From: Jarkko Sakkinen
Subject: Re: [PATCH] tpm: check size of response before accessing data
Date: Tue, 10 Jan 2017 00:59:54 +0200
Message-ID: <20170109225954.zcd3ep4ul6o7x3ly@intel.com>
References: <1483618284-3470-1-git-send-email-stefanb@linux.vnet.ibm.com> <20170109160538.gwvksj253wl2v5oy@intel.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Return-path:
Content-Disposition: inline
In-Reply-To:
Sender: owner-linux-security-module@vger.kernel.org
To: Stefan Berger
Cc: tpmdd-devel@lists.sourceforge.net, linux-security-module@vger.kernel.org
List-Id: tpmdd-devel@lists.sourceforge.net

On Mon, Jan 09, 2017 at 01:09:31PM -0500, Stefan Berger wrote:
> On 01/09/2017 11:05 AM, Jarkko Sakkinen wrote:
> > On Thu, Jan 05, 2017 at 07:11:24AM -0500, Stefan Berger wrote:
> > > Check the size of the response before accessing data in
> > > the response packet. This is to avoid accessing data beyond
> > > the end of the response.
> > >
> > > Signed-off-by: Stefan Berger
> >
> > How on earth could this happen if we request only one property?
>
> My test program vtpmctrl ( https://github.com/stefanberger/linux-vtpm-tests
> ) didn't feed the kernel a proper response to a TPM command and that's why
> this code blew up. We do have a very basic check in the driver and otherwise
> assume that the TPM is a trusted device responding with an expected
> response.

Hmm.... I guess I could add this check but I'll have to probably do a similar
check at least in one other place in this patch set where I grab the metadata
for commands. I guess similar issues will arise as the virtual TPMs get more
common. For now I think a good guideline is

1. For new code check that validation for message size is in place.
2. Fix the old code as you bump into issues.

/Jarkko
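The guideline above (validate the message size before touching any field of a TPM response) is easier to apply with a parser that cannot read past the buffer. The following is an added example written for this page, not the kernel driver's code nor the patch under discussion. It uses the TPM 2.0 wire layout of a GetCapability(TPM_CAP_TPM_PROPERTIES) response from the TPM 2.0 Library Specification; the cursor type, the RSP_* error codes and the three sample responses are this example's own constructions, and the sample bytes are hand-built, not captured from a real or virtual TPM.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * TPM 2.0 response, all fields big-endian (layout per the TPM 2.0 spec):
 *   tag(2) | responseSize(4) | responseCode(4)
 * then, for TPM2_GetCapability(TPM_CAP_TPM_PROPERTIES):
 *   moreData(1) | capability(4) | count(4) | { property(4) | value(4) } * count
 */
#define TPM_HEADER_SIZE          10u
#define TPM2_RC_SUCCESS          0x00000000u
#define TPM2_CAP_TPM_PROPERTIES  0x00000006u
#define TPM2_PT_FAMILY_INDICATOR 0x00000100u

/* Error codes are this example's own, not kernel or spec names. */
enum { RSP_OK = 0, RSP_SHORT = -1, RSP_BAD_SIZE = -2, RSP_TPM_ERROR = -3,
       RSP_TRUNCATED = -4, RSP_WRONG_CAP = -5, RSP_NOT_FOUND = -6 };

/* Bounds-checked cursor: every read is checked against the declared end. */
struct rsp_cursor { const uint8_t *p; size_t len; size_t pos; };

static int take(struct rsp_cursor *c, size_t n, const uint8_t **out)
{
    if (c->len - c->pos < n)            /* pos <= len always holds: no underflow */
        return RSP_TRUNCATED;
    *out = c->p + c->pos;
    c->pos += n;
    return RSP_OK;
}

static int get_be16(struct rsp_cursor *c, uint16_t *v)
{
    const uint8_t *b;
    int rc = take(c, 2, &b);
    if (rc == RSP_OK) *v = (uint16_t)((b[0] << 8) | b[1]);
    return rc;
}

static int get_be32(struct rsp_cursor *c, uint32_t *v)
{
    const uint8_t *b;
    int rc = take(c, 4, &b);
    if (rc == RSP_OK)
        *v = ((uint32_t)b[0] << 24) | ((uint32_t)b[1] << 16) |
             ((uint32_t)b[2] << 8) | b[3];
    return rc;
}

/*
 * Return the value of tagged property `want` from a GetCapability response.
 * No byte is read before checking that it lies inside both the received
 * buffer and the size the TPM itself declared in the header.
 */
int tpm2_parse_property_rsp(const uint8_t *rsp, size_t rsp_len,
                            uint32_t want, uint32_t *value)
{
    struct rsp_cursor c = { rsp, rsp_len, 0 };
    const uint8_t *more;
    uint16_t tag;
    uint32_t size, code, cap, count, i;

    if (rsp_len < TPM_HEADER_SIZE)
        return RSP_SHORT;                   /* short read: not even a header */
    get_be16(&c, &tag);
    get_be32(&c, &size);
    get_be32(&c, &code);
    /* The TPM's own length must be self-consistent and not exceed what arrived. */
    if (size < TPM_HEADER_SIZE || size > rsp_len)
        return RSP_BAD_SIZE;
    c.len = size;                           /* never parse past the declared size */
    if (code != TPM2_RC_SUCCESS)
        return RSP_TPM_ERROR;               /* error responses carry no body */

    if (take(&c, 1, &more) || get_be32(&c, &cap) || get_be32(&c, &count))
        return RSP_TRUNCATED;
    if (cap != TPM2_CAP_TPM_PROPERTIES)
        return RSP_WRONG_CAP;
    for (i = 0; i < count; i++) {
        uint32_t prop, val;
        /* A count larger than the bytes remaining fails here instead of over-reading. */
        if (get_be32(&c, &prop) || get_be32(&c, &val))
            return RSP_TRUNCATED;
        if (prop == want) { *value = val; return RSP_OK; }
    }
    return RSP_NOT_FOUND;
}

/* Constructed samples (hand-built for this example, not captured from a TPM). */
static const uint8_t good_rsp[] = {          /* size 27, RC 0, one property */
    0x80, 0x01, 0x00, 0x00, 0x00, 0x1B, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x06, 0x00, 0x00, 0x00, 0x01,
    0x00, 0x00, 0x01, 0x00, 0x32, 0x2E, 0x30, 0x00 };   /* FAMILY_INDICATOR = "2.0" */
static const uint8_t short_rsp[] = {         /* header claims 27 bytes, 19 arrived */
    0x80, 0x01, 0x00, 0x00, 0x00, 0x1B, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x06, 0x00, 0x00, 0x00, 0x01 };
static const uint8_t lying_count_rsp[] = {   /* size 19 is consistent, count=1 has no bytes */
    0x80, 0x01, 0x00, 0x00, 0x00, 0x13, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x06, 0x00, 0x00, 0x00, 0x01 };

int main(void)
{
    uint32_t v = 0;
    int rc = tpm2_parse_property_rsp(good_rsp, sizeof good_rsp, TPM2_PT_FAMILY_INDICATOR, &v);
    printf("good: rc=%d value=0x%08x\n", rc, v);
    printf("short: rc=%d\n", tpm2_parse_property_rsp(short_rsp, sizeof short_rsp, TPM2_PT_FAMILY_INDICATOR, &v));
    printf("lying count: rc=%d\n", tpm2_parse_property_rsp(lying_count_rsp, sizeof lying_count_rsp, TPM2_PT_FAMILY_INDICATOR, &v));
    return 0;
}
```

The two malformed samples model the situations a misbehaving virtual TPM can produce: a header whose size field exceeds the bytes actually received, and a body whose element count promises more entries than the declared size can hold. Both are rejected before any field past the end is dereferenced, which is the check the "validation for message size" guideline asks for.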