Page MenuHomeFreeBSD
Differential D19713

tpm: Prevent session hijack.
ClosedPublic
Actions

Authored by kd on Mar 26 2019, 12:00 PM.
Tags
None
Referenced Files
Unknown Object (File)
Thu, Oct 31, 7:13 AM
Unknown Object (File)
Oct 4 2024, 8:32 AM
Unknown Object (File)
Sep 21 2024, 8:05 PM
Unknown Object (File)
Sep 12 2024, 11:14 AM
Unknown Object (File)
Sep 2 2024, 1:57 AM
Unknown Object (File)
Sep 2 2024, 1:57 AM
Unknown Object (File)
Sep 2 2024, 1:57 AM
Unknown Object (File)
Sep 2 2024, 1:55 AM
View All 39 Files
Subscribers
imp

Details

Reviewers
mw
mst_semihalf.com
delphij
Commits
rS346259: tpm: Prevent session hijack
Summary

Check caller thread id before allowing to read the buffer to make sure that it can only be accessed by the thread that did the associated write to the TPM.

Diff Detail

Repository
rS FreeBSD src repository - subversion
Lint
Lint Skipped
Unit
Tests Skipped

Event Timeline

kd created this revision.Mar 26 2019, 12:00 PM
Herald added a subscriber: imp. · View Herald TranscriptMar 26 2019, 12:00 PM
kd added a reviewer: delphij.Apr 11 2019, 11:06 AM
delphij added a comment.Apr 11 2019, 7:03 PM

I don't really know the internals of this driver (ideally this should be done by someone who is familiar with it), but are we sure that the write method is always called before a read? Also, if the discard callout is fired, should the owner tid be reset (because the contents is now discarded)?

kd added a comment.Apr 12 2019, 8:12 AM
In D19713#427028, @delphij wrote:

I don't really know the internals of this driver (ideally this should be done by someone who is familiar with it), but are we sure that the write method is always called before a read? Also, if the discard callout is fired, should the owner tid be reset (because the contents is now discarded)?

If the write method hasn't been called before a read then there will be nothing in the buffer and the read will fail - as pending_data_length equals 0.
Essentially the way it works is that write is used to do the entire communication with TPM and read just copies the response to userspace.
As for the discard callout, since it also clears the buffer read would fail either way and tid is not checked in write, as it is used only to restrict access to buffer contents which is empty when a write is performed.

delphij accepted this revision.Apr 12 2019, 3:49 PM
In D19713#427179, @mindal_semihalf.com wrote:
In D19713#427028, @delphij wrote:

I don't really know the internals of this driver (ideally this should be done by someone who is familiar with it), but are we sure that the write method is always called before a read? Also, if the discard callout is fired, should the owner tid be reset (because the contents is now discarded)?

If the write method hasn't been called before a read then there will be nothing in the buffer and the read will fail - as pending_data_length equals 0.
Essentially the way it works is that write is used to do the entire communication with TPM and read just copies the response to userspace.
As for the discard callout, since it also clears the buffer read would fail either way and tid is not checked in write, as it is used only to restrict access to buffer contents which is empty when a write is performed.

I see, sounds reasonable.

This revision is now accepted and ready to land.Apr 12 2019, 3:49 PM
Closed by commit rS346259: tpm: Prevent session hijack (authored by mw). · Explain WhyApr 16 2019, 2:28 AM
This revision was automatically updated to reflect the committed changes.

Revision Contents
Changeset List

PathSize
sys/
dev/
tpm/
1 line
8 lines

Diff 55452

View Options

sys/dev/tpm/tpm20.h

Loading...
View Options

sys/dev/tpm/tpm20.c

Loading...