[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <20180910204219.GG16557@thunk.org>
Date: Mon, 10 Sep 2018 16:42:19 -0400
From: "Theodore Y. Ts'o" <tytso@....edu>
To: Ard Biesheuvel <ard.biesheuvel@...aro.org>
Cc: Meelis Roos <mroos@...ux.ee>,
Linux Kernel list <linux-kernel@...r.kernel.org>,
"open list:HARDWARE RANDOM NUMBER GENERATOR CORE"
<linux-crypto@...r.kernel.org>
Subject: Re: rng_dev_read: Kernel memory exposure attempt detected from SLUB
object 'kmalloc-64'
On Mon, Sep 10, 2018 at 10:02:38PM +0200, Ard Biesheuvel wrote:
> >> [146535.257274] tpm tpm0: A TPM error (379) occurred attempting get random
> >> [146535.257304] usercopy: Kernel memory exposure attempt detected from SLUB object 'kmalloc-64' (offset 0, size 379)!
>
> The TPM return code '379' is returned from rng_get_data(), and
> interpreted as a byte count rather than an error code.
So there are two bugs here. Once is in the TPM hw_random driver; it
shouldn't be returning the TPM error code. The second is that
rng_dev_read() should be more suspicious and validate the number of
bytes returned from the low-level hw_random driver for sanity.
- Ted
Powered by blists - more mailing lists