| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 1 Apr 2019 12:06:07 -0700
From: Kees Cook <keescook@...omium.org>
To: Jarkko Sakkinen <jarkko.sakkinen@...ux.intel.com>
Cc: Jason Gunthorpe <jgg@...pe.ca>,
James Bottomley <James.Bottomley@...senpartnership.com>,
Phil Baker <baker1tex@...il.com>,
Craig Robson <craig@...tt.com>,
Laura Abbott <labbott@...hat.com>,
Tomas Winkler <tomas.winkler@...el.com>,
linux-kernel@...r.kernel.org, Peter Huewe <peterhuewe@....de>,
Arnd Bergmann <arnd@...db.de>, linux-integrity@...r.kernel.org
Subject: [PATCH v3] tpm: Actually fail on TPM errors during "get random"
A "get random" may fail with a TPM error, but those codes were returned
as-is to the caller, which assumed the result was the number of bytes
that had been written to the target buffer, which could lead to a kernel
heap memory exposure and over-read.
This fixes tpm1_get_random() to mask positive TPM errors into -EIO, as
before.
[ 18.092103] tpm tpm0: A TPM error (379) occurred attempting get random
[ 18.092106] usercopy: Kernel memory exposure attempt detected from SLUB object 'kmalloc-64' (offset 0, size 379)!
Link: https://bugzilla.redhat.com/show_bug.cgi?id=1650989
Reported-by: Phil Baker <baker1tex@...il.com>
Reported-by: Craig Robson <craig@...tt.com>
Fixes: 7aee9c52d7ac ("tpm: tpm1: rewrite tpm1_get_random() using tpm_buf structure")
Cc: Laura Abbott <labbott@...hat.com>
Cc: Tomas Winkler <tomas.winkler@...el.com>
Cc: Jarkko Sakkinen <jarkko.sakkinen@...ux.intel.com>
Cc: stable@...r.kernel.org
Signed-off-by: Kees Cook <keescook@...omium.org>
---
v3: fix never-succeed, limit checks to tpm cmd return (James, Jason)
v2: also fix tpm2 implementation (Jason Gunthorpe)
---
drivers/char/tpm/tpm1-cmd.c | 7 +++++--
drivers/char/tpm/tpm2-cmd.c | 7 +++++--
2 files changed, 10 insertions(+), 4 deletions(-)
diff --git a/drivers/char/tpm/tpm1-cmd.c b/drivers/char/tpm/tpm1-cmd.c
index 85dcf2654d11..faacbe1ffa1a 100644
--- a/drivers/char/tpm/tpm1-cmd.c
+++ b/drivers/char/tpm/tpm1-cmd.c
@@ -510,7 +510,7 @@ struct tpm1_get_random_out {
*
* Return:
* * number of bytes read
- * * -errno or a TPM return code otherwise
+ * * -errno (positive TPM return codes are masked to -EIO)
*/
int tpm1_get_random(struct tpm_chip *chip, u8 *dest, size_t max)
{
@@ -531,8 +531,11 @@ int tpm1_get_random(struct tpm_chip *chip, u8 *dest, size_t max)
rc = tpm_transmit_cmd(chip, &buf, sizeof(out->rng_data_len),
"attempting get random");
- if (rc)
+ if (rc) {
+ if (rc > 0)
+ rc = -EIO;
goto out;
+ }
out = (struct tpm1_get_random_out *)&buf.data[TPM_HEADER_SIZE];
diff --git a/drivers/char/tpm/tpm2-cmd.c b/drivers/char/tpm/tpm2-cmd.c
index e74c5b7b64bf..8ffa6af61580 100644
--- a/drivers/char/tpm/tpm2-cmd.c
+++ b/drivers/char/tpm/tpm2-cmd.c
@@ -301,7 +301,7 @@ struct tpm2_get_random_out {
*
* Return:
* size of the buffer on success,
- * -errno otherwise
+ * -errno otherwise ((positive TPM return codes are masked to -EIO)
*/
int tpm2_get_random(struct tpm_chip *chip, u8 *dest, size_t max)
{
@@ -328,8 +328,11 @@ int tpm2_get_random(struct tpm_chip *chip, u8 *dest, size_t max)
offsetof(struct tpm2_get_random_out,
buffer),
"attempting get random");
- if (err)
+ if (err) {
+ if (err > 0)
+ err = -EIO;
goto out;
+ }
out = (struct tpm2_get_random_out *)
&buf.data[TPM_HEADER_SIZE];
--
2.17.1
--
Kees Cook
Powered by blists - more mailing lists