lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-Id: <D3GPGYHWPGFL.1S13HXY9ALZCU@kernel.org>
Date: Thu, 15 Aug 2024 21:44:01 +0300
From: "Jarkko Sakkinen" <jarkko@...nel.org>
To: "Jonathan McDowell" <noodles@...th.li>,
 <linux-integrity@...r.kernel.org>
Cc: <linux-kernel@...r.kernel.org>, "Peter Huewe" <peterhuewe@....de>,
 "Jason Gunthorpe" <jgg@...pe.ca>
Subject: Re: [RFC] [PATCH] tpm: Clean up TPM space after command failure

On Wed Aug 14, 2024 at 7:19 PM EEST, Jonathan McDowell wrote:
> We've been seeing a problem where TPM commands time out, which if
> they're the last command before the TPM device is closed causes a leak
> of transient handles. They can be seen and cleaned up (with a flush
> context) if the /dev/tpm0 device is used instead of /dev/tpmrm0, but it
> seems like we should be doing this automatically on the transmit error
> path. Patch below adds a tpm2_flush_space on error to avoid this.
>
> Does this seem reasonable? The other query is whether tpm2_del_space
> should cleanup the contexts as well, rather than just the sessions.
>
> (Obviously in an ideal world we wouldn't see the timeouts at all, and
> I'm still trying to work on getting to the bottom of these, which are
> generally infrequent, but happening enough across our fleet that we were
> able to observe this handle leak.)

Seems reasonable without this story ;-) I get that this is here because
of query np.

>
> From: Jonathan McDowell <noodles@...a.com>
>
> tpm_dev_transmit prepares the TPM space before attempting command
> transmission. However if the command fails no rollback of this
> preparation is done. This can result in transient handles being leaked
> if the device is subsequently closed with no further commands performed.
>
> Fix this by flushing the space in the event of command transmission
> failure.
>
> Signed-off-by: Jonathan McDowell <noodles@...a.com>

I would consider fixes tag for this even! I think it can be
classified as a minor bug. I implemented this feature together
with James Bottomley so would be nice to get some feedback
also from him (as a sanity check)>

>
> ---

Just as a tip: if you put stuff here like supplemental commets the won't
get included when the commit is finally applied (also a popular place
for change log).

>  drivers/char/tpm/tpm-dev-common.c | 2 ++
>  1 file changed, 2 insertions(+)
>
> diff --git a/drivers/char/tpm/tpm-dev-common.c b/drivers/char/tpm/tpm-dev-common.c
> index 30b4c288c1bb..c3fbbf4d3db7 100644
> --- a/drivers/char/tpm/tpm-dev-common.c
> +++ b/drivers/char/tpm/tpm-dev-common.c
> @@ -47,6 +47,8 @@ static ssize_t tpm_dev_transmit(struct tpm_chip *chip, struct tpm_space *space,
>  
>  	if (!ret)
>  		ret = tpm2_commit_space(chip, space, buf, &len);
> +	else
> +		tpm2_flush_space(chip);
>  
>  out_rc:
>  	return ret ? ret : len;

Can you send v2 with fixes tag and James as cc.

Since you have such a long cover letter you could possibly:

git format-patch -1 -v2 --cover-letter

Then just move that text in front to 00/01.

BR, Jarkko

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ