[SeaBIOS] [PATCH 2/2] tcgbios: Check for enough bytes returned from TPM2_GetCapability

Stefan Berger posted 2 patches 4 years, 10 months ago
[SeaBIOS] [PATCH 2/2] tcgbios: Check for enough bytes returned from TPM2_GetCapability
Posted by Stefan Berger 4 years, 10 months ago
When querying a TPM 2.0 for its PCRs, make sure that we get enough bytes
from it in a response that did not indicate a failure. Basically we are
defending against a TPM 2.0 sending responses that are not compliant to
the specs.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
---
 src/tcgbios.c | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)

diff --git a/src/tcgbios.c b/src/tcgbios.c
index 2e503f9..95c1e94 100644
--- a/src/tcgbios.c
+++ b/src/tcgbios.c
@@ -481,8 +481,17 @@ tpm20_get_pcrbanks(void)
     if (ret)
         return ret;
 
-    u32 size = be32_to_cpu(trg->hdr.totlen) -
-                           offsetof(struct tpm2_res_getcapability, data);
+    /* defend against (broken) TPM sending packets that are too short */
+    u32 resplen = be32_to_cpu(trg->hdr.totlen);
+    if (resplen <= offsetof(struct tpm2_res_getcapability, data))
+        return -1;
+
+    u32 size = resplen - offsetof(struct tpm2_res_getcapability, data);
+    /* we need a valid tpml_pcr_selection up to and including sizeOfSelect */
+    if (size < offsetof(struct tpml_pcr_selection, selections) +
+               offsetof(struct tpms_pcr_selection, pcrSelect))
+        return -1;
+
     tpm20_pcr_selection = malloc_high(size);
     if (tpm20_pcr_selection) {
         memcpy(tpm20_pcr_selection, &trg->data, size);
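Review bot: the new checks bound `totlen` from below only; the upper bound is still taken on trust. `resplen` is read straight from the response header and nothing in this hunk compares it with the size of the buffer `trg` points to, or with the number of bytes actually received, yet the `size` derived from it feeds both `malloc_high(size)` and `memcpy(tpm20_pcr_selection, &trg->data, size)`. Unless the transmit path already rejects a `totlen` larger than the receive buffer, a TPM reporting an over-large length gets a read past the end of the buffer rather than a `-1`. Suggest a matching `if (resplen > sizeof(<response buffer>)) return -1;` next to the `<=` check so both directions are rejected in one place, and a comment naming where the upper bound is enforced if it already is elsewhere.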
-- 
2.20.1
_______________________________________________
SeaBIOS mailing list -- seabios@seabios.org
To unsubscribe send an email to seabios-leave@seabios.org
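The validation the commit message describes, carried through the whole TPM_CAP_PCRS payload, as an added example that is not SeaBIOS code: it checks the response header against the bytes actually received (upper bound), then the lower bound the patch adds, then walks every variable-length TPMS_PCR_SELECTION entry so that `count` and each `sizeofSelect` are also bounded. The wire layout follows the TPM 2.0 Library specification; the function name `parse_pcr_banks`, the `PCR_ERR_*` codes, `bank_hash_alg` and the five sample responses are this example's own constructions, not captured TPM output.

```c
/* Added example (not SeaBIOS code): parse a TPM2_GetCapability(TPM_CAP_PCRS)
 * response, checking every length taken from the wire against the bytes that
 * were actually received. Layout follows the TPM 2.0 Library spec; the names
 * parse_pcr_banks, PCR_ERR_* and the sample buffers are this example's own. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define TPM_CAP_PCRS   0x00000005u
#define RSP_HDR_LEN    10u                     /* tag(2) responseSize(4) responseCode(4) */
#define RSP_DATA_OFF   (RSP_HDR_LEN + 1u + 4u) /* + moreData(1) + capability(4) */
#define PCR_SELECT_MAX 8u

enum {
    PCR_ERR_SHORT_HEADER   = -1,  /* fewer than RSP_HDR_LEN bytes received */
    PCR_ERR_OVERSIZED      = -2,  /* responseSize claims more than was received */
    PCR_ERR_TPM_RC         = -3,  /* TPM reported an error */
    PCR_ERR_NO_DATA        = -4,  /* success, but nothing after the capability field */
    PCR_ERR_WRONG_CAP      = -5,
    PCR_ERR_NO_COUNT       = -6,  /* TPML_PCR_SELECTION.count missing */
    PCR_ERR_TRUNC_HEADER   = -7,  /* hash + sizeofSelect of an entry cut off */
    PCR_ERR_SELECT_TOO_BIG = -8,
    PCR_ERR_TRUNC_SELECT   = -9,  /* pcrSelect bytes cut off */
    PCR_ERR_TRAILING       = -10, /* bytes left over after count entries */
};

struct pcr_bank { uint16_t hash_alg; uint8_t size_of_select; uint8_t pcr_select[PCR_SELECT_MAX]; };

static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}
static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* buf/received: receive buffer and the byte count the transport really put in
 * it. Returns the number of banks (>= 0) or a PCR_ERR_* code. out may be NULL
 * with max_out == 0 to validate only. */
int parse_pcr_banks(const uint8_t *buf, size_t received, struct pcr_bank *out, size_t max_out)
{
    if (received < RSP_HDR_LEN)
        return PCR_ERR_SHORT_HEADER;
    uint32_t totlen = be32(buf + 2), rc = be32(buf + 6);
    /* Upper bound first: later offsets are relative to totlen, so a totlen larger
     * than the buffer would turn the lower-bound checks into over-reads. */
    if (totlen > received)
        return PCR_ERR_OVERSIZED;
    if (rc != 0)
        return PCR_ERR_TPM_RC;
    if (totlen <= RSP_DATA_OFF)            /* the lower bound the SeaBIOS patch adds */
        return PCR_ERR_NO_DATA;
    if (be32(buf + RSP_HDR_LEN + 1) != TPM_CAP_PCRS)
        return PCR_ERR_WRONG_CAP;

    const uint8_t *p = buf + RSP_DATA_OFF, *end = buf + totlen;
    if ((size_t)(end - p) < 4)
        return PCR_ERR_NO_COUNT;
    uint32_t count = be32(p);
    p += 4;
    size_t n = 0;
    for (uint32_t i = 0; i < count; i++) {     /* each entry is variable-length */
        if ((size_t)(end - p) < 3)
            return PCR_ERR_TRUNC_HEADER;
        uint16_t alg = be16(p);
        uint8_t sos = p[2];
        p += 3;
        if (sos > PCR_SELECT_MAX)
            return PCR_ERR_SELECT_TOO_BIG;
        if ((size_t)(end - p) < sos)
            return PCR_ERR_TRUNC_SELECT;
        if (out && n < max_out) {
            out[n].hash_alg = alg;
            out[n].size_of_select = sos;
            memset(out[n].pcr_select, 0, PCR_SELECT_MAX);
            memcpy(out[n].pcr_select, p, sos);
        }
        p += sos;
        n++;
    }
    return p == end ? (int)n : PCR_ERR_TRAILING;
}

/* Constructed sample responses (not captured from a real TPM). */
static const uint8_t good_rsp[] = {             /* two banks, SHA1 and SHA256, 24 PCRs each */
    0x80, 0x01, 0x00, 0x00, 0x00, 0x1f, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x05,
    0x00, 0x00, 0x00, 0x02, 0x00, 0x04, 0x03, 0xff, 0xff, 0xff, 0x00, 0x0b, 0x03, 0xff, 0xff, 0xff };
static const uint8_t short_rsp[] = {            /* TPM_RC_SUCCESS, but nothing after capability */
    0x80, 0x01, 0x00, 0x00, 0x00, 0x0f, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x05 };
static const uint8_t trunc_rsp[] = {            /* count = 2, second entry ends after its hash */
    0x80, 0x01, 0x00, 0x00, 0x00, 0x1b, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x05,
    0x00, 0x00, 0x00, 0x02, 0x00, 0x04, 0x03, 0xff, 0xff, 0xff, 0x00, 0x0b };
static const uint8_t short_select_rsp[] = {     /* sizeofSelect = 3, only two pcrSelect bytes */
    0x80, 0x01, 0x00, 0x00, 0x00, 0x18, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x05,
    0x00, 0x00, 0x00, 0x01, 0x00, 0x0b, 0x03, 0xff, 0xff };
static const uint8_t lying_rsp[] = {            /* responseSize says 256, 31 bytes received */
    0x80, 0x01, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x05,
    0x00, 0x00, 0x00, 0x02, 0x00, 0x04, 0x03, 0xff, 0xff, 0xff, 0x00, 0x0b, 0x03, 0xff, 0xff, 0xff };

/* Convenience for callers that only want the hash algorithm of bank i. */
int bank_hash_alg(const uint8_t *buf, size_t received, size_t i)
{
    struct pcr_bank banks[4];
    int n = parse_pcr_banks(buf, received, banks, 4);
    if (n < 0 || i >= (size_t)n || i >= 4)
        return -1;
    return banks[i].hash_alg;
}
```

The order of the checks is the point: `totlen` is compared with `received` before it is used for anything else, because every later offset is measured from it, and the entry loop re-checks the remaining length before reading each header and again before reading each `pcrSelect`, which is what a response with a plausible `count` but a short body would otherwise get past. Passing `NULL, 0` for the output runs the parser as a pure validator; `parse_pcr_banks(good_rsp, sizeof good_rsp, NULL, 0)` returns 2, the four malformed buffers return their respective `PCR_ERR_*` codes.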
[SeaBIOS] Re: [PATCH 2/2] tcgbios: Check for enough bytes returned from TPM2_GetCapability
Posted by Marc-André Lureau 4 years, 10 months ago
On Thu, Nov 7, 2019 at 3:14 AM Stefan Berger <stefanb@linux.vnet.ibm.com> wrote:
>
> When querying a TPM 2.0 for its PCRs, make sure that we get enough bytes
> from it in a response that did not indicate a failure. Basically we are
> defending against a TPM 2.0 sending responses that are not compliant to
> the specs.
>
> Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>

Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>

> ---
>  src/tcgbios.c | 13 +++++++++++--
>  1 file changed, 11 insertions(+), 2 deletions(-)
>
> diff --git a/src/tcgbios.c b/src/tcgbios.c
> index 2e503f9..95c1e94 100644
> --- a/src/tcgbios.c
> +++ b/src/tcgbios.c
> @@ -481,8 +481,17 @@ tpm20_get_pcrbanks(void)
>      if (ret)
>          return ret;
>
> -    u32 size = be32_to_cpu(trg->hdr.totlen) -
> -                           offsetof(struct tpm2_res_getcapability, data);
> +    /* defend against (broken) TPM sending packets that are too short */
> +    u32 resplen = be32_to_cpu(trg->hdr.totlen);
> +    if (resplen <= offsetof(struct tpm2_res_getcapability, data))
> +        return -1;
> +
> +    u32 size = resplen - offsetof(struct tpm2_res_getcapability, data);
> +    /* we need a valid tpml_pcr_selection up to and including sizeOfSelect */
> +    if (size < offsetof(struct tpml_pcr_selection, selections) +
> +               offsetof(struct tpms_pcr_selection, pcrSelect))
> +        return -1;
> +
>      tpm20_pcr_selection = malloc_high(size);
>      if (tpm20_pcr_selection) {
>          memcpy(tpm20_pcr_selection, &trg->data, size);
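Review bot: the second check only proves that the first `tpms_pcr_selection` header fits inside `size`; it says nothing about the `pcrSelect` bytes that follow `sizeOfSelect`, nor about the second and later entries when `count` is greater than one. Because the entries are variable-length (each is `sizeOfSelect` bytes after its three-byte header), whatever later walks `tpm20_pcr_selection` over `count` entries still has to bound every `sizeOfSelect` against the remaining `size`, or a non-compliant response is parsed past the end of the copied data. Either extend the check here to walk the list once, or reword the comment so it is clear that only the list header and the first entry header are validated at this point.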
> --
> 2.20.1



-- 
Marc-André Lureau
[SeaBIOS] Re: [PATCH 2/2] tcgbios: Check for enough bytes returned from TPM2_GetCapability
Posted by Philippe Mathieu-Daudé 4 years, 10 months ago
On 11/6/19 10:36 PM, Stefan Berger wrote:
> When querying a TPM 2.0 for its PCRs, make sure that we get enough bytes
> from it in a response that did not indicate a failure. Basically we are
> defending against a TPM 2.0 sending responses that are not compliant to
> the specs.
> 
> Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
> ---
>   src/tcgbios.c | 13 +++++++++++--
>   1 file changed, 11 insertions(+), 2 deletions(-)
> 
> diff --git a/src/tcgbios.c b/src/tcgbios.c
> index 2e503f9..95c1e94 100644
> --- a/src/tcgbios.c
> +++ b/src/tcgbios.c
> @@ -481,8 +481,17 @@ tpm20_get_pcrbanks(void)
>       if (ret)
>           return ret;
>   
> -    u32 size = be32_to_cpu(trg->hdr.totlen) -
> -                           offsetof(struct tpm2_res_getcapability, data);
> +    /* defend against (broken) TPM sending packets that are too short */
> +    u32 resplen = be32_to_cpu(trg->hdr.totlen);
> +    if (resplen <= offsetof(struct tpm2_res_getcapability, data))
> +        return -1;
> +
> +    u32 size = resplen - offsetof(struct tpm2_res_getcapability, data);
> +    /* we need a valid tpml_pcr_selection up to and including sizeOfSelect */
> +    if (size < offsetof(struct tpml_pcr_selection, selections) +
> +               offsetof(struct tpms_pcr_selection, pcrSelect))
> +        return -1;
> +
>       tpm20_pcr_selection = malloc_high(size);
>       if (tpm20_pcr_selection) {
>           memcpy(tpm20_pcr_selection, &trg->data, size);
> 

Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>