* [PATCH 0/3] Fixes for v4.4-rc1
@ 2015-11-05 10:20 Jarkko Sakkinen
From: Jarkko Sakkinen @ 2015-11-05 10:20 UTC (permalink / raw)
To: Peter Huewe, Marcel Selhorst
Cc: Mimi Zohar, Jarkko Sakkinen, Jason Gunthorpe, open list,
moderated list:TPM DEVICE DRIVER
Critical bug fixes for v4.4-rc1.
Christophe JAILLET (1):
TPM: Avoid reference to potentially freed memory
Jarkko Sakkinen (2):
TPM: revert the list handling logic fixed in 398a1e7
tpm: fix missing migratable flag in sealing functionality for TPM2
drivers/char/tpm/tpm-chip.c | 2 +-
drivers/char/tpm/tpm2-cmd.c | 15 ++++++++++-----
drivers/char/tpm/tpm_of.c | 3 ++-
3 files changed, 13 insertions(+), 7 deletions(-)
--
2.5.0
^ permalink raw reply [flat|nested] 5+ messages in thread* [PATCH 1/3] TPM: Avoid reference to potentially freed memory 2015-11-05 10:20 [PATCH 0/3] Fixes for v4.4-rc1 Jarkko Sakkinen @ 2015-11-05 10:20 ` Jarkko Sakkinen 2015-11-05 10:20 ` [PATCH 2/3] TPM: revert the list handling logic fixed in 398a1e7 Jarkko Sakkinen 2015-11-05 10:20 ` [PATCH 3/3] tpm: fix missing migratable flag in sealing functionality for TPM2 Jarkko Sakkinen 2 siblings, 0 replies; 5+ messages in thread From: Jarkko Sakkinen @ 2015-11-05 10:20 UTC (permalink / raw) To: Peter Huewe, Marcel Selhorst Cc: Mimi Zohar, Christophe JAILLET, Jarkko Sakkinen, Jason Gunthorpe, moderated list:TPM DEVICE DRIVER, open list From: Christophe JAILLET <christophe.jaillet@wanadoo.fr> Reference to the 'np' node is dropped before dereferencing the 'sizep' and 'basep' pointers, which could by then point to junk if the node has been freed. Refactor code to call 'of_node_put' later. Fixes: c5df39262dd5 ("drivers/char/tpm: Add securityfs support for event log") Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr> Reviewed-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com> Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com> --- drivers/char/tpm/tpm_of.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/drivers/char/tpm/tpm_of.c b/drivers/char/tpm/tpm_of.c index 1141456..570f30c 100644 --- a/drivers/char/tpm/tpm_of.c +++ b/drivers/char/tpm/tpm_of.c @@ -53,17 +53,18 @@ int read_log(struct tpm_bios_log *log) goto cleanup_eio; } - of_node_put(np); log->bios_event_log = kmalloc(*sizep, GFP_KERNEL); if (!log->bios_event_log) { pr_err("%s: ERROR - Not enough memory for BIOS measurements\n", __func__); + of_node_put(np); return -ENOMEM; } log->bios_event_log_end = log->bios_event_log + *sizep; memcpy(log->bios_event_log, __va(*basep), *sizep); + of_node_put(np); return 0; -- 2.5.0 ^ permalink raw reply related [flat|nested] 5+ messages in thread
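Review bot: the read_log hunk ends up with two separate of_node_put(np) calls, one on the -ENOMEM path and one before return 0, which is exactly the per-exit-path duplication that gets missed the next time a return is added; since the function already jumps to a cleanup_eio label for its earlier failures, route the -ENOMEM return through a label too and drop the node reference in one place. The reordering itself is right: kmalloc(*sizep) and memcpy(log->bios_event_log, __va(*basep), *sizep) both read through pointers that the commit message says are obtained from the node, so the reference has to be held across those reads, not released before them. Unrelated to this patch but visible in the same hunk, *sizep is used as both the allocation size and the copy length with no upper bound, so the event log size is trusted exactly as supplied.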
* [PATCH 2/3] TPM: revert the list handling logic fixed in 398a1e7 2015-11-05 10:20 [PATCH 0/3] Fixes for v4.4-rc1 Jarkko Sakkinen 2015-11-05 10:20 ` [PATCH 1/3] TPM: Avoid reference to potentially freed memory Jarkko Sakkinen @ 2015-11-05 10:20 ` Jarkko Sakkinen 2015-11-05 10:20 ` [PATCH 3/3] tpm: fix missing migratable flag in sealing functionality for TPM2 Jarkko Sakkinen 2 siblings, 0 replies; 5+ messages in thread From: Jarkko Sakkinen @ 2015-11-05 10:20 UTC (permalink / raw) To: Peter Huewe, Marcel Selhorst Cc: Mimi Zohar, Jarkko Sakkinen, Jason Gunthorpe, moderated list:TPM DEVICE DRIVER, open list Mimi reported that afb5abc reverts the fix in 398a1e7. This patch reverts it back. Fixes: afb5abc262e9 ("tpm: two-phase chip management functions") Reported-by: Mimi Zohar <zohar@linux.vnet.ibm.com> Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com> --- drivers/char/tpm/tpm-chip.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/char/tpm/tpm-chip.c b/drivers/char/tpm/tpm-chip.c index f26b0ae..a5cdce7 100644 --- a/drivers/char/tpm/tpm-chip.c +++ b/drivers/char/tpm/tpm-chip.c @@ -236,7 +236,7 @@ int tpm_chip_register(struct tpm_chip *chip) /* Make the chip available. */ spin_lock(&driver_lock); - list_add_rcu(&chip->list, &tpm_chip_list); + list_add_tail_rcu(&chip->list, &tpm_chip_list); spin_unlock(&driver_lock); chip->flags |= TPM_CHIP_FLAG_REGISTERED; -- 2.5.0 ^ permalink raw reply related [flat|nested] 5+ messages in thread
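Review bot: the tpm_chip_register hunk swaps list_add_rcu for list_add_tail_rcu, so chips now stay in tpm_chip_list in registration order, but neither the subject nor the body says what relies on that order, and "afb5abc reverts the fix in 398a1e7" identifies the earlier fix only by an abbreviated hash with no subject. Spell out the dependency in the commit message (which consumer walks the list and expects the first registered chip first) and cite 398a1e7 in the same full hash-plus-subject form the Fixes: tag uses, so the reason for tail insertion is not lost again the next time this function is reworked.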
* [PATCH 3/3] tpm: fix missing migratable flag in sealing functionality for TPM2 2015-11-05 10:20 [PATCH 0/3] Fixes for v4.4-rc1 Jarkko Sakkinen 2015-11-05 10:20 ` [PATCH 1/3] TPM: Avoid reference to potentially freed memory Jarkko Sakkinen 2015-11-05 10:20 ` [PATCH 2/3] TPM: revert the list handling logic fixed in 398a1e7 Jarkko Sakkinen @ 2015-11-05 10:20 ` Jarkko Sakkinen 2015-11-09 9:51 ` Jarkko Sakkinen 2 siblings, 1 reply; 5+ messages in thread From: Jarkko Sakkinen @ 2015-11-05 10:20 UTC (permalink / raw) To: Peter Huewe, Marcel Selhorst Cc: Mimi Zohar, Jarkko Sakkinen, Jason Gunthorpe, moderated list:TPM DEVICE DRIVER, open list The 'migratable' flag was not added to the key payload. This patch fixes the problem. Fixes: 0fe5480303a1 ("keys, trusted: seal/unseal with TPM 2.0 chips") Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com> --- drivers/char/tpm/tpm2-cmd.c | 15 ++++++++++----- 1 file changed, 10 insertions(+), 5 deletions(-) diff --git a/drivers/char/tpm/tpm2-cmd.c b/drivers/char/tpm/tpm2-cmd.c index bd7039f..c121304 100644 --- a/drivers/char/tpm/tpm2-cmd.c +++ b/drivers/char/tpm/tpm2-cmd.c @@ -443,12 +443,13 @@ int tpm2_seal_trusted(struct tpm_chip *chip, TPM_DIGEST_SIZE); /* sensitive */ - tpm_buf_append_u16(&buf, 4 + TPM_DIGEST_SIZE + payload->key_len); + tpm_buf_append_u16(&buf, 4 + TPM_DIGEST_SIZE + payload->key_len + 1); tpm_buf_append_u16(&buf, TPM_DIGEST_SIZE); tpm_buf_append(&buf, options->blobauth, TPM_DIGEST_SIZE); - tpm_buf_append_u16(&buf, payload->key_len); + tpm_buf_append_u16(&buf, payload->key_len + 1); tpm_buf_append(&buf, payload->key, payload->key_len); + tpm_buf_append_u8(&buf, payload->migratable); /* public */ tpm_buf_append_u16(&buf, 14); @@ -573,6 +574,8 @@ static int tpm2_unseal(struct tpm_chip *chip, u32 blob_handle) { struct tpm_buf buf; + u16 data_len; + u8 *data; int rc; rc = tpm_buf_init(&buf, TPM2_ST_SESSIONS, TPM2_CC_UNSEAL); 
@@ -591,11 +594,13 @@ static int tpm2_unseal(struct tpm_chip *chip, rc = -EPERM; if (!rc) { - payload->key_len = be16_to_cpup( + data_len = be16_to_cpup( (__be16 *) &buf.data[TPM_HEADER_SIZE + 4]); + data = &buf.data[TPM_HEADER_SIZE + 6]; - memcpy(payload->key, &buf.data[TPM_HEADER_SIZE + 6], - payload->key_len); + memcpy(payload->key, data, data_len - 1); + payload->key_len = data_len - 1; + payload->migratable = data[data_len - 1]; } tpm_buf_destroy(&buf); -- 2.5.0 ^ permalink raw reply related [flat|nested] 5+ messages in thread
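Review bot: in the tpm2_seal_trusted hunk the TPM2B sizes are recomputed by hand in two places (4 + TPM_DIGEST_SIZE + payload->key_len + 1 and payload->key_len + 1), with the +1 for the trailing migratable byte appearing as an unexplained literal; compute the inner data length once into a local, derive the outer size from it, and add a comment naming the layout (key bytes followed by one migratable byte), because the unseal side now depends on exactly that layout. This also changes the sealed blob format: a blob produced before this patch carries key_len data bytes with no trailer, and the new tpm2_unseal will hand back data_len - 1 key bytes and treat the last key byte as migratable, so such a blob silently loses a byte on unseal. That is acceptable only if the TPM 2.0 sealing path has not shipped in a release yet, which the cover letter's "Fixes for v4.4-rc1" suggests; the commit message should say so.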
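Review bot: in the tpm2_unseal hunk data_len comes straight from the TPM response and is used unchecked: memcpy(payload->key, data, data_len - 1) with data_len == 0 wraps to a huge length, and nothing bounds data_len - 1 against the size of payload->key or data + data_len against the end of the response. A misbehaving or malicious TPM (a firmware TPM included) controls this field, so validate it before the subtraction, for example reject data_len below the minimum key size plus one or above the key buffer size plus one with an error, and check that TPM_HEADER_SIZE + 6 + data_len fits in the response length before the memcpy. The pre-patch code had the same missing upper bound, but the new - 1 adds the zero-length underflow on top of it.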
* Re: [PATCH 3/3] tpm: fix missing migratable flag in sealing functionality for TPM2 2015-11-05 10:20 ` [PATCH 3/3] tpm: fix missing migratable flag in sealing functionality for TPM2 Jarkko Sakkinen @ 2015-11-09 9:51 ` Jarkko Sakkinen 0 siblings, 0 replies; 5+ messages in thread From: Jarkko Sakkinen @ 2015-11-09 9:51 UTC (permalink / raw) To: Peter Huewe, Marcel Selhorst Cc: Mimi Zohar, Jason Gunthorpe, moderated list:TPM DEVICE DRIVER, open list, linux-security-module Hi Other fixes are ready for the pull request but for this patch peer check might be useful. I'm anyway sending the pull request with the five pull patches over here even if I don't get 'Tested-by:': https://github.com/jsakkine/linux-tpmdd/commits/fixes I've tested this patch with fTPM and dTPM and it does not have any side-effects to TPM 1.2. /Jarkko On Thu, Nov 05, 2015 at 12:20:23PM +0200, Jarkko Sakkinen wrote: > The 'migratable' flag was not added to the key payload. This patch > fixes the problem. > > Fixes: 0fe5480303a1 ("keys, trusted: seal/unseal with TPM 2.0 chips") > Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com> > --- > drivers/char/tpm/tpm2-cmd.c | 15 ++++++++++----- > 1 file changed, 10 insertions(+), 5 deletions(-) > > diff --git a/drivers/char/tpm/tpm2-cmd.c b/drivers/char/tpm/tpm2-cmd.c > index bd7039f..c121304 100644 > --- a/drivers/char/tpm/tpm2-cmd.c > +++ b/drivers/char/tpm/tpm2-cmd.c 
> @@ -443,12 +443,13 @@ int tpm2_seal_trusted(struct tpm_chip *chip, > TPM_DIGEST_SIZE); > > /* sensitive */ > - tpm_buf_append_u16(&buf, 4 + TPM_DIGEST_SIZE + payload->key_len); > + tpm_buf_append_u16(&buf, 4 + TPM_DIGEST_SIZE + payload->key_len + 1); > > tpm_buf_append_u16(&buf, TPM_DIGEST_SIZE); > tpm_buf_append(&buf, options->blobauth, TPM_DIGEST_SIZE); > - tpm_buf_append_u16(&buf, payload->key_len); > + tpm_buf_append_u16(&buf, payload->key_len + 1); > tpm_buf_append(&buf, payload->key, payload->key_len); > + tpm_buf_append_u8(&buf, payload->migratable); > > /* public */ > tpm_buf_append_u16(&buf, 14); > @@ -573,6 +574,8 @@ static int tpm2_unseal(struct tpm_chip *chip, > u32 blob_handle) > { > struct tpm_buf buf; > + u16 data_len; > + u8 *data; > int rc; > > rc = tpm_buf_init(&buf, TPM2_ST_SESSIONS, TPM2_CC_UNSEAL); > @@ -591,11 +594,13 @@ static int tpm2_unseal(struct tpm_chip *chip, > rc = -EPERM; > > if (!rc) { > - payload->key_len = be16_to_cpup( > + data_len = be16_to_cpup( > (__be16 *) &buf.data[TPM_HEADER_SIZE + 4]); > + data = &buf.data[TPM_HEADER_SIZE + 6]; > > - memcpy(payload->key, &buf.data[TPM_HEADER_SIZE + 6], > - payload->key_len); > + memcpy(payload->key, data, data_len - 1); > + payload->key_len = data_len - 1; > + payload->migratable = data[data_len - 1]; > } > > tpm_buf_destroy(&buf); > -- > 2.5.0 > ^ permalink raw reply [flat|nested] 5+ messages in thread
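As an added example covering the seal and unseal hunks of patch 3 above (this is not kernel code and not part of the thread): a small C encoder and decoder for the TPM2B_SENSITIVE_DATA region as the patch lays it out, a two-byte big-endian length, the key bytes, then one migratable byte, with the decoder validating the length before subtracting one so that a zero or oversized length coming back from the TPM is rejected instead of underflowing into the memcpy. The struct name sealed_payload, the MIN_KEY_SIZE/MAX_KEY_SIZE limits and the sample key are assumptions made for the example.

```c
/*
 * Added example, not kernel code: encode and decode the key || migratable
 * layout from the patch above, with the length checks the unseal path lacks.
 */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define MAX_KEY_SIZE 128   /* assumed: largest key the caller's buffer holds */
#define MIN_KEY_SIZE 32    /* assumed: smallest key accepted on unseal */

struct sealed_payload {          /* assumed stand-in for the trusted-key payload */
    uint8_t key[MAX_KEY_SIZE];
    uint16_t key_len;
    uint8_t migratable;
};

/*
 * Encode as a TPM2B: u16 big-endian length, then key bytes, then one
 * migratable byte. Returns bytes written, or 0 if the input does not fit.
 */
size_t encode_sensitive_data(const struct sealed_payload *p, uint8_t *out, size_t out_len)
{
    size_t data_len = (size_t)p->key_len + 1;   /* +1 is the migratable trailer */

    if (p->key_len == 0 || p->key_len > MAX_KEY_SIZE || out_len < 2 + data_len)
        return 0;
    out[0] = (uint8_t)(data_len >> 8);
    out[1] = (uint8_t)(data_len & 0xff);
    memcpy(out + 2, p->key, p->key_len);
    out[2 + p->key_len] = p->migratable;
    return 2 + data_len;
}

/*
 * Decode a TPM2B region starting at its length field. Returns 0 on success,
 * -1 if the length is out of range or runs past the buffer. The range check
 * happens before "data_len - 1", so data_len == 0 can never wrap.
 */
int decode_sensitive_data(const uint8_t *buf, size_t buf_len, struct sealed_payload *p)
{
    uint16_t data_len;

    if (buf_len < 2)
        return -1;
    data_len = (uint16_t)((buf[0] << 8) | buf[1]);
    if (data_len < MIN_KEY_SIZE + 1 || data_len > MAX_KEY_SIZE + 1)
        return -1;
    if (buf_len < 2 + (size_t)data_len)
        return -1;
    memcpy(p->key, buf + 2, data_len - 1);
    p->key_len = (uint16_t)(data_len - 1);
    p->migratable = buf[2 + data_len - 1];
    return 0;
}

/* Round trip a constructed 32-byte key; returns 1 when decode matches input. */
int roundtrip_ok(uint8_t migratable)
{
    struct sealed_payload in, out;
    uint8_t wire[2 + MAX_KEY_SIZE + 1];
    size_t n;
    int i;

    memset(&in, 0, sizeof(in));
    memset(&out, 0, sizeof(out));
    for (i = 0; i < 32; i++)
        in.key[i] = (uint8_t)i;              /* constructed sample key */
    in.key_len = 32;
    in.migratable = migratable;
    n = encode_sensitive_data(&in, wire, sizeof(wire));
    if (n != 2 + 32 + 1)
        return 0;
    if (decode_sensitive_data(wire, n, &out) != 0)
        return 0;
    return out.key_len == 32 && out.migratable == migratable &&
           memcmp(out.key, in.key, 32) == 0;
}

/* A response claiming zero data bytes must be rejected, not decoded. */
int zero_length_rejected(void)
{
    struct sealed_payload out;
    const uint8_t wire[2] = { 0x00, 0x00 };  /* constructed malformed response */

    return decode_sensitive_data(wire, sizeof(wire), &out) == -1;
}

/* A plausible length whose data is missing from the buffer must be rejected. */
int truncated_rejected(void)
{
    struct sealed_payload out;
    const uint8_t wire[4] = { 0x00, 0x21, 0xaa, 0xbb };  /* says 33 bytes, carries 2 */

    return decode_sensitive_data(wire, sizeof(wire), &out) == -1;
}
```

The two checks in decode_sensitive_data are the ones the unseal hunk is missing: the lower bound makes the subtraction safe and the upper bound keeps the copy inside the caller's key buffer, and both are applied before any byte of the response is trusted.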