lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <0e70681f-85c2-43f9-822a-2e07776c37c9@amd.com>
Date: Wed, 28 Feb 2024 16:46:57 +0530
From: Shyam Sundar S K <Shyam-sundar.S-k@....com>
To: Ilpo Järvinen <ilpo.jarvinen@...ux.intel.com>,
 Armin Wolf <W_Armin@....de>
Cc: Hans de Goede <hdegoede@...hat.com>, platform-driver-x86@...r.kernel.org,
 LKML <linux-kernel@...r.kernel.org>
Subject: Re: [PATCH v2 2/2] platform/x86/amd/pmf: Fix possible out-of-bound
 memory accesses

Hi Ilpo,

On 2/27/2024 21:15, Ilpo Järvinen wrote:
> Hi Shyam & Armin,
> 
> Shyam, please take a look at the question below.
> 
> On Tue, 27 Feb 2024, Armin Wolf wrote:
> 
>> The length of the policy buffer is not validated before accessing it,
>> which means that multiple out-of-bounds memory accesses can occur.
>>
>> This is especially bad since userspace can load policy binaries over
>> debugfs.
> 

IMO, this patch is not required, reason being:
- the debugfs patch gets created only when CONFIG_AMD_PMF_DEBUG is
enabled.
- Sideload of policy binaries is only supported with a valid signing
key. (think like this can be tested & verified within AMD environment)
- Also, in amd_pmf_get_pb_data() there are boundary conditions that
are being checked. Is that not sufficient enough?

>> +	if (dev->policy_sz < POLICY_COOKIE_LEN + sizeof(length))
>> +		return -EINVAL;
>> +
>>  	cookie = *(u32 *)(dev->policy_buf + POLICY_COOKIE_OFFSET);
>>  	length = *(u32 *)(dev->policy_buf + POLICY_COOKIE_LEN);
> 
> This starts to feel like adding a struct for the header(?) would be better
> course of action here as then one could compare against sizeof(*header) 
> and avoid all those casts (IMO, just access the header fields directly 
> w/o the local variables).
Not sure if I get your question clearly. Can you elaborate a bit more
on the struct you are envisioning?

but IHMO, we actually don't need a struct - as all that we would need
is to make sure the signing cookie is part of the policy binary and
leave the rest of the error handling to ASP/TEE modules (we can rely
on the feedback from those modules).

> 
> Shyam, do you think a struct makes sense here? There's some header in 
> this policy, right?

Yes, the policy binary on a whole has multiple sections within it and
there are multiple headers (like signing, OEM header, etc).

But that might be not real interest to the PMF driver. The only thing
the driver has to make sure is that the policy binary going into ASP
(AMD Secure Processor) is with in the limits and has a valid signing
cookie. So this part is already taken care in the current code.

> 
> 
> There are more thing to address here...
> 
> 1) amd_pmf_start_policy_engine() function returns -EINVAL & res that is 
>    TA_PMF_* which inconsistent in type of the return value
> 

ah! it has mix of both int and u32 :-)

Armin, would you like to amend this in your current series? or else I
will submit a change for this in my next series.

Thanks,
Shyam

> 2) Once 1) is fixed, the caller shadowing the return code can be fixed as 
>    well:
>         ret = amd_pmf_start_policy_engine(dev);
>         if (ret)
>                 return -EINVAL;
> 
> 

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ