From: Jeff Garzik <jgarzik@pobox.com>
To: Kylene Hall <kjhall@us.ibm.com>
Cc: Greg K-H <greg@kroah.com>, linux-kernel@vger.kernel.org
Subject: Re: [PATCH] Add TPM hardware enablement driver
Date: Tue, 22 Mar 2005 21:02:24 -0500
Message-ID: <4240CE30.2060105@pobox.com>
In-Reply-To: <Pine.LNX.4.61.0503161811020.5212@jo.austin.ibm.com>

Kylene Hall wrote:
>>what is the purpose of this pci_dev_get/put?  attempting to prevent hotplug or
>>something?
> 
> 
> Seems that since there is a reference to the device in the chip structure 
> and I am making the file private data pointer point to that chip structure 
> this is another reference that must be accounted for. If you remove it 
> with it open and attempt read or write bad things will happen.  This isn't 
> really hotpluggable either as the TPM is on the motherboard.

My point was that there will always be a reference -anyway-, AFAICS. 
There is a pci_dev reference assigned to the pci_driver when the PCI 
driver is loaded, and all uses by the TPM generic code of this pointer 
are -inside- the pci_driver's pci_dev object lifetime.


>>>+
>>>+	/* cannot perform a write until the read has cleared
>>>+	   either via tpm_read or a user_read_timer timeout */
>>>+	while (atomic_read(&chip->data_pending) != 0) {
>>>+		set_current_state(TASK_UNINTERRUPTIBLE);
>>>+		schedule_timeout(TPM_TIMEOUT);
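
Review bot: The wait on chip->data_pending in this loop sleeps in TASK_UNINTERRUPTIBLE, so a writer queued behind an unread result cannot be interrupted by a signal and stays blocked until tpm_read or the user_read_timer timeout clears the flag. Consider an interruptible sleep here (msleep_interruptible(), or TASK_INTERRUPTIBLE with a signal_pending(current) check) and returning -ERESTARTSYS to the caller when a signal arrives.
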
>>
> 
>>use msleep()
> 
> 
> addressed in another patch by Nish
> 
> 
>>>+	/* atomic tpm command send and result receive */
>>>+	out_size = tpm_transmit(chip, chip->data_buffer, TPM_BUFSIZE);
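
Review bot: The tpm_transmit() call passes TPM_BUFSIZE as the length, while the discussion states that only in_size bytes of chip->data_buffer are filled from the user on this write. The bytes from in_size up to TPM_BUFSIZE are whatever an earlier command or result left in the buffer, so they are handed over together with the new command. Clear the buffer before the copy_from_user, for example memset(chip->data_buffer, 0, TPM_BUFSIZE), so that nothing from a previous caller is carried along.
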
>>
>>major bug?  in_size may be smaller than TPM_BUFSIZE
> 
> 
> chip->data_buffer is allocated in open and is always this size.  The 
> operation needs to be atomic so the big buffer is to cover the size of a 
> potentially larger result.  Only reading in_size from the user with 
> copy_from_user

You output -more- data than you have input.

AFAICS that's a security bug (data leak), unless you memset the data 
area beforehand.

	Jeff
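
The stale-buffer concern raised in this message, as an added userspace model that is not part of the original message or of the TPM driver. The names chip_model, write_unsafe, write_cleared and leak_demo, the 64-byte BUFSIZE and the command bytes are constructed for illustration; memcpy stands in for copy_from_user.

```c
#include <stdio.h>
#include <string.h>

#define BUFSIZE 64   /* stand-in for TPM_BUFSIZE; the value is constructed */

/* Hypothetical model of the per-chip buffer, which outlives any one command. */
struct chip_model { unsigned char data_buffer[BUFSIZE]; };

/* Count non-zero bytes in [in_size, len): leftovers the caller never supplied. */
static size_t stale_bytes(const unsigned char *buf, size_t in_size, size_t len)
{
	size_t i, n = 0;
	for (i = in_size; i < len; i++)
		if (buf[i] != 0)
			n++;
	return n;
}

/* Pattern under review: fill in_size bytes, hand over the whole buffer. */
size_t write_unsafe(struct chip_model *chip, const void *user, size_t in_size)
{
	if (in_size > BUFSIZE)
		in_size = BUFSIZE;
	memcpy(chip->data_buffer, user, in_size);   /* models copy_from_user() */
	return stale_bytes(chip->data_buffer, in_size, BUFSIZE);
}

/* Mitigation named in the reply: clear the data area beforehand. */
size_t write_cleared(struct chip_model *chip, const void *user, size_t in_size)
{
	if (in_size > BUFSIZE)
		in_size = BUFSIZE;
	memset(chip->data_buffer, 0, BUFSIZE);
	memcpy(chip->data_buffer, user, in_size);
	return stale_bytes(chip->data_buffer, in_size, BUFSIZE);
}

/* Constructed scenario: a 48-byte earlier result, then a 10-byte command. */
size_t leak_demo(int cleared)
{
	struct chip_model chip = { {0} };
	const unsigned char cmd[10] = { 0x00, 0xC1, 0x00, 0x00, 0x00, 0x0A };
	memset(chip.data_buffer, 0xAA, 48);         /* leftover from earlier use */
	return cleared ? write_cleared(&chip, cmd, sizeof cmd)
	               : write_unsafe(&chip, cmd, sizeof cmd);
}

int main(void)
{
	printf("stale bytes sent, uncleared: %zu\n", leak_demo(0));
	printf("stale bytes sent, cleared:   %zu\n", leak_demo(1));
	return 0;
}
```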


