From: "Jarkko Sakkinen" <jarkko@kernel.org>
To: "Jarkko Sakkinen" <jarkko@kernel.org>,
"Herbert Xu" <herbert@gondor.apana.org.au>,
"Linux Crypto Mailing List" <linux-crypto@vger.kernel.org>,
"Guangwu Zhang" <guazhang@redhat.com>
Cc: "Peter Huewe" <peterhuewe@gmx.de>,
"Jason Gunthorpe" <jgg@ziepe.ca>,
<linux-integrity@vger.kernel.org>
Subject: Re: [PATCH] hwrng: core - Add WARN_ON for buggy read return values
Date: Mon, 23 Sep 2024 11:07:13 +0300 [thread overview]
Message-ID: <D4DICMSZJXCG.8X4SU03FPJ4X@kernel.org> (raw)
In-Reply-To: <D4DI1M1ELFXK.2COGZN6O5HABD@kernel.org>
On Mon Sep 23, 2024 at 10:52 AM EEST, Jarkko Sakkinen wrote:
> On Mon Sep 23, 2024 at 9:05 AM EEST, Herbert Xu wrote:
> > Dear TPM maintainers:
>
> There's really only just me (for past 10 years). Maybe that should be
> updatred.
>
> >
> > Please have a look at the tpm hwrng driver because it appears to
> > be returning a length longer than the buffer length that we gave
> > it. In particular, tpm2 appears to be the culprit (though I didn't
> > really check tpm1 at all so it could also be buggy).
> >
> > The following patch hopefully should confirm that this is indeed
> > caused by TPM and not some other HWRNG driver.
>
>
>
>
> >
> > ---8<---
> > If a buggy driver returns a length that is longer than the size
> > of the buffer provided to it, then this may lead to a buffer overread
> > in the caller.
> >
> > Stop this by adding a check for it in the hwrng core.
> >
> > Reported-by: Guangwu Zhang <guazhang@redhat.com>
> > Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
> >
> > diff --git a/drivers/char/hw_random/core.c b/drivers/char/hw_random/core.c
> > index 57c51efa5613..018316f54621 100644
> > --- a/drivers/char/hw_random/core.c
> > +++ b/drivers/char/hw_random/core.c
> > @@ -181,8 +181,15 @@ static inline int rng_get_data(struct hwrng *rng, u8 *buffer, size_t size,
> > int present;
> >
> > BUG_ON(!mutex_is_locked(&reading_mutex));
> > - if (rng->read)
> > - return rng->read(rng, (void *)buffer, size, wait);
> > + if (rng->read) {
> > + int err;
> > +
> > + err = rng->read(rng, buffer, size, wait);
> > + if (WARN_ON_ONCE(err > 0 && err > size))
>
> Are you sure you want to use WARN_ON_ONCE here instead of
> pr_warn_once()? I.e. is it worth of taking down the whole
> kernel?
I looked at tpm2_get_random() and it is pretty inefficient (not same
as saying it has a bug). I'd love to reimplement it.
We would be better of it would pull random let's say with 256 byte
or 512 byte chunks and cache that internal to tpm_chip. Then the
requests would be served from that pre-fetched pool and not do
round-trip to TPM every single time.
This would improve overall kernel performance given the reduced
number of wait states. I wonder if anyone knows what would be a
good fetch size that will work on most TPM2 chips?
BR, Jarkko
next prev parent reply other threads:[~2024-09-23 8:07 UTC|newest]
Thread overview: 26+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-09-23 6:05 [PATCH] hwrng: core - Add WARN_ON for buggy read return values Herbert Xu
2024-09-23 7:52 ` Jarkko Sakkinen
2024-09-23 8:07 ` Jarkko Sakkinen [this message]
2024-09-23 8:09 ` Jarkko Sakkinen
2024-09-23 9:26 ` Herbert Xu
2024-09-23 14:31 ` Jarkko Sakkinen
2024-09-23 14:36 ` Jarkko Sakkinen
2024-09-23 14:48 ` Greg KH
2024-09-23 20:46 ` Jarkko Sakkinen
2024-09-23 22:32 ` Herbert Xu
2024-09-24 16:05 ` Jarkko Sakkinen
2024-09-24 17:43 ` Jarkko Sakkinen
2024-09-27 0:42 ` Herbert Xu
2024-10-07 23:28 ` Jarkko Sakkinen
2025-04-07 5:19 ` Herbert Xu
2025-04-07 6:26 ` [PATCH] tpm: Mask TPM RC in tpm2_start_auth_session() Jarkko Sakkinen
2025-04-07 7:17 ` [PATCH v2] " Jarkko Sakkinen
2025-04-07 7:20 ` [PATCH v3] " Jarkko Sakkinen
2025-04-07 8:04 ` Stefano Garzarella
2025-04-07 11:30 ` Jarkko Sakkinen
2025-04-07 13:20 ` Stefano Garzarella
2025-04-07 12:28 ` [PATCH v4] " Jarkko Sakkinen
2025-04-07 12:32 ` Jarkko Sakkinen
2025-04-07 13:51 ` Stefano Garzarella
2025-04-07 18:13 ` Jarkko Sakkinen
2025-04-08 16:03 ` Jarkko Sakkinen
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=D4DICMSZJXCG.8X4SU03FPJ4X@kernel.org \
--to=jarkko@kernel.org \
--cc=guazhang@redhat.com \
--cc=herbert@gondor.apana.org.au \
--cc=jgg@ziepe.ca \
--cc=linux-crypto@vger.kernel.org \
--cc=linux-integrity@vger.kernel.org \
--cc=peterhuewe@gmx.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.