Page MenuHomeFreeBSD

tpm: Prevent session hijack.
ClosedPublic

Authored by mindal_semihalf.com on Mar 26 2019, 12:00 PM.

Details

Summary

Check caller thread id before allowing to read the buffer to make sure that it can only be accessed by the thread that did the associated write to the TPM.

Diff Detail

Repository
rS FreeBSD src repository
Lint
Automatic diff as part of commit; lint not applicable.
Unit
Automatic diff as part of commit; unit tests not applicable.

Event Timeline

I don't really know the internals of this driver (ideally this should be done by someone who is familiar with it), but are we sure that the write method is always called before a read? Also, if the discard callout is fired, should the owner tid be reset (because the contents is now discarded)?

I don't really know the internals of this driver (ideally this should be done by someone who is familiar with it), but are we sure that the write method is always called before a read? Also, if the discard callout is fired, should the owner tid be reset (because the contents is now discarded)?

If the write method hasn't been called before a read then there will be nothing in the buffer and the read will fail - as pending_data_length equals 0.
Essentially the way it works is that write is used to do the entire communication with TPM and read just copies the response to userspace.
As for the discard callout, since it also clears the buffer read would fail either way and tid is not checked in write, as it is used only to restrict access to buffer contents which is empty when a write is performed.

delphij accepted this revision.Fri, Apr 12, 3:49 PM

I don't really know the internals of this driver (ideally this should be done by someone who is familiar with it), but are we sure that the write method is always called before a read? Also, if the discard callout is fired, should the owner tid be reset (because the contents is now discarded)?

If the write method hasn't been called before a read then there will be nothing in the buffer and the read will fail - as pending_data_length equals 0.
Essentially the way it works is that write is used to do the entire communication with TPM and read just copies the response to userspace.
As for the discard callout, since it also clears the buffer read would fail either way and tid is not checked in write, as it is used only to restrict access to buffer contents which is empty when a write is performed.

I see, sounds reasonable.

This revision is now accepted and ready to land.Fri, Apr 12, 3:49 PM
Closed by commit rS346259: tpm: Prevent session hijack (authored by mw, committed by ). · Explain WhyTue, Apr 16, 2:28 AM
This revision was automatically updated to reflect the committed changes.