Page MenuHomeFreeBSD

tpm: Prevent session hijack.
ClosedPublic

Authored by kd on Mar 26 2019, 12:00 PM.
Tags
None
Referenced Files
Unknown Object (File)
Fri, Dec 13, 5:28 PM
Unknown Object (File)
Nov 22 2024, 11:45 PM
Unknown Object (File)
Oct 31 2024, 7:13 AM
Unknown Object (File)
Oct 4 2024, 8:32 AM
Unknown Object (File)
Sep 21 2024, 8:05 PM
Unknown Object (File)
Sep 12 2024, 11:14 AM
Unknown Object (File)
Sep 2 2024, 1:57 AM
Unknown Object (File)
Sep 2 2024, 1:57 AM
Subscribers

Details

Summary

Check caller thread id before allowing to read the buffer to make sure that it can only be accessed by the thread that did the associated write to the TPM.

Diff Detail

Repository
rS FreeBSD src repository - subversion
Lint
Lint Not Applicable
Unit
Tests Not Applicable

Event Timeline

I don't really know the internals of this driver (ideally this should be done by someone who is familiar with it), but are we sure that the write method is always called before a read? Also, if the discard callout is fired, should the owner tid be reset (because the contents is now discarded)?

I don't really know the internals of this driver (ideally this should be done by someone who is familiar with it), but are we sure that the write method is always called before a read? Also, if the discard callout is fired, should the owner tid be reset (because the contents is now discarded)?

If the write method hasn't been called before a read then there will be nothing in the buffer and the read will fail - as pending_data_length equals 0.
Essentially the way it works is that write is used to do the entire communication with TPM and read just copies the response to userspace.
As for the discard callout, since it also clears the buffer read would fail either way and tid is not checked in write, as it is used only to restrict access to buffer contents which is empty when a write is performed.

In D19713#427179, @mindal_semihalf.com wrote:

I don't really know the internals of this driver (ideally this should be done by someone who is familiar with it), but are we sure that the write method is always called before a read? Also, if the discard callout is fired, should the owner tid be reset (because the contents is now discarded)?

If the write method hasn't been called before a read then there will be nothing in the buffer and the read will fail - as pending_data_length equals 0.
Essentially the way it works is that write is used to do the entire communication with TPM and read just copies the response to userspace.
As for the discard callout, since it also clears the buffer read would fail either way and tid is not checked in write, as it is used only to restrict access to buffer contents which is empty when a write is performed.

I see, sounds reasonable.

This revision is now accepted and ready to land.Apr 12 2019, 3:49 PM
This revision was automatically updated to reflect the committed changes.