Date:   Tue, 7 Jan 2020 13:51:59 -0500
From:   Laura Abbott <labbott@...hat.com>
To:     Tadeusz Struk <tadeusz.struk@...el.com>,
        Jarkko Sakkinen <jarkko.sakkinen@...ux.intel.com>
Cc:     "linux-integrity@...r.kernel.org" <linux-integrity@...r.kernel.org>,
        Linux Kernel Mailing List <linux-kernel@...r.kernel.org>,
        Kees Cook <keescook@...omium.org>
Subject: Bad usercopy from tpm after d23d12484307 ("tpm: fix invalid locking in NONBLOCKING mode")

Hi,

Fedora got two bug reports (https://bugzilla.redhat.com/show_bug.cgi?id=1788653
and https://bugzilla.redhat.com/show_bug.cgi?id=1788257) of a usercopy bug from
tpm:

[   67.037526] usercopy: Kernel memory exposure attempt detected from wrapped address (offset 0, size 18446634686907596985)!
[   67.037541] ------------[ cut here ]------------
[   67.037543] kernel BUG at mm/usercopy.c:99!
[   67.037550] invalid opcode: 0000 [#1] SMP PTI
[   67.037553] CPU: 1 PID: 3277 Comm: tpm2-abrmd Not tainted 5.4.7-200.fc31.x86_64 #1
[   67.037555] Hardware name: Dell Inc. Latitude 5580/0FH6CJ, BIOS 1.16.0 07/03/2019
[   67.037562] RIP: 0010:usercopy_abort+0x77/0x79
[   67.037565] Code: 4c 0f 45 de 51 4c 89 d1 48 c7 c2 e3 ce 35 b0 57 48 c7 c6 30 80 34 b0 48 c7 c7 a8 cf 35 b0 48 0f 45 f2 4c 89 da e8 50 6c e4 ff <0f> 0b 4c 89 e1 49 89 d8 44 89 ea 31 f6 48 29 c1 48 c7 c7 25 cf 35
[   67.037567] RSP: 0018:ffffae5b42eabe48 EFLAGS: 00010246
[   67.037570] RAX: 000000000000006d RBX: ffffffffffffffff RCX: 0000000000000000
[   67.037572] RDX: 0000000000000000 RSI: ffff9c83b6257908 RDI: ffff9c83b6257908
[   67.037574] RBP: ffff9c836686c0b9 R08: ffff9c83b6257908 R09: 000000000000007c
[   67.037576] R10: ffffae5b42eabcf8 R11: 0000000000000000 R12: ffff9c836686c0ba
[   67.037578] R13: 0000000000000001 R14: ffff9c836686c010 R15: ffff9c836686c0ba
[   67.037580] FS:  00007fb2dbfff700(0000) GS:ffff9c83b6240000(0000) knlGS:0000000000000000
[   67.037582] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   67.037584] CR2: 00007fc1137f3e00 CR3: 00000002205c4002 CR4: 00000000003606e0
[   67.037586] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[   67.037588] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[   67.037589] Call Trace:
[   67.037595]  __check_object_size.cold+0x46/0x80
[   67.037600]  tpm_common_read+0x74/0x140
[   67.037605]  vfs_read+0x9d/0x150
[   67.037610]  ksys_read+0x5f/0xe0
[   67.037615]  do_syscall_64+0x5b/0x1a0
[   67.037620]  entry_SYSCALL_64_after_hwframe+0x44/0xa9

I think this is related to d23d12484307 ("tpm: fix invalid locking in NONBLOCKING mode").
Specifically, if tpm_try_get_ops fails I don't think we should be putting the error
code in priv->response_length, since tpm_common_read doesn't seem to account for
negative errno values.

I don't have a reproducer since this was just what was reported to Fedora's bug
reporter, but both reports happened after that commit landed in stable.

Thanks,
Laura
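The defect class described in the mail above (a negative errno stored in an unsigned length field, where any nonzero value is then taken as a pending response length), modeled in user space as an added example; this is not the kernel's code and not part of the original mail, and every struct and function name in it is hypothetical:

```c
/* Added example, not the kernel's code: a user-space model of the defect
 * class in this report; every name here is hypothetical. */
#include <errno.h>
#include <stdint.h>
#include <string.h>
#include <sys/types.h>
#define BUFSIZE 16
struct buggy_priv { size_t  response_length; unsigned char data_buffer[BUFSIZE]; };
struct fixed_priv { ssize_t response_length; unsigned char data_buffer[BUFSIZE]; };

/* Modeled on hardened usercopy's wrap test: an object that would wrap past
 * the end of the address space is rejected (1 = the copy would be aborted). */
int usercopy_would_wrap(uintptr_t ptr, size_t n)
{
    return n != 0 && ptr + (n - 1) < ptr;
}

/* Buggy path: the helper's -errno is stored unchanged, so the field is
 * nonzero ("response pending") and -EIO becomes (size_t)-5 as a length. */
size_t buggy_copy_len(int rc)
{
    struct buggy_priv p = { 0 };
    p.response_length = rc;            /* implicit int -> size_t */
    return p.response_length;          /* what the copy would be asked for */
}

/* Fixed path: signed field; a stored errno is returned once, never used
 * as a byte count. Returns bytes copied or -errno. */
ssize_t fixed_read(struct fixed_priv *p, unsigned char *out, size_t size)
{
    ssize_t n = p->response_length;
    if (n < 0) {
        p->response_length = 0;        /* consume the error */
        return n;
    }
    if ((size_t)n > size)
        n = (ssize_t)size;
    memcpy(out, p->data_buffer, (size_t)n);
    p->response_length -= n;
    return n;
}

/* Store a status, read once; returns the read result or, if want_left is
 * set, the length still pending after that read. */
ssize_t fixed_after(ssize_t stored, size_t size, int want_left)
{
    struct fixed_priv p = { 0 };
    unsigned char out[BUFSIZE];
    ssize_t r = (p.response_length = stored, fixed_read(&p, out, size));
    return want_left ? p.response_length : r;
}
```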
