[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <b85fa669-d3aa-f6c9-9631-988ae47e392c@redhat.com>
Date: Tue, 7 Jan 2020 13:51:59 -0500
From: Laura Abbott <labbott@...hat.com>
To: Tadeusz Struk <tadeusz.struk@...el.com>,
Jarkko Sakkinen <jarkko.sakkinen@...ux.intel.com>
Cc: "linux-integrity@...r.kernel.org" <linux-integrity@...r.kernel.org>,
Linux Kernel Mailing List <linux-kernel@...r.kernel.org>,
Kees Cook <keescook@...omium.org>
Subject: Bad usercopy from tpm after d23d12484307 ("tpm: fix invalid locking
in NONBLOCKING mode")
Hi,
Fedora got two bug reports https://bugzilla.redhat.com/show_bug.cgi?id=1788653
https://bugzilla.redhat.com/show_bug.cgi?id=1788257 of a usercopy bug from
tpm:
[ 67.037526] usercopy: Kernel memory exposure attempt detected from wrapped address (offset 0, size 18446634686907596985)!
[ 67.037541] ------------[ cut here ]------------
[ 67.037543] kernel BUG at mm/usercopy.c:99!
[ 67.037550] invalid opcode: 0000 [#1] SMP PTI
[ 67.037553] CPU: 1 PID: 3277 Comm: tpm2-abrmd Not tainted 5.4.7-200.fc31.x86_64 #1
[ 67.037555] Hardware name: Dell Inc. Latitude 5580/0FH6CJ, BIOS 1.16.0 07/03/2019
[ 67.037562] RIP: 0010:usercopy_abort+0x77/0x79
[ 67.037565] Code: 4c 0f 45 de 51 4c 89 d1 48 c7 c2 e3 ce 35 b0 57 48 c7 c6 30 80 34 b0 48 c7 c7 a8 cf 35 b0 48 0f 45 f2 4c 89 da e8 50 6c e4 ff <0f> 0b 4c 89 e1 49 89 d8 44 89 ea 31 f6 48 29 c1 48 c7 c7 25 cf 35
[ 67.037567] RSP: 0018:ffffae5b42eabe48 EFLAGS: 00010246
[ 67.037570] RAX: 000000000000006d RBX: ffffffffffffffff RCX: 0000000000000000
[ 67.037572] RDX: 0000000000000000 RSI: ffff9c83b6257908 RDI: ffff9c83b6257908
[ 67.037574] RBP: ffff9c836686c0b9 R08: ffff9c83b6257908 R09: 000000000000007c
[ 67.037576] R10: ffffae5b42eabcf8 R11: 0000000000000000 R12: ffff9c836686c0ba
[ 67.037578] R13: 0000000000000001 R14: ffff9c836686c010 R15: ffff9c836686c0ba
[ 67.037580] FS: 00007fb2dbfff700(0000) GS:ffff9c83b6240000(0000) knlGS:0000000000000000
[ 67.037582] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 67.037584] CR2: 00007fc1137f3e00 CR3: 00000002205c4002 CR4: 00000000003606e0
[ 67.037586] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 67.037588] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 67.037589] Call Trace:
[ 67.037595] __check_object_size.cold+0x46/0x80
[ 67.037600] tpm_common_read+0x74/0x140
[ 67.037605] vfs_read+0x9d/0x150
[ 67.037610] ksys_read+0x5f/0xe0
[ 67.037615] do_syscall_64+0x5b/0x1a0
[ 67.037620] entry_SYSCALL_64_after_hwframe+0x44/0xa9
I think this is related to d23d12484307 ("tpm: fix invalid locking in NONBLOCKING mode")
Specifically, if tpm_try_get_ops fails I don't think we should be putting the error
code in priv->response_length since tpm_common_read doesn't seem to account for
negative errno values.
I don't have a reproducer since this was just what was reported to Fedora's bug
reporter but both reports happened after that commit landed in stable.
Thanks,
Laura
Powered by blists - more mailing lists