From patchwork Sat Sep 28 15:46:56 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Seth Forshee X-Patchwork-Id: 1168857 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Authentication-Results: ozlabs.org; spf=none (mailfrom) smtp.mailfrom=lists.ubuntu.com (client-ip=91.189.94.19; helo=huckleberry.canonical.com; envelope-from=kernel-team-bounces@lists.ubuntu.com; receiver=) Authentication-Results: ozlabs.org; dmarc=fail (p=none dis=none) header.from=canonical.com Received: from huckleberry.canonical.com (huckleberry.canonical.com [91.189.94.19]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ozlabs.org (Postfix) with ESMTPS id 46gY276Rmhz9sPK; Sun, 29 Sep 2019 01:47:11 +1000 (AEST) Received: from localhost ([127.0.0.1] helo=huckleberry.canonical.com) by huckleberry.canonical.com with esmtp (Exim 4.86_2) (envelope-from ) id 1iEEw4-0000Nw-Sq; Sat, 28 Sep 2019 15:47:04 +0000 Received: from youngberry.canonical.com ([91.189.89.112]) by huckleberry.canonical.com with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.86_2) (envelope-from ) id 1iEEw2-0000MM-SP for kernel-team@lists.ubuntu.com; Sat, 28 Sep 2019 15:47:02 +0000 Received: from mail-io1-f70.google.com ([209.85.166.70]) by youngberry.canonical.com with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.86_2) (envelope-from ) id 1iEEw2-0005mi-Jp for kernel-team@lists.ubuntu.com; Sat, 28 Sep 2019 15:47:02 +0000 Received: by mail-io1-f70.google.com with SMTP id w1so19469739ioj.9 for ; Sat, 28 Sep 2019 08:47:02 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=N9Wz1ZXm1pv1/FVlF0GYnojVUEk+5KnM2XXOcUMWJqQ=; b=kZVAr6HIudMHEc2s0opJYaqh7HzvTMN2ZaCjZfX6KCwAEVLGhNwW5E8Lll7c6pEnKl 1LRRa0nKfD61cPRK40jHW2lsm4Gcoej2frPDgEXGeAjsmFoMa/BFb02m1HOSRdEEi4VF b3p6WhjAb5xZv124QOZsC3GeFiJZ1J+D+XufZxqCvZKuqPmvVxLAVsNXgNsZRq/v1Goo EVxjPyIf5g9imqlpQ++iUpNbgNhxCDW21Q5AyMTccHDUHRz+VN21OAzcyepNxiE/coUd lHDGK+S2jbvM1KKA2pS8+IjRgSa4R5ZU7HOwWg877tWIo1D0yfi9mj6N7mCTBVtpFV/h BjCw== X-Gm-Message-State: APjAAAUAyWLbB3/EBjQnbkdxzEw6FDp/D3Y6/vGFBBJrSoNPhQeusTjN s7MA2T3xW3mLg0PA5+wPrTQV554OCAnEQfinCFtuYhMxLQ5GIMAePKhCaP7r8QD4EPH9RwZaMhg R7O7AR85HC+niY5vNDzUVlxcJ70ZYoyG443XpE4+4Jw== X-Received: by 2002:a92:3b09:: with SMTP id i9mr11615399ila.301.1569685621481; Sat, 28 Sep 2019 08:47:01 -0700 (PDT) X-Google-Smtp-Source: APXvYqy3Hcl/VpaumiA1cd4P/HtGW0NMZmYyCSKDs/UmFv1cs2LBwl0PPsY107rnbQ9u2IGnXdUTbw== X-Received: by 2002:a92:3b09:: with SMTP id i9mr11615356ila.301.1569685620997; Sat, 28 Sep 2019 08:47:00 -0700 (PDT) Received: from localhost ([2605:a601:ac3:9720:4dd1:efb0:71b2:398e]) by smtp.gmail.com with ESMTPSA id v70sm2952321ilk.58.2019.09.28.08.47.00 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Sat, 28 Sep 2019 08:47:00 -0700 (PDT) From: Seth Forshee To: kernel-team@lists.ubuntu.com Subject: [PATCH 1/3][SRU][E] efi/tpm: Don't access event->count when it isn't mapped. Date: Sat, 28 Sep 2019 10:46:56 -0500 Message-Id: <20190928154658.12957-2-seth.forshee@canonical.com> X-Mailer: git-send-email 2.20.1 In-Reply-To: <20190928154658.12957-1-seth.forshee@canonical.com> References: <20190928154658.12957-1-seth.forshee@canonical.com> MIME-Version: 1.0 X-BeenThere: kernel-team@lists.ubuntu.com X-Mailman-Version: 2.1.20 Precedence: list List-Id: Kernel team discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: kernel-team-bounces@lists.ubuntu.com Sender: "kernel-team" From: Peter Jones BugLink: https://bugs.launchpad.net/bugs/1845454 Some machines generate a lot of event log entries. When we're iterating over them, the code removes the old mapping and adds a new one, so once we cross the page boundary we're unmapping the page with the count on it. Hilarity ensues. This patch keeps the info from the header in local variables so we don't need to access that page again or keep track of if it's mapped. Fixes: 44038bc514a2 ("tpm: Abstract crypto agile event size calculations") Cc: linux-efi@vger.kernel.org Cc: linux-integrity@vger.kernel.org Cc: stable@vger.kernel.org Signed-off-by: Peter Jones Tested-by: Lyude Paul Reviewed-by: Jarkko Sakkinen Acked-by: Matthew Garrett Acked-by: Ard Biesheuvel Signed-off-by: Jarkko Sakkinen Signed-off-by: Ard Biesheuvel (cherry picked from commit 512fb49c9e547f85c588d063cff8bbeb8fd6a643 git://git.kernel.org/pub/scm/linux/kernel/git/efi/efi.git) Signed-off-by: Seth Forshee --- include/linux/tpm_eventlog.h | 14 +++++++++++--- 1 file changed, 11 insertions(+), 3 deletions(-) diff --git a/include/linux/tpm_eventlog.h b/include/linux/tpm_eventlog.h index 63238c84dc0b..12584b69a3f3 100644 --- a/include/linux/tpm_eventlog.h +++ b/include/linux/tpm_eventlog.h @@ -170,6 +170,7 @@ static inline int __calc_tpm2_event_size(struct tcg_pcr_event2_head *event, u16 halg; int i; int j; + u32 count, event_type; marker = event; marker_start = marker; @@ -190,16 +191,22 @@ static inline int __calc_tpm2_event_size(struct tcg_pcr_event2_head *event, } event = (struct tcg_pcr_event2_head *)mapping; + /* + * the loop below will unmap these fields if the log is larger than + * one page, so save them here for reference. + */ + count = READ_ONCE(event->count); + event_type = READ_ONCE(event->event_type); efispecid = (struct tcg_efi_specid_event_head *)event_header->event; /* Check if event is malformed. */ - if (event->count > efispecid->num_algs) { + if (count > efispecid->num_algs) { size = 0; goto out; } - for (i = 0; i < event->count; i++) { + for (i = 0; i < count; i++) { halg_size = sizeof(event->digests[i].alg_id); /* Map the digest's algorithm identifier */ @@ -256,8 +263,9 @@ static inline int __calc_tpm2_event_size(struct tcg_pcr_event2_head *event, + event_field->event_size; size = marker - marker_start; - if ((event->event_type == 0) && (event_field->event_size == 0)) + if (event_type == 0 && event_field->event_size == 0) size = 0; + out: if (do_mapping) TPM_MEMUNMAP(mapping, mapping_size); From patchwork Sat Sep 28 15:46:57 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Seth Forshee X-Patchwork-Id: 1168855 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Authentication-Results: ozlabs.org; spf=none (mailfrom) smtp.mailfrom=lists.ubuntu.com (client-ip=91.189.94.19; helo=huckleberry.canonical.com; envelope-from=kernel-team-bounces@lists.ubuntu.com; receiver=) Authentication-Results: ozlabs.org; dmarc=fail (p=none dis=none) header.from=canonical.com Received: from huckleberry.canonical.com (huckleberry.canonical.com [91.189.94.19]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ozlabs.org (Postfix) with ESMTPS id 46gY274tBXz9sPD; Sun, 29 Sep 2019 01:47:11 +1000 (AEST) Received: from localhost ([127.0.0.1] helo=huckleberry.canonical.com) by huckleberry.canonical.com with esmtp (Exim 4.86_2) (envelope-from ) id 1iEEw6-0000P6-3f; Sat, 28 Sep 2019 15:47:06 +0000 Received: from youngberry.canonical.com ([91.189.89.112]) by huckleberry.canonical.com with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.86_2) (envelope-from ) id 1iEEw4-0000NH-Ah for kernel-team@lists.ubuntu.com; Sat, 28 Sep 2019 15:47:04 +0000 Received: from mail-io1-f71.google.com ([209.85.166.71]) by youngberry.canonical.com with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.86_2) (envelope-from ) id 1iEEw4-0005nU-2L for kernel-team@lists.ubuntu.com; Sat, 28 Sep 2019 15:47:04 +0000 Received: by mail-io1-f71.google.com with SMTP id i2so19341874ioo.10 for ; Sat, 28 Sep 2019 08:47:04 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=IPb2FBtU87C8g3i6Y/fepiwdAvDz6PzdNxSQBeNMx6s=; b=adrqcG49wyEfbCUKIKVkK1qa6Bsq86JTQSj5KTJ8HVFXBFkIJnBso2iNoJLjluI1bC RxSW6QUSPsygDcx9GHecpUWq7VmDdJ8mV4KaiLubWQj6dKyVqhj84NH4V4Xc5ABL130G BrnuSKdyRnv4KxWmV5FqkGABl2tI5LuD3R5M3mBkRcjPoWPtTAfzL/b99egpWuYKrVAx CI4z6ZQYHtXbo4wtVRVnurKN3o3DKUQtcZQY2wWwqJoXMU8Hz9QGG+eLScLGcjsEA9Dj eebiQXYYAj207+xdn3Ir5qJ72aeeMW3QM0IpGutoOAmHqAT7+1365UyU+wTgnoyLargC 4NgQ== X-Gm-Message-State: APjAAAUa2nVTsTrF70TWcu5e13SifpQt7SpxuRsRd7SY4d7dWVuGCJHr bp+5y+tV3X4IygIb8lOFnGX+Hv7wyvO8mfbA9TtfR4mLKpFpy8PpIeA3eh2RueeEMV1UOIPKJq0 7bslBpRH7Yqe0bbjPzSNL6q9HGHNE7oI1MmRsA7No4w== X-Received: by 2002:a92:ca8e:: with SMTP id t14mr11447059ilo.73.1569685622798; Sat, 28 Sep 2019 08:47:02 -0700 (PDT) X-Google-Smtp-Source: APXvYqwlrIYenpzqx+/vS9rtckMnIjQuFUUaWVBJn9QpX0Oksl0Td5a++2Kp7veyz/3O5HTkXy4ENw== X-Received: by 2002:a92:ca8e:: with SMTP id t14mr11447027ilo.73.1569685622425; Sat, 28 Sep 2019 08:47:02 -0700 (PDT) Received: from localhost ([2605:a601:ac3:9720:4dd1:efb0:71b2:398e]) by smtp.gmail.com with ESMTPSA id 197sm4196710ioc.78.2019.09.28.08.47.01 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Sat, 28 Sep 2019 08:47:01 -0700 (PDT) From: Seth Forshee To: kernel-team@lists.ubuntu.com Subject: [PATCH 2/3][SRU][E] efi/tpm: don't traverse an event log with no events Date: Sat, 28 Sep 2019 10:46:57 -0500 Message-Id: <20190928154658.12957-3-seth.forshee@canonical.com> X-Mailer: git-send-email 2.20.1 In-Reply-To: <20190928154658.12957-1-seth.forshee@canonical.com> References: <20190928154658.12957-1-seth.forshee@canonical.com> MIME-Version: 1.0 X-BeenThere: kernel-team@lists.ubuntu.com X-Mailman-Version: 2.1.20 Precedence: list List-Id: Kernel team discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: kernel-team-bounces@lists.ubuntu.com Sender: "kernel-team" From: Peter Jones BugLink: https://bugs.launchpad.net/bugs/1845454 When there are no entries to put into the final event log, some machines will return the template they would have populated anyway. In this case the nr_events field is 0, but the rest of the log is just garbage. This patch stops us from trying to iterate the table with __calc_tpm2_event_size() when the number of events in the table is 0. Fixes: c46f3405692d ("tpm: Reserve the TPM final events table") Cc: linux-efi@vger.kernel.org Cc: linux-integrity@vger.kernel.org Cc: stable@vger.kernel.org Signed-off-by: Peter Jones Tested-by: Lyude Paul Reviewed-by: Jarkko Sakkinen Acked-by: Matthew Garrett Acked-by: Ard Biesheuvel Signed-off-by: Jarkko Sakkinen Signed-off-by: Ard Biesheuvel (cherry picked from commit 1f112c0544b1a6bb49bbf4f7457a7d4bb0d304b6 git://git.kernel.org/pub/scm/linux/kernel/git/efi/efi.git) Signed-off-by: Seth Forshee --- drivers/firmware/efi/tpm.c | 15 ++++++++++----- 1 file changed, 10 insertions(+), 5 deletions(-) diff --git a/drivers/firmware/efi/tpm.c b/drivers/firmware/efi/tpm.c index 1d3f5ca3eaaf..b9ae5c6f9b9c 100644 --- a/drivers/firmware/efi/tpm.c +++ b/drivers/firmware/efi/tpm.c @@ -75,11 +75,16 @@ int __init efi_tpm_eventlog_init(void) goto out; } - tbl_size = tpm2_calc_event_log_size((void *)efi.tpm_final_log - + sizeof(final_tbl->version) - + sizeof(final_tbl->nr_events), - final_tbl->nr_events, - log_tbl->log); + tbl_size = 0; + if (final_tbl->nr_events != 0) { + void *events = (void *)efi.tpm_final_log + + sizeof(final_tbl->version) + + sizeof(final_tbl->nr_events); + + tbl_size = tpm2_calc_event_log_size(events, + final_tbl->nr_events, + log_tbl->log); + } memblock_reserve((unsigned long)final_tbl, tbl_size + sizeof(*final_tbl)); early_memunmap(final_tbl, sizeof(*final_tbl)); From patchwork Sat Sep 28 15:46:58 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Seth Forshee X-Patchwork-Id: 1168858 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Authentication-Results: ozlabs.org; spf=none (mailfrom) smtp.mailfrom=lists.ubuntu.com (client-ip=91.189.94.19; helo=huckleberry.canonical.com; envelope-from=kernel-team-bounces@lists.ubuntu.com; receiver=) Authentication-Results: ozlabs.org; dmarc=fail (p=none dis=none) header.from=canonical.com Received: from huckleberry.canonical.com (huckleberry.canonical.com [91.189.94.19]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ozlabs.org (Postfix) with ESMTPS id 46gY291Bx6z9sPd; Sun, 29 Sep 2019 01:47:12 +1000 (AEST) Received: from localhost ([127.0.0.1] helo=huckleberry.canonical.com) by huckleberry.canonical.com with esmtp (Exim 4.86_2) (envelope-from ) id 1iEEw9-0000Rh-CZ; Sat, 28 Sep 2019 15:47:09 +0000 Received: from youngberry.canonical.com ([91.189.89.112]) by huckleberry.canonical.com with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.86_2) (envelope-from ) id 1iEEw5-0000OO-HY for kernel-team@lists.ubuntu.com; Sat, 28 Sep 2019 15:47:05 +0000 Received: from mail-io1-f69.google.com ([209.85.166.69]) by youngberry.canonical.com with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.86_2) (envelope-from ) id 1iEEw5-0005nq-8f for kernel-team@lists.ubuntu.com; Sat, 28 Sep 2019 15:47:05 +0000 Received: by mail-io1-f69.google.com with SMTP id e6so17646828iog.5 for ; Sat, 28 Sep 2019 08:47:05 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=uo8/CnFEagZw6nskTeSqZhsMoM3pf764MD8MSqgJaMw=; b=WUTNQqRQXD/G8Iq8b9U6VIcj205cBJbz1O3E69uhSVzC1SWIp7TVXRtome//GJVt/G yTqHRbT0VmJ0J0DfiD33QWit2TMUXzZaV+Te82Y3MM/dZtPPgqSkibaO36Jium1Cm3op Vf75Lq096lPAZVY4nurDWjd4GMXgmbRLpNJmsCtXH/8vIfqD+Qutf+x79UrQ4TQmL07s ve8viWHjK72FUZOgxXz1jsQxaiWLKfmAqkuo2qJ3KANutn3Lm3Lo5vgVMsIWasTQhKIc B5nA7VI91cQKjg3PFKuy+gZLKVn0xrxFKgn4EcsI6xZ5/gxSyq4VCEXS8eo5s9CbBjSy x6Vg== X-Gm-Message-State: APjAAAX1lM35W6WQSejhnvU7TdkTJCieAwMMllQ5iCjalrRcUOaqku+2 NQVvZ3bHlDhp5wifVDyXsH2jKSPNwhcvz5i5Z8uVNfan2IUc/38rCbdUcVWOzW4Lahz8X7LWqz/ AzkQrh3WGyg1nKzmUXCVSxSp74gD1/iRRrmBAZYVc4Q== X-Received: by 2002:a6b:3804:: with SMTP id f4mr14083783ioa.166.1569685624112; Sat, 28 Sep 2019 08:47:04 -0700 (PDT) X-Google-Smtp-Source: APXvYqxna+M+tTVJmVM1Vn57RoHAglzthwb/Sy+bAHLjUjgE888AAa7BNBrulSJg1zG9HMwlI/kS6g== X-Received: by 2002:a6b:3804:: with SMTP id f4mr14083762ioa.166.1569685623831; Sat, 28 Sep 2019 08:47:03 -0700 (PDT) Received: from localhost ([2605:a601:ac3:9720:4dd1:efb0:71b2:398e]) by smtp.gmail.com with ESMTPSA id q74sm3876977iod.72.2019.09.28.08.47.03 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Sat, 28 Sep 2019 08:47:03 -0700 (PDT) From: Seth Forshee To: kernel-team@lists.ubuntu.com Subject: [PATCH 3/3][SRU][E] efi/tpm: only set efi_tpm_final_log_size after successful event log parsing Date: Sat, 28 Sep 2019 10:46:58 -0500 Message-Id: <20190928154658.12957-4-seth.forshee@canonical.com> X-Mailer: git-send-email 2.20.1 In-Reply-To: <20190928154658.12957-1-seth.forshee@canonical.com> References: <20190928154658.12957-1-seth.forshee@canonical.com> MIME-Version: 1.0 X-BeenThere: kernel-team@lists.ubuntu.com X-Mailman-Version: 2.1.20 Precedence: list List-Id: Kernel team discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: kernel-team-bounces@lists.ubuntu.com Sender: "kernel-team" From: Jerry Snitselaar BugLink: https://bugs.launchpad.net/bugs/1845454 If __calc_tpm2_event_size fails to parse an event it will return 0, resulting tpm2_calc_event_log_size returning -1. Currently there is no check of this return value, and efi_tpm_final_log_size can end up being set to this negative value resulting in a panic like the the one given below. Also __calc_tpm2_event_size returns a size of 0 when it fails to parse an event, so update function documentation to reflect this. [ 0.774340] BUG: unable to handle page fault for address: ffffbc8fc00866ad [ 0.774788] #PF: supervisor read access in kernel mode [ 0.774788] #PF: error_code(0x0000) - not-present page [ 0.774788] PGD 107d36067 P4D 107d36067 PUD 107d37067 PMD 107d38067 PTE 0 [ 0.774788] Oops: 0000 [#1] SMP PTI [ 0.774788] CPU: 0 PID: 1 Comm: swapper/0 Not tainted 5.3.0-0.rc2.1.elrdy.x86_64 #1 [ 0.774788] Hardware name: LENOVO 20HGS22D0W/20HGS22D0W, BIOS N1WET51W (1.30 ) 09/14/2018 [ 0.774788] RIP: 0010:memcpy_erms+0x6/0x10 [ 0.774788] Code: 90 90 90 90 eb 1e 0f 1f 00 48 89 f8 48 89 d1 48 c1 e9 03 83 e2 07 f3 48 a5 89 d1 f3 a4 c3 66 0f 1f 44 00 00 48 89 f8 48 89 d1 a4 c3 0f 1f 80 00 00 00 00 48 89 f8 48 83 fa 20 72 7e 40 38 fe [ 0.774788] RSP: 0000:ffffbc8fc0073b30 EFLAGS: 00010286 [ 0.774788] RAX: ffff9b1fc7c5b367 RBX: ffff9b1fc8390000 RCX: ffffffffffffe962 [ 0.774788] RDX: ffffffffffffe962 RSI: ffffbc8fc00866ad RDI: ffff9b1fc7c5b367 [ 0.774788] RBP: ffff9b1c10ca7018 R08: ffffbc8fc0085fff R09: 8000000000000063 [ 0.774788] R10: 0000000000001000 R11: 000fffffffe00000 R12: 0000000000003367 [ 0.774788] R13: ffff9b1fcc47c010 R14: ffffbc8fc0085000 R15: 0000000000000002 [ 0.774788] FS: 0000000000000000(0000) GS:ffff9b1fce200000(0000) knlGS:0000000000000000 [ 0.774788] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 0.774788] CR2: ffffbc8fc00866ad CR3: 000000029f60a001 CR4: 00000000003606f0 [ 0.774788] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 0.774788] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 0.774788] Call Trace: [ 0.774788] tpm_read_log_efi+0x156/0x1a0 [ 0.774788] tpm_bios_log_setup+0xc8/0x190 [ 0.774788] tpm_chip_register+0x50/0x1c0 [ 0.774788] tpm_tis_core_init.cold.9+0x28c/0x466 [ 0.774788] tpm_tis_plat_probe+0xcc/0xea [ 0.774788] platform_drv_probe+0x35/0x80 [ 0.774788] really_probe+0xef/0x390 [ 0.774788] driver_probe_device+0xb4/0x100 [ 0.774788] device_driver_attach+0x4f/0x60 [ 0.774788] __driver_attach+0x86/0x140 [ 0.774788] ? device_driver_attach+0x60/0x60 [ 0.774788] bus_for_each_dev+0x76/0xc0 [ 0.774788] ? klist_add_tail+0x3b/0x70 [ 0.774788] bus_add_driver+0x14a/0x1e0 [ 0.774788] ? tpm_init+0xea/0xea [ 0.774788] ? do_early_param+0x8e/0x8e [ 0.774788] driver_register+0x6b/0xb0 [ 0.774788] ? tpm_init+0xea/0xea [ 0.774788] init_tis+0x86/0xd8 [ 0.774788] ? do_early_param+0x8e/0x8e [ 0.774788] ? driver_register+0x94/0xb0 [ 0.774788] do_one_initcall+0x46/0x1e4 [ 0.774788] ? do_early_param+0x8e/0x8e [ 0.774788] kernel_init_freeable+0x199/0x242 [ 0.774788] ? rest_init+0xaa/0xaa [ 0.774788] kernel_init+0xa/0x106 [ 0.774788] ret_from_fork+0x35/0x40 [ 0.774788] Modules linked in: [ 0.774788] CR2: ffffbc8fc00866ad [ 0.774788] ---[ end trace 42930799f8d6eaea ]--- [ 0.774788] RIP: 0010:memcpy_erms+0x6/0x10 [ 0.774788] Code: 90 90 90 90 eb 1e 0f 1f 00 48 89 f8 48 89 d1 48 c1 e9 03 83 e2 07 f3 48 a5 89 d1 f3 a4 c3 66 0f 1f 44 00 00 48 89 f8 48 89 d1 a4 c3 0f 1f 80 00 00 00 00 48 89 f8 48 83 fa 20 72 7e 40 38 fe [ 0.774788] RSP: 0000:ffffbc8fc0073b30 EFLAGS: 00010286 [ 0.774788] RAX: ffff9b1fc7c5b367 RBX: ffff9b1fc8390000 RCX: ffffffffffffe962 [ 0.774788] RDX: ffffffffffffe962 RSI: ffffbc8fc00866ad RDI: ffff9b1fc7c5b367 [ 0.774788] RBP: ffff9b1c10ca7018 R08: ffffbc8fc0085fff R09: 8000000000000063 [ 0.774788] R10: 0000000000001000 R11: 000fffffffe00000 R12: 0000000000003367 [ 0.774788] R13: ffff9b1fcc47c010 R14: ffffbc8fc0085000 R15: 0000000000000002 [ 0.774788] FS: 0000000000000000(0000) GS:ffff9b1fce200000(0000) knlGS:0000000000000000 [ 0.774788] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 0.774788] CR2: ffffbc8fc00866ad CR3: 000000029f60a001 CR4: 00000000003606f0 [ 0.774788] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 0.774788] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 0.774788] Kernel panic - not syncing: Fatal exception [ 0.774788] Kernel Offset: 0x1d000000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff) [ 0.774788] ---[ end Kernel panic - not syncing: Fatal exception ]--- The root cause of the issue that caused the failure of event parsing in this case is resolved by Peter Jone's patchset dealing with large event logs where crossing over a page boundary causes the page with the event count to be unmapped. Fixes: c46f3405692de ("tpm: Reserve the TPM final events table") Cc: linux-efi@vger.kernel.org Cc: linux-integrity@vger.kernel.org Cc: stable@vger.kernel.org Cc: Matthew Garrett Cc: Ard Biesheuvel Cc: Jarkko Sakkinen Signed-off-by: Jerry Snitselaar Signed-off-by: Ard Biesheuvel (cherry picked from commit c0e71ec75e07043eb7003b9601bc3c4eb1f156cc git://git.kernel.org/pub/scm/linux/kernel/git/efi/efi.git) Signed-off-by: Seth Forshee --- drivers/firmware/efi/tpm.c | 9 ++++++++- include/linux/tpm_eventlog.h | 2 +- 2 files changed, 9 insertions(+), 2 deletions(-) diff --git a/drivers/firmware/efi/tpm.c b/drivers/firmware/efi/tpm.c index b9ae5c6f9b9c..703469c1ab8e 100644 --- a/drivers/firmware/efi/tpm.c +++ b/drivers/firmware/efi/tpm.c @@ -85,11 +85,18 @@ int __init efi_tpm_eventlog_init(void) final_tbl->nr_events, log_tbl->log); } + + if (tbl_size < 0) { + pr_err(FW_BUG "Failed to parse event in TPM Final Events Log\n"); + goto out_calc; + } + memblock_reserve((unsigned long)final_tbl, tbl_size + sizeof(*final_tbl)); - early_memunmap(final_tbl, sizeof(*final_tbl)); efi_tpm_final_log_size = tbl_size; +out_calc: + early_memunmap(final_tbl, sizeof(*final_tbl)); out: early_memunmap(log_tbl, sizeof(*log_tbl)); return ret; diff --git a/include/linux/tpm_eventlog.h b/include/linux/tpm_eventlog.h index 12584b69a3f3..2dfdd63ac034 100644 --- a/include/linux/tpm_eventlog.h +++ b/include/linux/tpm_eventlog.h @@ -152,7 +152,7 @@ struct tcg_algorithm_info { * total. Once we've done this we know the offset of the data length field, * and can calculate the total size of the event. * - * Return: size of the event on success, <0 on failure + * Return: size of the event on success, 0 on failure */ static inline int __calc_tpm2_event_size(struct tcg_pcr_event2_head *event,