From: "Jarkko Sakkinen" <jarkko@kernel.org>
To: "Jarkko Sakkinen" <jarkko@kernel.org>,
"Herbert Xu" <herbert@gondor.apana.org.au>
Cc: "Linux Crypto Mailing List" <linux-crypto@vger.kernel.org>,
"Guangwu Zhang" <guazhang@redhat.com>,
"Peter Huewe" <peterhuewe@gmx.de>,
"Jason Gunthorpe" <jgg@ziepe.ca>,
<linux-integrity@vger.kernel.org>,
"James Bottomley" <James.Bottomley@hansenpartnership.com>
Subject: Re: [PATCH] hwrng: core - Add WARN_ON for buggy read return values
Date: Tue, 24 Sep 2024 20:43:00 +0300 [thread overview]
Message-ID: <D4EP817NLQY9.35RSWO8IFXRL0@kernel.org> (raw)
In-Reply-To: <D4EN54C1IK1R.11JD66L931PD8@kernel.org>
On Tue Sep 24, 2024 at 7:05 PM EEST, Jarkko Sakkinen wrote:
> On Tue Sep 24, 2024 at 1:32 AM EEST, Herbert Xu wrote:
> > On Mon, Sep 23, 2024 at 04:48:27PM +0200, Greg KH wrote:
> > >
> > > Please see:
> > > https://www.kernel.org/doc/html/latest/process/deprecated.html#bug-and-bug-on
> > > which describes that. We should make it more explicit that any WARN()
> > > or WARN_ON() calls that can be hit by user interactions somehow, will
> > > end up getting a CVE id when we fix it up to not do so.
> >
> > If the aformentioned WARN_ON hits, then the driver has probabaly
> > already done a buffer overrun so it's a CVE anyway.
>
> We'll see I finally got into testing this. Sorry for latencies, I'm
> switching jobs and unfortunately German Post Office lost my priority
> mail containing contracts (sent them from Finland to Berlin) so have
> been signing, scanning etc. the whole day :-) My last week in the
> current job, and next week is the first in the new job, so this
> week is a bit bumpy.
I get nothing with this:
diff --git a/drivers/char/tpm/tpm2-cmd.c b/drivers/char/tpm/tpm2-cmd.c
index aba024cbe7c5..856a8356d971 100644
--- a/drivers/char/tpm/tpm2-cmd.c
+++ b/drivers/char/tpm/tpm2-cmd.c
@@ -341,12 +341,15 @@ int tpm2_get_random(struct tpm_chip *chip, u8 *dest, size_t max)
dest_ptr += recd;
total += recd;
+
+ WARN_ON(num_bytes < recd);
num_bytes -= recd;
} while (retries-- && total < max);
tpm_buf_destroy(&buf);
tpm2_end_auth_session(chip);
+ WARN_ON(total > max);
return total ? total : -EIO;
out:
tpm_buf_destroy(&buf);
[WARN_ON()'s here are only for the temporary diff]
Call stack:
1. tpm2_get_random():
https://elixir.bootlin.com/linux/v6.11-rc7/source/drivers/char/tpm/tpm2-cmd.c#L281
2. tpm_get_random():
https://elixir.bootlin.com/linux/v6.11-rc7/source/drivers/char/tpm/tpm-interface.c#L430
3. tpm_hwrng_read():
https://elixir.bootlin.com/linux/v6.11-rc7/source/drivers/char/tpm/tpm-chip.c#L524
Everything seems to have also appropriate range checks.
Without any traces that would provide more information I don't see
the smoking gun.
BR, Jarkko
next prev parent reply other threads:[~2024-09-24 17:43 UTC|newest]
Thread overview: 26+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-09-23 6:05 [PATCH] hwrng: core - Add WARN_ON for buggy read return values Herbert Xu
2024-09-23 7:52 ` Jarkko Sakkinen
2024-09-23 8:07 ` Jarkko Sakkinen
2024-09-23 8:09 ` Jarkko Sakkinen
2024-09-23 9:26 ` Herbert Xu
2024-09-23 14:31 ` Jarkko Sakkinen
2024-09-23 14:36 ` Jarkko Sakkinen
2024-09-23 14:48 ` Greg KH
2024-09-23 20:46 ` Jarkko Sakkinen
2024-09-23 22:32 ` Herbert Xu
2024-09-24 16:05 ` Jarkko Sakkinen
2024-09-24 17:43 ` Jarkko Sakkinen [this message]
2024-09-27 0:42 ` Herbert Xu
2024-10-07 23:28 ` Jarkko Sakkinen
2025-04-07 5:19 ` Herbert Xu
2025-04-07 6:26 ` [PATCH] tpm: Mask TPM RC in tpm2_start_auth_session() Jarkko Sakkinen
2025-04-07 7:17 ` [PATCH v2] " Jarkko Sakkinen
2025-04-07 7:20 ` [PATCH v3] " Jarkko Sakkinen
2025-04-07 8:04 ` Stefano Garzarella
2025-04-07 11:30 ` Jarkko Sakkinen
2025-04-07 13:20 ` Stefano Garzarella
2025-04-07 12:28 ` [PATCH v4] " Jarkko Sakkinen
2025-04-07 12:32 ` Jarkko Sakkinen
2025-04-07 13:51 ` Stefano Garzarella
2025-04-07 18:13 ` Jarkko Sakkinen
2025-04-08 16:03 ` Jarkko Sakkinen
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=D4EP817NLQY9.35RSWO8IFXRL0@kernel.org \
--to=jarkko@kernel.org \
--cc=James.Bottomley@hansenpartnership.com \
--cc=guazhang@redhat.com \
--cc=herbert@gondor.apana.org.au \
--cc=jgg@ziepe.ca \
--cc=linux-crypto@vger.kernel.org \
--cc=linux-integrity@vger.kernel.org \
--cc=peterhuewe@gmx.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).