> interpreted as a byte count rather than an error code.

So there are two bugs here.  Once is in the TPM hw_random driver; it
shouldn't be returning the TPM error code.  The second is that
rng_dev_read() should be more suspicious and validate the number of
bytes returned from the low-level hw_random driver for sanity.

      	       	    		  	    - Ted

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ