From: Jarkko Sakkinen <jarkko@kernel.org>
To: "Lai, Yi" <yi1.lai@linux.intel.com>
Cc: linux-integrity@vger.kernel.org, ross.philipson@oracle.com,
Jonathan McDowell <noodles@earth.li>,
Stefano Garzarella <sgarzare@redhat.com>,
Jarkko Sakkinen <jarkko.sakkinen@opinsys.com>,
Roberto Sassu <roberto.sassu@huawei.com>,
Jonathan McDowell <noodles@meta.com>,
Peter Huewe <peterhuewe@gmx.de>, Jason Gunthorpe <jgg@ziepe.ca>,
linux-kernel@vger.kernel.org, yi1.lai@intel.com,
syzkaller-bugs@googlegroups.com
Subject: Re: [PATCH v7 01/11] tpm: Cap the number of PCR banks
Date: Wed, 3 Dec 2025 03:54:54 +0200 [thread overview]
Message-ID: <aS-YbihQhstOlpOg@kernel.org> (raw)
In-Reply-To: <aS-YQjztmfbJCKNd@kernel.org>
On Wed, Dec 03, 2025 at 03:54:15AM +0200, Jarkko Sakkinen wrote:
> On Wed, Dec 03, 2025 at 03:11:59AM +0200, Jarkko Sakkinen wrote:
> > On Wed, Dec 03, 2025 at 08:57:10AM +0800, Lai, Yi wrote:
> > > On Thu, Nov 27, 2025 at 03:54:33PM +0200, Jarkko Sakkinen wrote:
> > > > From: Jarkko Sakkinen <jarkko.sakkinen@opinsys.com>
> > > >
> > > > tpm2_get_pcr_allocation() does not cap any upper limit for the number of
> > > > banks. Cap the limit to eight banks so that out of bounds values coming
> > > > from external I/O cause on only limited harm.
> > > >
> > > > Cc: Roberto Sassu <roberto.sassu@huawei.com>
> > > > Fixes: bcfff8384f6c ("tpm: dynamically allocate the allocated_banks array")
> > > > Reviewed-By: Jonathan McDowell <noodles@meta.com>
> > > > Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@opinsys.com>
> > > > ---
> > > > v7:
> > > > - In Ryzen desktop there is total three banks so yep, eight is probably
> > > > much safer bet than four banks. Fixed the commit message as per remark
> > > > from Jonathan:
> > > >
> > > > https://lore.kernel.org/linux-integrity/aPYg1N0TvrkG6AJI@earth.li/#t
> > > >
> > > > And with that added also reviewed-by.
> > > > v6
> > > > - No changes.
> > > > v5:
> > > > - No changes.
> > > > v4:
> > > > - Revert spurious changes from include/linux/tpm.h.
> > > > - Increase TPM2_MAX_BANKS to 8.
> > > > - Rename TPM2_MAX_BANKS as TPM2_MAX_PCR_BANKS for the sake of clarity.
> > > > v3:
> > > > - Wrote a more clear commit message.
> > > > - Fixed pr_err() message.
> > > > v2:
> > > > - A new patch.
> > > > ---
> > > > drivers/char/tpm/tpm-chip.c | 13 +++++++++----
> > > > drivers/char/tpm/tpm.h | 1 -
> > > > drivers/char/tpm/tpm1-cmd.c | 25 -------------------------
> > > > drivers/char/tpm/tpm2-cmd.c | 8 +++-----
> > > > include/linux/tpm.h | 8 +++++---
> > > > 5 files changed, 17 insertions(+), 38 deletions(-)
> > > >
> > > > diff --git a/drivers/char/tpm/tpm-chip.c b/drivers/char/tpm/tpm-chip.c
> > > > index e25daf2396d3..6cb25862688f 100644
> > > > --- a/drivers/char/tpm/tpm-chip.c
> > > > +++ b/drivers/char/tpm/tpm-chip.c
> > > > @@ -559,14 +559,19 @@ static int tpm_add_hwrng(struct tpm_chip *chip)
> > > >
> > > > static int tpm_get_pcr_allocation(struct tpm_chip *chip)
> > > > {
> > > > - int rc;
> > > > + int rc = 0;
> > > >
> > > > if (tpm_is_firmware_upgrade(chip))
> > > > return 0;
> > > >
> > > > - rc = (chip->flags & TPM_CHIP_FLAG_TPM2) ?
> > > > - tpm2_get_pcr_allocation(chip) :
> > > > - tpm1_get_pcr_allocation(chip);
> > > > + if (!(chip->flags & TPM_CHIP_FLAG_TPM2)) {
> > > > + chip->allocated_banks[0].alg_id = TPM_ALG_SHA1;
> > > > + chip->allocated_banks[0].digest_size = hash_digest_size[HASH_ALGO_SHA1];
> > > > + chip->allocated_banks[0].crypto_id = HASH_ALGO_SHA1;
> > > > + chip->nr_allocated_banks = 1;
> > > > + } else {
> > > > + rc = tpm2_get_pcr_allocation(chip);
> > > > + }
> > > >
> > > > if (rc > 0)
> > > > return -ENODEV;
> > > > diff --git a/drivers/char/tpm/tpm.h b/drivers/char/tpm/tpm.h
> > > > index 2726bd38e5ac..a37712c02e44 100644
> > > > --- a/drivers/char/tpm/tpm.h
> > > > +++ b/drivers/char/tpm/tpm.h
> > > > @@ -252,7 +252,6 @@ int tpm1_pcr_read(struct tpm_chip *chip, u32 pcr_idx, u8 *res_buf);
> > > > ssize_t tpm1_getcap(struct tpm_chip *chip, u32 subcap_id, cap_t *cap,
> > > > const char *desc, size_t min_cap_length);
> > > > int tpm1_get_random(struct tpm_chip *chip, u8 *out, size_t max);
> > > > -int tpm1_get_pcr_allocation(struct tpm_chip *chip);
> > > > unsigned long tpm_calc_ordinal_duration(struct tpm_chip *chip, u32 ordinal);
> > > > int tpm_pm_suspend(struct device *dev);
> > > > int tpm_pm_resume(struct device *dev);
> > > > diff --git a/drivers/char/tpm/tpm1-cmd.c b/drivers/char/tpm/tpm1-cmd.c
> > > > index 11088bda4e68..708bc553437b 100644
> > > > --- a/drivers/char/tpm/tpm1-cmd.c
> > > > +++ b/drivers/char/tpm/tpm1-cmd.c
> > > > @@ -786,28 +786,3 @@ int tpm1_pm_suspend(struct tpm_chip *chip, u32 tpm_suspend_pcr)
> > > >
> > > > return rc;
> > > > }
> > > > -
> > > > -/**
> > > > - * tpm1_get_pcr_allocation() - initialize the allocated bank
> > > > - * @chip: TPM chip to use.
> > > > - *
> > > > - * The function initializes the SHA1 allocated bank to extend PCR
> > > > - *
> > > > - * Return:
> > > > - * * 0 on success,
> > > > - * * < 0 on error.
> > > > - */
> > > > -int tpm1_get_pcr_allocation(struct tpm_chip *chip)
> > > > -{
> > > > - chip->allocated_banks = kcalloc(1, sizeof(*chip->allocated_banks),
> > > > - GFP_KERNEL);
> > > > - if (!chip->allocated_banks)
> > > > - return -ENOMEM;
> > > > -
> > > > - chip->allocated_banks[0].alg_id = TPM_ALG_SHA1;
> > > > - chip->allocated_banks[0].digest_size = hash_digest_size[HASH_ALGO_SHA1];
> > > > - chip->allocated_banks[0].crypto_id = HASH_ALGO_SHA1;
> > > > - chip->nr_allocated_banks = 1;
> > > > -
> > > > - return 0;
> > > > -}
> > > > diff --git a/drivers/char/tpm/tpm2-cmd.c b/drivers/char/tpm/tpm2-cmd.c
> > > > index 7d77f6fbc152..97501c567c34 100644
> > > > --- a/drivers/char/tpm/tpm2-cmd.c
> > > > +++ b/drivers/char/tpm/tpm2-cmd.c
> > > > @@ -538,11 +538,9 @@ ssize_t tpm2_get_pcr_allocation(struct tpm_chip *chip)
> > > >
> > > > nr_possible_banks = be32_to_cpup(
> > > > (__be32 *)&buf.data[TPM_HEADER_SIZE + 5]);
> > > > -
> > > > - chip->allocated_banks = kcalloc(nr_possible_banks,
> > > > - sizeof(*chip->allocated_banks),
> > > > - GFP_KERNEL);
> > > > - if (!chip->allocated_banks) {
> > > > + if (nr_possible_banks > TPM2_MAX_PCR_BANKS) {
> > > > + pr_err("tpm: unexpected number of banks: %u > %u",
> > > > + nr_possible_banks, TPM2_MAX_PCR_BANKS);
> > > > rc = -ENOMEM;
> > > > goto out;
> > > > }
> > > > diff --git a/include/linux/tpm.h b/include/linux/tpm.h
> > > > index dc0338a783f3..eb0ff071bcae 100644
> > > > --- a/include/linux/tpm.h
> > > > +++ b/include/linux/tpm.h
> > > > @@ -26,7 +26,9 @@
> > > > #include <crypto/aes.h>
> > > >
> > > > #define TPM_DIGEST_SIZE 20 /* Max TPM v1.2 PCR size */
> > > > -#define TPM_MAX_DIGEST_SIZE SHA512_DIGEST_SIZE
> > > > +
> > > > +#define TPM2_MAX_DIGEST_SIZE SHA512_DIGEST_SIZE
> > > > +#define TPM2_MAX_PCR_BANKS 8
> > > >
> > > > struct tpm_chip;
> > > > struct trusted_key_payload;
> > > > @@ -68,7 +70,7 @@ enum tpm2_curves {
> > > >
> > > > struct tpm_digest {
> > > > u16 alg_id;
> > > > - u8 digest[TPM_MAX_DIGEST_SIZE];
> > > > + u8 digest[TPM2_MAX_DIGEST_SIZE];
> > > > } __packed;
> > > >
> > > > struct tpm_bank_info {
> > > > @@ -189,7 +191,7 @@ struct tpm_chip {
> > > > unsigned int groups_cnt;
> > > >
> > > > u32 nr_allocated_banks;
> > > > - struct tpm_bank_info *allocated_banks;
> > > > + struct tpm_bank_info allocated_banks[TPM2_MAX_PCR_BANKS];
> > > > #ifdef CONFIG_ACPI
> > > > acpi_handle acpi_dev_handle;
> > > > char ppi_version[TPM_PPI_VERSION_LEN + 1];
> > > > --
> > > > 2.52.0
> > > >
> > >
> > > Hi Jarkko Sakkinen,
> > >
> > > Greetings!
> > >
> > > I used Syzkaller and found that there is KASAN: invalid-free in tpm_dev_release in linux-tpmdd branch tpmdd-next-6.19-rc1-v3.
> > >
> > > After bisection and the first bad commit is:
> > > "
> > > 83f6ace27d21 tpm: Cap the number of PCR banks
> >
> > Thank you. I updated the patch in my branch:
> >
> > https://git.kernel.org/pub/scm/linux/kernel/git/jarkko/linux-tpmdd.git/commit/?id=bb731e948843a947b2b7e51552c1387e2c377e03
> >
> > Possible to re-test (I can add your tested-by afterwards)?
>
> I mean tested-by AND reported-by.
Duh. Only tested-by since the patch is not yet in mainline (sorry) :-)
BR, Jarkko
next prev parent reply other threads:[~2025-12-03 1:54 UTC|newest]
Thread overview: 27+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-11-27 13:54 [PATCH v7 00/11] Prepare TPM driver for Trenchboot Jarkko Sakkinen
2025-11-27 13:54 ` [PATCH v7 01/11] tpm: Cap the number of PCR banks Jarkko Sakkinen
2025-11-27 16:09 ` Roberto Sassu
2025-11-27 17:14 ` Jarkko Sakkinen
2025-11-27 17:17 ` Roberto Sassu
2025-11-27 18:52 ` Jarkko Sakkinen
2025-11-28 9:21 ` Roberto Sassu
2025-11-28 15:10 ` Jarkko Sakkinen
2025-11-28 18:05 ` Jarkko Sakkinen
2025-12-03 0:57 ` Lai, Yi
2025-12-03 1:11 ` Jarkko Sakkinen
2025-12-03 1:26 ` Lai, Yi
2025-12-03 2:03 ` Jarkko Sakkinen
2025-12-03 1:54 ` Jarkko Sakkinen
2025-12-03 1:54 ` Jarkko Sakkinen [this message]
2025-11-27 13:54 ` [PATCH v7 02/11] tpm: Use -EPERM as fallback error code in tpm_ret_to_err Jarkko Sakkinen
2025-11-27 13:54 ` [PATCH v7 03/11] KEYS: trusted: remove redundant instance of tpm2_hash_map Jarkko Sakkinen
2025-11-27 17:45 ` Jonathan McDowell
2025-11-27 19:03 ` Jarkko Sakkinen
2025-11-27 13:54 ` [PATCH v7 04/11] KEYS: trusted: Fix memory leak in tpm2_load() Jarkko Sakkinen
2025-11-27 13:54 ` [PATCH v7 05/11] KEYS: trusted: Use tpm_ret_to_err() in trusted_tpm2 Jarkko Sakkinen
2025-11-27 13:54 ` [PATCH v7 06/11] tpm2-sessions: Remove 'attributes' from tpm_buf_append_auth Jarkko Sakkinen
2025-11-27 13:54 ` [PATCH v7 07/11] tpm2-sessions: Unmask tpm_buf_append_hmac_session() Jarkko Sakkinen
2025-11-27 13:54 ` [PATCH v7 08/11] KEYS: trusted: Open code tpm2_buf_append() Jarkko Sakkinen
2025-11-27 13:54 ` [PATCH v7 09/11] tpm-buf: unify TPM_BUF_BOUNDARY_ERROR and TPM_BUF_OVERFLOW Jarkko Sakkinen
2025-11-27 13:54 ` [PATCH v7 10/11] tpm-buf: Remove chip parameter from tpm_buf_append_handle Jarkko Sakkinen
2025-11-27 13:54 ` [PATCH v7 11/11] tpm-buf: Enable managed and stack allocations Jarkko Sakkinen
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=aS-YbihQhstOlpOg@kernel.org \
--to=jarkko@kernel.org \
--cc=jarkko.sakkinen@opinsys.com \
--cc=jgg@ziepe.ca \
--cc=linux-integrity@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=noodles@earth.li \
--cc=noodles@meta.com \
--cc=peterhuewe@gmx.de \
--cc=roberto.sassu@huawei.com \
--cc=ross.philipson@oracle.com \
--cc=sgarzare@redhat.com \
--cc=syzkaller-bugs@googlegroups.com \
--cc=yi1.lai@intel.com \
--cc=yi1.lai@linux.intel.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.