lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20190401190955.GJ6209@ziepe.ca>
Date:   Mon, 1 Apr 2019 16:09:55 -0300
From:   Jason Gunthorpe <jgg@...pe.ca>
To:     Kees Cook <keescook@...omium.org>
Cc:     Jarkko Sakkinen <jarkko.sakkinen@...ux.intel.com>,
        James Bottomley <James.Bottomley@...senpartnership.com>,
        Phil Baker <baker1tex@...il.com>,
        Craig Robson <craig@...tt.com>,
        Laura Abbott <labbott@...hat.com>,
        Tomas Winkler <tomas.winkler@...el.com>,
        linux-kernel@...r.kernel.org, Peter Huewe <peterhuewe@....de>,
        Arnd Bergmann <arnd@...db.de>, linux-integrity@...r.kernel.org
Subject: Re: [PATCH v3] tpm: Actually fail on TPM errors during "get random"

On Mon, Apr 01, 2019 at 12:06:07PM -0700, Kees Cook wrote:
> A "get random" may fail with a TPM error, but those codes were returned
> as-is to the caller, which assumed the result was the number of bytes
> that had been written to the target buffer, which could lead to a kernel
> heap memory exposure and over-read.
> 
> This fixes tpm1_get_random() to mask positive TPM errors into -EIO, as
> before.
> 
> [   18.092103] tpm tpm0: A TPM error (379) occurred attempting get random
> [   18.092106] usercopy: Kernel memory exposure attempt detected from SLUB object 'kmalloc-64' (offset 0, size 379)!
> 
> Link: https://bugzilla.redhat.com/show_bug.cgi?id=1650989
> Reported-by: Phil Baker <baker1tex@...il.com>
> Reported-by: Craig Robson <craig@...tt.com>
> Fixes: 7aee9c52d7ac ("tpm: tpm1: rewrite tpm1_get_random() using tpm_buf structure")
> Cc: Laura Abbott <labbott@...hat.com>
> Cc: Tomas Winkler <tomas.winkler@...el.com>
> Cc: Jarkko Sakkinen <jarkko.sakkinen@...ux.intel.com>
> Cc: stable@...r.kernel.org
> Signed-off-by: Kees Cook <keescook@...omium.org>
> v3: fix never-succeed, limit checks to tpm cmd return (James, Jason)
> v2: also fix tpm2 implementation (Jason Gunthorpe)
>  drivers/char/tpm/tpm1-cmd.c | 7 +++++--
>  drivers/char/tpm/tpm2-cmd.c | 7 +++++--
>  2 files changed, 10 insertions(+), 4 deletions(-)
> 
> diff --git a/drivers/char/tpm/tpm1-cmd.c b/drivers/char/tpm/tpm1-cmd.c
> index 85dcf2654d11..faacbe1ffa1a 100644
> +++ b/drivers/char/tpm/tpm1-cmd.c
> @@ -510,7 +510,7 @@ struct tpm1_get_random_out {
>   *
>   * Return:
>   * *  number of bytes read
> - * * -errno or a TPM return code otherwise
> + * * -errno (positive TPM return codes are masked to -EIO)
>   */
>  int tpm1_get_random(struct tpm_chip *chip, u8 *dest, size_t max)
>  {
> @@ -531,8 +531,11 @@ int tpm1_get_random(struct tpm_chip *chip, u8 *dest, size_t max)
>  
>  		rc = tpm_transmit_cmd(chip, &buf, sizeof(out->rng_data_len),
>  				      "attempting get random");
> -		if (rc)
> +		if (rc) {
> +			if (rc > 0)
> +				rc = -EIO;
>  			goto out;
> +		}
>  
>  		out = (struct tpm1_get_random_out *)&buf.data[TPM_HEADER_SIZE];
>  
> diff --git a/drivers/char/tpm/tpm2-cmd.c b/drivers/char/tpm/tpm2-cmd.c
> index e74c5b7b64bf..8ffa6af61580 100644
> +++ b/drivers/char/tpm/tpm2-cmd.c
> @@ -301,7 +301,7 @@ struct tpm2_get_random_out {
>   *
>   * Return:
>   *   size of the buffer on success,
> - *   -errno otherwise
> + *   -errno otherwise ((positive TPM return codes are masked to -EIO)

Extra bracket, but otherwise looks fine to me

Jason

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ