linux-integrity.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: "Jarkko Sakkinen" <jarkko@kernel.org>
To: "Jarkko Sakkinen" <jarkko@kernel.org>,
	"Herbert Xu" <herbert@gondor.apana.org.au>,
	"Linux Crypto Mailing List" <linux-crypto@vger.kernel.org>,
	"Guangwu Zhang" <guazhang@redhat.com>
Cc: "Peter Huewe" <peterhuewe@gmx.de>,
	"Jason Gunthorpe" <jgg@ziepe.ca>,
	<linux-integrity@vger.kernel.org>
Subject: Re: [PATCH] hwrng: core - Add WARN_ON for buggy read return values
Date: Mon, 23 Sep 2024 11:07:13 +0300	[thread overview]
Message-ID: <D4DICMSZJXCG.8X4SU03FPJ4X@kernel.org> (raw)
In-Reply-To: <D4DI1M1ELFXK.2COGZN6O5HABD@kernel.org>

On Mon Sep 23, 2024 at 10:52 AM EEST, Jarkko Sakkinen wrote:
> On Mon Sep 23, 2024 at 9:05 AM EEST, Herbert Xu wrote:
> > Dear TPM maintainers:
>
> There's really only just me (for past 10 years). Maybe that should be
> updatred.
>
> >
> > Please have a look at the tpm hwrng driver because it appears to
> > be returning a length longer than the buffer length that we gave
> > it.  In particular, tpm2 appears to be the culprit (though I didn't
> > really check tpm1 at all so it could also be buggy).
> >
> > The following patch hopefully should confirm that this is indeed
> > caused by TPM and not some other HWRNG driver.
>
>
>
>
> >
> > ---8<---
> > If a buggy driver returns a length that is longer than the size
> > of the buffer provided to it, then this may lead to a buffer overread
> > in the caller.
> >
> > Stop this by adding a check for it in the hwrng core.
> >
> > Reported-by: Guangwu Zhang <guazhang@redhat.com>
> > Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
> >
> > diff --git a/drivers/char/hw_random/core.c b/drivers/char/hw_random/core.c
> > index 57c51efa5613..018316f54621 100644
> > --- a/drivers/char/hw_random/core.c
> > +++ b/drivers/char/hw_random/core.c
> > @@ -181,8 +181,15 @@ static inline int rng_get_data(struct hwrng *rng, u8 *buffer, size_t size,
> >  	int present;
> >  
> >  	BUG_ON(!mutex_is_locked(&reading_mutex));
> > -	if (rng->read)
> > -		return rng->read(rng, (void *)buffer, size, wait);
> > +	if (rng->read) {
> > +		int err;
> > +
> > +		err = rng->read(rng, buffer, size, wait);
> > +		if (WARN_ON_ONCE(err > 0 && err > size))
>
> Are you sure you want to use WARN_ON_ONCE here instead of
> pr_warn_once()? I.e. is it worth of taking down the whole
> kernel?

I looked at tpm2_get_random() and it is pretty inefficient (not same
as saying it has a bug). I'd love to reimplement it.

We would be better of it would pull random let's say with 256 byte
or 512 byte chunks and cache that internal to tpm_chip. Then the
requests would be served from that pre-fetched pool and not do
round-trip to TPM every single time.

This would improve overall kernel performance given the reduced
number of wait states. I wonder if anyone knows what would be a
good fetch size that will work on most TPM2 chips?

BR, Jarkko

  reply	other threads:[~2024-09-23  8:07 UTC|newest]

Thread overview: 26+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2024-09-23  6:05 [PATCH] hwrng: core - Add WARN_ON for buggy read return values Herbert Xu
2024-09-23  7:52 ` Jarkko Sakkinen
2024-09-23  8:07   ` Jarkko Sakkinen [this message]
2024-09-23  8:09     ` Jarkko Sakkinen
2024-09-23  9:26   ` Herbert Xu
2024-09-23 14:31     ` Jarkko Sakkinen
2024-09-23 14:36       ` Jarkko Sakkinen
2024-09-23 14:48       ` Greg KH
2024-09-23 20:46         ` Jarkko Sakkinen
2024-09-23 22:32         ` Herbert Xu
2024-09-24 16:05           ` Jarkko Sakkinen
2024-09-24 17:43             ` Jarkko Sakkinen
2024-09-27  0:42               ` Herbert Xu
2024-10-07 23:28                 ` Jarkko Sakkinen
2025-04-07  5:19                   ` Herbert Xu
2025-04-07  6:26                     ` [PATCH] tpm: Mask TPM RC in tpm2_start_auth_session() Jarkko Sakkinen
2025-04-07  7:17                       ` [PATCH v2] " Jarkko Sakkinen
2025-04-07  7:20                         ` [PATCH v3] " Jarkko Sakkinen
2025-04-07  8:04                           ` Stefano Garzarella
2025-04-07 11:30                             ` Jarkko Sakkinen
2025-04-07 13:20                               ` Stefano Garzarella
2025-04-07 12:28                           ` [PATCH v4] " Jarkko Sakkinen
2025-04-07 12:32                             ` Jarkko Sakkinen
2025-04-07 13:51                             ` Stefano Garzarella
2025-04-07 18:13                               ` Jarkko Sakkinen
2025-04-08 16:03                                 ` Jarkko Sakkinen

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=D4DICMSZJXCG.8X4SU03FPJ4X@kernel.org \
    --to=jarkko@kernel.org \
    --cc=guazhang@redhat.com \
    --cc=herbert@gondor.apana.org.au \
    --cc=jgg@ziepe.ca \
    --cc=linux-crypto@vger.kernel.org \
    --cc=linux-integrity@vger.kernel.org \
    --cc=peterhuewe@gmx.de \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).