From: Jarkko Sakkinen <jarkko@kernel.org>
To: Jonathan McDowell <noodles@earth.li>
Cc: linux-integrity@vger.kernel.org, Peter Huewe <peterhuewe@gmx.de>,
Jason Gunthorpe <jgg@ziepe.ca>,
open list <linux-kernel@vger.kernel.org>,
stable@vger.kernel.org,
James Bottomley <James.Bottomley@hansenpartnership.com>,
Ard Biesheuvel <ardb@kernel.org>
Subject: Re: [PATCH v3 2/4] tpm2-sessions: Fix tpm2_read_public range checks
Date: Thu, 4 Dec 2025 20:49:46 +0200
Message-ID: <aTHXyjlI06n_7K2e@kernel.org>
In-Reply-To: <aTGmuhRCbHANjjzV@earth.li>
On Thu, Dec 04, 2025 at 03:20:26PM +0000, Jonathan McDowell wrote:
> On Thu, Dec 04, 2025 at 12:12:12AM +0200, Jarkko Sakkinen wrote:
> > 'tpm2_read_public' has some rudimentary range checks but the function
> > does not ensure that the response buffer has enough bytes for the full
> > TPMT_HA payload.
> >
> > Re-implement the function with necessary checks and validation.
> >
> > Cc: stable@vger.kernel.org # v6.10+
> > Fixes: d0a25bb961e6 ("tpm: Add HMAC session name/handle append")
> > Signed-off-by: Jarkko Sakkinen <jarkko@kernel.org>
>
> A minor nit about variable naming, but:
>
> Reviewed-by: Jonathan McDowell <noodles@meta.com>
>
> > v2:
> > - Made the fix localized instead of spread all over the place.
> > ---
> > drivers/char/tpm/tpm2-cmd.c | 3 ++
> > drivers/char/tpm/tpm2-sessions.c | 77 +++++++++++++++++---------------
> > 2 files changed, 44 insertions(+), 36 deletions(-)
> >
> > diff --git a/drivers/char/tpm/tpm2-cmd.c b/drivers/char/tpm/tpm2-cmd.c
> > index be4a9c7f2e1a..34e3599f094f 100644
> > --- a/drivers/char/tpm/tpm2-cmd.c
> > +++ b/drivers/char/tpm/tpm2-cmd.c
> > @@ -11,8 +11,11 @@
> > * used by the kernel internally.
> > */
> >
> > +#include "linux/dev_printk.h"
> > +#include "linux/tpm.h"
> > #include "tpm.h"
> > #include <crypto/hash_info.h>
> > +#include <linux/unaligned.h>
> >
> > static bool disable_pcr_integrity;
> > module_param(disable_pcr_integrity, bool, 0444);
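Review bot: the three includes added to tpm2-cmd.c are the only change to that file in this patch (diffstat: 3 insertions), and nothing in the visible hunk uses dev_printk, the tpm.h symbols or the unaligned helpers, so they look like an unrelated leftover that should either be dropped or moved to the patch that actually needs them. If they stay, `#include "linux/dev_printk.h"` and `#include "linux/tpm.h"` should use angle brackets (`<linux/dev_printk.h>`, `<linux/tpm.h>`) like the neighbouring `<linux/unaligned.h>`, since they are kernel headers rather than files in drivers/char/tpm/.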
> > diff --git a/drivers/char/tpm/tpm2-sessions.c b/drivers/char/tpm/tpm2-sessions.c
> > index a265e9752a5e..e9f439be3916 100644
> > --- a/drivers/char/tpm/tpm2-sessions.c
> > +++ b/drivers/char/tpm/tpm2-sessions.c
> > @@ -163,54 +163,59 @@ static int name_size(const u8 *name)
> > }
> > }
> >
> > -static int tpm2_parse_read_public(char *name, struct tpm_buf *buf)
> > +static int tpm2_read_public(struct tpm_chip *chip, u32 handle, void *name)
> > {
> > - struct tpm_header *head = (struct tpm_header *)buf->data;
> > + u32 mso = tpm2_handle_mso(handle);
> > off_t offset = TPM_HEADER_SIZE;
> > - u32 tot_len = be32_to_cpu(head->length);
> > - int ret;
> > - u32 val;
> > -
> > - /* we're starting after the header so adjust the length */
> > - tot_len -= TPM_HEADER_SIZE;
> > -
> > - /* skip public */
> > - val = tpm_buf_read_u16(buf, &offset);
> > - if (val > tot_len)
> > - return -EINVAL;
> > - offset += val;
> > - /* name */
> > -
> > - val = tpm_buf_read_u16(buf, &offset);
> > - ret = name_size(&buf->data[offset]);
> > - if (ret < 0)
> > - return ret;
> > + struct tpm_buf buf;
> > + int rc, rc2;
> >
> > - if (val != ret)
> > + if (mso != TPM2_MSO_PERSISTENT && mso != TPM2_MSO_VOLATILE &&
> > + mso != TPM2_MSO_NVRAM)
> > return -EINVAL;
> >
> > - memcpy(name, &buf->data[offset], val);
> > - /* forget the rest */
> > - return 0;
> > -}
> > -
> > -static int tpm2_read_public(struct tpm_chip *chip, u32 handle, char *name)
> > -{
> > - struct tpm_buf buf;
> > - int rc;
> > -
> > rc = tpm_buf_init(&buf, TPM2_ST_NO_SESSIONS, TPM2_CC_READ_PUBLIC);
> > if (rc)
> > return rc;
> >
> > tpm_buf_append_u32(&buf, handle);
> > - rc = tpm_transmit_cmd(chip, &buf, 0, "read public");
> > - if (rc == TPM2_RC_SUCCESS)
> > - rc = tpm2_parse_read_public(name, &buf);
> >
> > - tpm_buf_destroy(&buf);
> > + rc = tpm_transmit_cmd(chip, &buf, 0, "TPM2_ReadPublic");
> > + if (rc) {
> > + tpm_buf_destroy(&buf);
> > + return tpm_ret_to_err(rc);
> > + }
> >
> > - return rc;
> > + /* Skip TPMT_PUBLIC: */
> > + offset += tpm_buf_read_u16(&buf, &offset);
> > +
> > + /*
> > + * Ensure space for the length field of TPM2B_NAME and hashAlg field of
> > + * TPMT_HA (the extra four bytes).
> > + */
> > + if (offset + 4 > tpm_buf_length(&buf)) {
> > + tpm_buf_destroy(&buf);
> > + return -EIO;
> > + }
> > +
> > + rc = tpm_buf_read_u16(&buf, &offset);
> > + rc2 = name_size(&buf.data[offset]);
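Review bot: the bounds check at `if (offset + 4 > tpm_buf_length(&buf))` only guarantees the TPM2B_NAME size field and the TPMT_HA hashAlg field; the digest bytes that follow (the remainder of the name_size() result) are not covered by anything visible in this hunk, so the code after `rc2 = name_size(&buf.data[offset]);` must still reject the response when `offset + rc2 > tpm_buf_length(&buf)`, and when the TPM2B_NAME size read into `rc` does not equal `rc2` (the check the removed `if (val != ret)` used to provide), before anything is copied into `name`; otherwise the over-read this patch fixes is only moved a few bytes later. Two smaller points: passing `0` as the min_rsp_body_length argument of `tpm_transmit_cmd()` gives up the core's response-size check, and a minimum covering the two u16 size fields would let obviously truncated replies be rejected before parsing; and reusing the int return-code variable `rc` to hold the u16 name size (alongside the `rc2` naming already raised) hides that it is a length, so a dedicated `name_len` would read better.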
>
> rc2 is not great naming. We only use it for this, so perhaps name_len?
I'll rename it as 'name_size_alg' for the sake of clarity. It is TPM
name size mapped from algorithm ID. That should make the means and
purpose dead obvious.
BR, Jarkko
Thread overview:
2025-12-03 22:12 [PATCH v3 0/4] tpm2-sessions: Fixes for v6.19-rc2 Jarkko Sakkinen
2025-12-03 22:12 ` [PATCH v3 1/4] tpm2-sessions: fix out of range indexing in name_size Jarkko Sakkinen
2025-12-04 15:11 ` Jonathan McDowell
2025-12-04 18:47 ` Jarkko Sakkinen
2025-12-03 22:12 ` [PATCH v3 2/4] tpm2-sessions: Fix tpm2_read_public range checks Jarkko Sakkinen
2025-12-04 15:20 ` Jonathan McDowell
2025-12-04 18:49 ` Jarkko Sakkinen [this message]
2025-12-03 22:12 ` [PATCH v3 3/4] tpm2-sessions: Remove 'attributes' parameter from tpm_buf_append_auth Jarkko Sakkinen
2025-12-03 22:12 ` [PATCH v3 4/4] tpm2-sessions: Open code tpm_buf_append_hmac_session() Jarkko Sakkinen