lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <7adca046-ae80-7453-9fee-a802b46ceb86@huawei.com>
Date:   Wed, 31 Oct 2018 09:16:53 +0100
From:   Roberto Sassu <roberto.sassu@...wei.com>
To:     Jarkko Sakkinen <jarkko.sakkinen@...ux.intel.com>
CC:     <zohar@...ux.ibm.com>, <linux-integrity@...r.kernel.org>,
        <linux-security-module@...r.kernel.org>,
        <linux-kernel@...r.kernel.org>, <silviu.vlasceanu@...wei.com>
Subject: Re: [PATCH v3 5/5] tpm: ensure that output of PCR read contains the
 correct digest size

On 10/30/2018 8:52 PM, Jarkko Sakkinen wrote:
> On Tue, 30 Oct 2018, Roberto Sassu wrote:
>> This patch ensures that the digest size returned by the TPM during a PCR
>> read matches the size of the algorithm passed as argument to
>> tpm2_pcr_read(). The check is performed after information about the PCR
>> banks has been retrieved.
>>
>> Signed-off-by: Roberto Sassu <roberto.sassu@...wei.com>
> 
> What is the scenarion when this can happen (should be explained in
> the commit message)?

Without an HMAC session, the request/response payload can be modified.
This patch ensures that the digest size in the payload is equal to the
size of the algorithm specified by the caller.

Patch 3/5 only ensures that there is no buffer overflow when data is
copied to the tpm_digest structure passed by the caller.

Patch 5/5 uses the PCR bank information introduced in patch 4/5 to
ensure that the exact amount of data is copied from the response
payload. However, the patch may not help because an attacker can modify
the algorithm in the request payload so that the TPM returns a shorter
digest.

For me it is ok to remove this patch from the set. It was requested by
Mimi.

Roberto

-- 
HUAWEI TECHNOLOGIES Duesseldorf GmbH, HRB 56063
Managing Director: Bo PENG, Jian LI, Yanli SHI

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ