[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20181114153108.12907-7-roberto.sassu@huawei.com>
Date: Wed, 14 Nov 2018 16:31:07 +0100
From: Roberto Sassu <roberto.sassu@...wei.com>
To: <jarkko.sakkinen@...ux.intel.com>, <zohar@...ux.ibm.com>,
<david.safford@...com>, <monty.wiseman@...com>
CC: <linux-integrity@...r.kernel.org>,
<linux-security-module@...r.kernel.org>,
<linux-kernel@...r.kernel.org>, <silviu.vlasceanu@...wei.com>,
Roberto Sassu <roberto.sassu@...wei.com>,
<stable@...r.kernel.org>
Subject: [PATCH v5 6/7] tpm: ensure that the output of PCR read contains the correct digest size
This patch protects against data corruption that could happen in the bus,
by checking that that the digest size returned by the TPM during a PCR read
matches the size of the algorithm passed to tpm2_pcr_read().
This check is performed after information about the PCR banks has been
retrieved.
Signed-off-by: Roberto Sassu <roberto.sassu@...wei.com>
Reviewed-by: Jarkko Sakkinen <jarkko.sakkinen@...ux.intel.com>
Cc: stable@...r.kernel.org
---
drivers/char/tpm/tpm2-cmd.c | 17 ++++++++++++++++-
1 file changed, 16 insertions(+), 1 deletion(-)
diff --git a/drivers/char/tpm/tpm2-cmd.c b/drivers/char/tpm/tpm2-cmd.c
index acaaab72ef2e..974465f04b78 100644
--- a/drivers/char/tpm/tpm2-cmd.c
+++ b/drivers/char/tpm/tpm2-cmd.c
@@ -179,15 +179,29 @@ struct tpm2_pcr_read_out {
int tpm2_pcr_read(struct tpm_chip *chip, u32 pcr_idx,
struct tpm_digest *digest_struct, u16 *digest_size_ptr)
{
+ int i;
int rc;
struct tpm_buf buf;
struct tpm2_pcr_read_out *out;
u8 pcr_select[TPM2_PCR_SELECT_MIN] = {0};
u16 digest_size;
+ u16 expected_digest_size = 0;
if (pcr_idx >= TPM2_PLATFORM_PCR)
return -EINVAL;
+ if (!digest_size_ptr) {
+ for (i = 0; i < chip->nr_allocated_banks &&
+ chip->allocated_banks[i].alg_id != digest_struct->alg_id;
+ i++)
+ ;
+
+ if (i == chip->nr_allocated_banks)
+ return -EINVAL;
+
+ expected_digest_size = chip->allocated_banks[i].digest_size;
+ }
+
rc = tpm_buf_init(&buf, TPM2_ST_NO_SESSIONS, TPM2_CC_PCR_READ);
if (rc)
return rc;
@@ -207,7 +221,8 @@ int tpm2_pcr_read(struct tpm_chip *chip, u32 pcr_idx,
out = (struct tpm2_pcr_read_out *)&buf.data[TPM_HEADER_SIZE];
digest_size = be16_to_cpu(out->digest_size);
- if (digest_size > sizeof(digest_struct->digest)) {
+ if (digest_size > sizeof(digest_struct->digest) ||
+ (!digest_size_ptr && digest_size != expected_digest_size)) {
rc = -EINVAL;
goto out;
}
--
2.17.1
Powered by blists - more mailing lists