From: Jarkko Sakkinen <jarkko@kernel.org>
To: Jonathan McDowell <noodles@earth.li>
Cc: linux-integrity@vger.kernel.org, Peter Huewe <peterhuewe@gmx.de>,
Jason Gunthorpe <jgg@ziepe.ca>,
open list <linux-kernel@vger.kernel.org>,
stable@vger.kernel.org,
James Bottomley <James.Bottomley@hansenpartnership.com>,
Mimi Zohar <zohar@linux.ibm.com>,
David Howells <dhowells@redhat.com>,
Paul Moore <paul@paul-moore.com>,
James Morris <jmorris@namei.org>,
"Serge E. Hallyn" <serge@hallyn.com>,
Ard Biesheuvel <ardb@kernel.org>,
"open list:KEYS-TRUSTED" <keyrings@vger.kernel.org>,
"open list:SECURITY SUBSYSTEM"
<linux-security-module@vger.kernel.org>
Subject: Re: [PATCH v3 1/4] tpm2-sessions: fix out of range indexing in name_size
Date: Thu, 4 Dec 2025 20:47:34 +0200
Message-ID: <aTHXRuvbUkCiQQAL@kernel.org>
In-Reply-To: <aTGkno0fzQMHXc7X@earth.li>

On Thu, Dec 04, 2025 at 03:11:26PM +0000, Jonathan McDowell wrote:
> On Thu, Dec 04, 2025 at 12:12:11AM +0200, Jarkko Sakkinen wrote:
> > 'name_size' does not have any range checks, and it just directly indexes
> > with TPM_ALG_ID, which could lead into memory corruption at worst.
> >
> > Address the issue by only processing known values and returning -EINVAL for
> > unrecognized values.
> >
> > Make also 'tpm_buf_append_name' and 'tpm_buf_fill_hmac_session' fallible so
> > that errors are detected before causing any spurious TPM traffic.
> >
> > End also the authorization session on failure in both of the functions, as
> > the session state would be then by definition corrupted.
> >
> > Cc: stable@vger.kernel.org # v6.10+
> > Fixes: 1085b8276bb4 ("tpm: Add the rest of the session HMAC API")
> > Signed-off-by: Jarkko Sakkinen <jarkko@kernel.org>
>
> A minor whitespace query below, but:
>
> Reviewed-by: Jonathan McDowell <noodles@meta.com>

Thanks. I updated the commit and removed the extra whitespace.

BR, Jarkko

Thread overview: 9+ messages
2025-12-03 22:12 [PATCH v3 0/4] tpm2-sessions: Fixes for v6.19-rc2 Jarkko Sakkinen
2025-12-03 22:12 ` [PATCH v3 1/4] tpm2-sessions: fix out of range indexing in name_size Jarkko Sakkinen
2025-12-04 15:11 ` Jonathan McDowell
2025-12-04 18:47 ` Jarkko Sakkinen [this message]
2025-12-03 22:12 ` [PATCH v3 2/4] tpm2-sessions: Fix tpm2_read_public range checks Jarkko Sakkinen
2025-12-04 15:20 ` Jonathan McDowell
2025-12-04 18:49 ` Jarkko Sakkinen
2025-12-03 22:12 ` [PATCH v3 3/4] tpm2-sessions: Remove 'attributes' parameter from tpm_buf_append_auth Jarkko Sakkinen
2025-12-03 22:12 ` [PATCH v3 4/4] tpm2-sessions: Open code tpm_buf_append_hmac_session() Jarkko Sakkinen