| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 2 Apr 2019 19:13:52 +0000
From: "Winkler, Tomas" <tomas.winkler@...el.com>
To: Jarkko Sakkinen <jarkko.sakkinen@...ux.intel.com>,
Kees Cook <keescook@...omium.org>
CC: Jason Gunthorpe <jgg@...pe.ca>,
James Bottomley <James.Bottomley@...senpartnership.com>,
Phil Baker <baker1tex@...il.com>,
Craig Robson <craig@...tt.com>,
Laura Abbott <labbott@...hat.com>,
"linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
Peter Huewe <peterhuewe@....de>, Arnd Bergmann <arnd@...db.de>,
"linux-integrity@...r.kernel.org" <linux-integrity@...r.kernel.org>
Subject: RE: [PATCH v3] tpm: Actually fail on TPM errors during "get random"
> On Tue, Apr 02, 2019 at 02:46:25AM +0300, Jarkko Sakkinen wrote:
> > On Mon, Apr 01, 2019 at 12:06:07PM -0700, Kees Cook wrote:
> > > A "get random" may fail with a TPM error, but those codes were
> > > returned as-is to the caller, which assumed the result was the
> > > number of bytes that had been written to the target buffer, which
> > > could lead to a kernel heap memory exposure and over-read.
> > >
> > > This fixes tpm1_get_random() to mask positive TPM errors into -EIO,
> > > as before.
> > >
> > > [ 18.092103] tpm tpm0: A TPM error (379) occurred attempting get
> random
> > > [ 18.092106] usercopy: Kernel memory exposure attempt detected from
> SLUB object 'kmalloc-64' (offset 0, size 379)!
> > >
> > > Link: https://bugzilla.redhat.com/show_bug.cgi?id=1650989
> > > Reported-by: Phil Baker <baker1tex@...il.com>
> > > Reported-by: Craig Robson <craig@...tt.com>
> > > Fixes: 7aee9c52d7ac ("tpm: tpm1: rewrite tpm1_get_random() using
> > > tpm_buf structure")
> > > Cc: Laura Abbott <labbott@...hat.com>
> > > Cc: Tomas Winkler <tomas.winkler@...el.com>
> > > Cc: Jarkko Sakkinen <jarkko.sakkinen@...ux.intel.com>
> > > Cc: stable@...r.kernel.org
> > > Signed-off-by: Kees Cook <keescook@...omium.org>
> > > ---
> > > v3: fix never-succeed, limit checks to tpm cmd return (James, Jason)
> > > v2: also fix tpm2 implementation (Jason Gunthorpe)
> > > ---
> > > drivers/char/tpm/tpm1-cmd.c | 7 +++++--
> > > drivers/char/tpm/tpm2-cmd.c | 7 +++++--
> > > 2 files changed, 10 insertions(+), 4 deletions(-)
> > >
> > > diff --git a/drivers/char/tpm/tpm1-cmd.c
> > > b/drivers/char/tpm/tpm1-cmd.c index 85dcf2654d11..faacbe1ffa1a
> > > 100644
> > > --- a/drivers/char/tpm/tpm1-cmd.c
> > > +++ b/drivers/char/tpm/tpm1-cmd.c
> > > @@ -510,7 +510,7 @@ struct tpm1_get_random_out {
> > > *
> > > * Return:
> > > * * number of bytes read
> > > - * * -errno or a TPM return code otherwise
> > > + * * -errno (positive TPM return codes are masked to -EIO)
> > > */
> > > int tpm1_get_random(struct tpm_chip *chip, u8 *dest, size_t max) {
> > > @@ -531,8 +531,11 @@ int tpm1_get_random(struct tpm_chip *chip, u8
> > > *dest, size_t max)
> > >
> > > rc = tpm_transmit_cmd(chip, &buf, sizeof(out->rng_data_len),
> > > "attempting get random");
> > > - if (rc)
> > > + if (rc) {
> > > + if (rc > 0)
> > > + rc = -EIO;
> > > goto out;
> > > + }
> > >
> > > out = (struct tpm1_get_random_out
> *)&buf.data[TPM_HEADER_SIZE];
> > >
> > > diff --git a/drivers/char/tpm/tpm2-cmd.c
> > > b/drivers/char/tpm/tpm2-cmd.c index e74c5b7b64bf..8ffa6af61580
> > > 100644
> > > --- a/drivers/char/tpm/tpm2-cmd.c
> > > +++ b/drivers/char/tpm/tpm2-cmd.c
> > > @@ -301,7 +301,7 @@ struct tpm2_get_random_out {
> > > *
> > > * Return:
> > > * size of the buffer on success,
> > > - * -errno otherwise
> > > + * -errno otherwise ((positive TPM return codes are masked to -EIO)
> > > */
> > > int tpm2_get_random(struct tpm_chip *chip, u8 *dest, size_t max) {
> > > @@ -328,8 +328,11 @@ int tpm2_get_random(struct tpm_chip *chip, u8
> *dest, size_t max)
> > > offsetof(struct tpm2_get_random_out,
> > > buffer),
> > > "attempting get random");
> > > - if (err)
> > > + if (err) {
> > > + if (err > 0)
> > > + err = -EIO;
> > > goto out;
> > > + }
> > >
> > > out = (struct tpm2_get_random_out *)
> > > &buf.data[TPM_HEADER_SIZE];
> > > --
> > > 2.17.1
> > >
> > >
> > > --
> > > Kees Cook
> >
> > Reviewed-by: Jarkko Sakkinen <jarkko.sakkinen@...ux.intel.com>
>
> Applied to my master branch. Jason, Tomas, do you want me to add reviewed-
> by's?
Sure, it fixes my patch.
> /Jarkko
Powered by blists - more mailing lists