lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20190118151827.GK4080@linux.intel.com>
Date:   Fri, 18 Jan 2019 17:18:27 +0200
From:   Jarkko Sakkinen <jarkko.sakkinen@...ux.intel.com>
To:     Jia Zhang <zhang.jia@...ux.alibaba.com>
Cc:     peterhuewe@....de, jgg@...pe.ca, tweek@...gle.com,
        linux-integrity@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH 1/2] tpm/eventlog/tpm1: Simplify walking over *pos
 measurements

On Thu, Jan 17, 2019 at 09:32:55AM +0800, Jia Zhang wrote:
> 
> 
> On 2019/1/17 上午6:09, Jarkko Sakkinen wrote:
> > Please use "tpm:" tag for commits, not "tpm/eventlog/tpm1".
> > 
> > On Fri, Jan 11, 2019 at 04:59:32PM +0800, Jia Zhang wrote:
> >> The responsibility of tpm1_bios_measurements_start() is to walk
> >> over the first *pos measurements, ensuring the skipped and
> >> to-be-read measurements are not out-of-boundary.
> >>
> >> Current logic is complicated a bit. Just employ a do-while loop
> >> with necessary sanity check, and then get the goal.
> >>
> >> Signed-off-by: Jia Zhang <zhang.jia@...ux.alibaba.com>
> > 
> > What does this fix? Even if the current logic is "complicated", it is
> > still a pretty simple functiion.
> 
> 
> OK. Let me point out the fix part. Here is the original implementation:
> 
>  87         /* read over *pos measurements */
>  88         for (i = 0; i < *pos; i++) {
>  89                 event = addr;
>  90
>  91                 converted_event_size =
>  92                     do_endian_conversion(event->event_size);
>  93                 converted_event_type =
>  94                     do_endian_conversion(event->event_type);
>  95
>  96                 if ((addr + sizeof(struct tcpa_event)) < limit) {
>  97                         if ((converted_event_type == 0) &&
>  98                             (converted_event_size == 0))
>  99                                 return NULL;
> 100                         addr += (sizeof(struct tcpa_event) +
> 101                                  converted_event_size);
> 102                 }
> 103         }
> 
> The problem (just ignore all off-by-1 issues) is that accessing to
> event_size and event_type is not pre-checked carefully. In the latter
> part of tpm1_bios_measurements_start() and
> tpm1_bios_measurements_next(), there is a fixed patter to do the sanity
> check like this:
> 
> 136         /* now check if current entry is valid */
> 137         if ((v + sizeof(struct tcpa_event)) >= limit)
> 138                 return NULL;
> 
> So if we simply change this read-over chunk with sanity check like this:
> 
>         /* read over *pos measurements */
>         for (i = 0; i < *pos; i++) {
>                 event = addr;
> 
>                 if ((addr + sizeof(struct tcpa_event)) >= limit)
>                         return NULL;
> 
>                 converted_event_size =
>                     do_endian_conversion(event->event_size);
>                 converted_event_type =
>                     do_endian_conversion(event->event_type);
> 
>                 if ((converted_event_type == 0) &&
>                     (converted_event_size == 0))
>                         return NULL;
>                 addr += (sizeof(struct tcpa_event) +
>                          converted_event_size);
>         }
> 
> We will get two highly similar code chunks in
> tpm1_bios_measurements_start(). Here is the latter part:
> 
> 106         /* now check if current entry is valid */
> 107         if ((addr + sizeof(struct tcpa_event)) >= limit)
> 108                 return NULL;
> 109
> 110         event = addr;
> 111
> 112         converted_event_size = do_endian_conversion(event->event_size);
> 113         converted_event_type = do_endian_conversion(event->event_type);
> 114
> 115         if (((converted_event_type == 0) && (converted_event_size == 0))
> 116             || ((addr + sizeof(struct tcpa_event) +
> converted_event_size)
> 117                 >= limit))
> 118                 return NULL;
> 119
> 120         return addr;
> 
> So using a do while logic can simply merge them together and thus simply
> and optimize the logic of walking over *pos measurements.
> 
> Sorry I admit my initial motivation is to fix up the sanity check
> problem. If you would like to accept the optimization part, I will split
> this patch.

OK, got it now. I think I will apply this! Will take a while because
of https://lkml.org/lkml/2019/1/18/485. Will not apply new patches
before that is rooted.

/Jarkko

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ