From: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
To: Stefan Berger <stefanb@linux.vnet.ibm.com>
Cc: tpmdd-devel@lists.sourceforge.net, linux-security-module@vger.kernel.org
Subject: Re: [PATCH] tpm: check size of response before accessing data
Date: Tue, 10 Jan 2017 10:55:04 +0200 [thread overview]
Message-ID: <20170110085504.vq75huvlysafoeem@intel.com> (raw)
In-Reply-To: <e552f37e-9b82-96a6-69e1-9398520bf5dd@linux.vnet.ibm.com>
On Mon, Jan 09, 2017 at 07:15:29PM -0500, Stefan Berger wrote:
> On 01/09/2017 05:59 PM, Jarkko Sakkinen wrote:
> > On Mon, Jan 09, 2017 at 01:09:31PM -0500, Stefan Berger wrote:
> > > On 01/09/2017 11:05 AM, Jarkko Sakkinen wrote:
> > > > On Thu, Jan 05, 2017 at 07:11:24AM -0500, Stefan Berger wrote:
> > > > > Check the size of the response before accesing data in
> > > > > the response packet. This is to avoid accessing data beyond
> > > > > the end of the response.
> > > > >
> > > > > Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
> > > > How on earth this could happen if we request only one property?
> > > My test program vtpmctrl ( https://github.com/stefanberger/linux-vtpm-tests
> > > ) didn't feed the kernel a proper response to a TPM command and that's why
> > > this code blew up. We do have a very basic check in the driver and otherwise
> > > assume that the TPM is a trusted device responding with an expected
> > > response.
> > Hmm.... I guess I could add this check but I'll have to probably
> > do a similar check at least in one other place in this patch set
> > where I grab the metadata for commands.
> >
> > I guess similar issues will arise as the virtual TPMs get more
> > common. For now I think a good guideline is
> >
> > 1. For new code check that validation for message size is in place.
>
> Before accessing data in the response, make sure we don't access beyond the
> number of bytes returned.
>
> > 2. Fix the old code as you bump into issus.
>
> It doesn't look too bad. I would rebase my current patch on your master tree
> and submit a few small other ones with it. Agrred?
Hmm. Are you talking about stuff you are adding to the tpm2-space.c.
For me it is less trouble to add checks myself than applying 3rd party
patches while preparing the next patch set version. This is only
overhead for me and I will anyway would squash these checks to my
own commits.
>
> Stefan
>
/Jarkko
> >
> > /Jarkko
> >
>
prev parent reply other threads:[~2017-01-10 8:55 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-01-05 12:11 [PATCH] tpm: check size of response before accessing data Stefan Berger
[not found] ` <1483618284-3470-1-git-send-email-stefanb-23VcF4HTsmIX0ybBhKVfKdBPR1lH4CV8@public.gmane.org>
2017-01-05 12:14 ` [PATCH] tpm: check size of response before accessingdata Stefan Berger
2017-01-09 16:05 ` [PATCH] tpm: check size of response before accessing data Jarkko Sakkinen
[not found] ` <20170109160538.gwvksj253wl2v5oy-ral2JQCrhuEAvxtiuMwx3w@public.gmane.org>
2017-01-09 16:15 ` Jason Gunthorpe
2017-01-09 18:09 ` Stefan Berger
2017-01-09 22:59 ` Jarkko Sakkinen
2017-01-10 0:15 ` Stefan Berger
2017-01-10 8:55 ` Jarkko Sakkinen [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20170110085504.vq75huvlysafoeem@intel.com \
--to=jarkko.sakkinen@linux.intel.com \
--cc=linux-security-module@vger.kernel.org \
--cc=stefanb@linux.vnet.ibm.com \
--cc=tpmdd-devel@lists.sourceforge.net \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.