From patchwork Wed Mar 29 07:43:30 2017
X-Patchwork-Submitter: Petr Vandrovec
X-Patchwork-Id: 744652
Date: Wed, 29 Mar 2017 00:43:30 -0700
From: Petr Vandrovec
To: Peter Huewe
Cc: tpmdd-devel@lists.sourceforge.net
Message-ID: <20170329074330.b2rbsbt2zc7o22q7@petr-dev3.eng.vmware.com>
Subject: [tpmdd-devel] [PATCH 4/4] Improve handling of TPM2 event logs
List-Id: Tpm Device Driver maintainance

From: Petr Vandrovec

When TPM2 log has entries with more than 3 digests, or with digests not listed in the log header, log gets misparsed, eventually leading to kernel complaint that code tried to vmalloc 512MB of memory (I have no idea what would happen on bigger system).

So code should not parse only first 3 digests: both event header and event itself are already in memory, so we can parse any number of digests, as long as we do not try to parse whole memory when given count of 0xFFFFFFFF.

So this change:

* Rejects event entry with more digests than log header describes. Digest types should be unique, and all should be described in log header, so there cannot be more digests in the event than in the header.

* Reject event entry with digest that is not described in the log header. In theory code could hardcode information about digest IDs already assigned by TCG, but if firmware authors cannot get event log format right, why should anyone believe that they got event log content right.

Signed-off-by: Petr Vandrovec

--- drivers/char/tpm/tpm2_eventlog.c | 15 ++++++++++----- 1 file changed, 10 insertions(+), 5 deletions(-) diff --git a/drivers/char/tpm/tpm2_eventlog.c b/drivers/char/tpm/tpm2_eventlog.c index 513897cf9c4b..6fe59b75152b 100644 --- a/drivers/char/tpm/tpm2_eventlog.c +++ b/drivers/char/tpm/tpm2_eventlog.c 
@@ -56,18 +56,23 @@ static int calc_tpm2_event_size(struct tcg_pcr_event2 *event, efispecid = (struct tcg_efi_specid_event *)event_header->event; - for (i = 0; (i < event->count) && (i < TPM2_ACTIVE_PCR_BANKS); - i++) { + /* Check if event is malformed. */ + if (event->count > efispecid->num_algs) + return 0; + + for (i = 0; i < event->count; i++) { halg_size = sizeof(event->digests[i].alg_id); memcpy(&halg, marker, halg_size); marker = marker + halg_size; - for (j = 0; (j < efispecid->num_algs); j++) { + for (j = 0; j < efispecid->num_algs; j++) { if (halg == efispecid->digest_sizes[j].alg_id) { - marker = marker + - efispecid->digest_sizes[j].digest_size; + marker += efispecid->digest_sizes[j].digest_size; break; } } + /* Algorithm without known length. Such event is unparseable. */ + if (j == efispecid->num_algs) + return 0; } event_field = (struct tcg_event_field *)marker;
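
Review bot: In the digest loop, `marker` is advanced by `halg_size` and then by `efispecid->digest_sizes[j].digest_size` with no check against the end of the log, and the new bound `event->count > efispecid->num_algs` compares one firmware-supplied value against another. A header carrying a large `num_algs` or inflated `digest_size` entries could therefore still walk `marker` past the data that was mapped before `memcpy(&halg, marker, halg_size)` reads from it. Consider passing the log's end pointer (or remaining length) into `calc_tpm2_event_size()` and returning 0 before any read or advance that would cross it. The two new `return 0` paths also make 0 the result for a malformed event; a comment on the function saying so, and that callers must stop parsing on 0, would help, since the callers are not visible in this hunk. Finally, the commit message says digest types should be unique, but the loop accepts a repeated `alg_id` within one event; if uniqueness is meant to be enforced, that check is missing here.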