Page Menu
Home
FreeBSD
Search
Configure Global Search
Log In
Files
F95109430
D46564.id143026.diff
No One
Temporary
Actions
View File
Edit File
Delete File
View Transforms
Subscribe
Mute Notifications
Flag For Later
Award Token
Size
2 KB
Referenced Files
None
Subscribers
None
D46564.id143026.diff
View Options
diff --git a/usr.sbin/bhyve/tpm_intf_crb.c b/usr.sbin/bhyve/tpm_intf_crb.c
--- a/usr.sbin/bhyve/tpm_intf_crb.c
+++ b/usr.sbin/bhyve/tpm_intf_crb.c
@@ -165,6 +165,15 @@
regs.rsp_addr = val; \
} while (0)
+struct tpm_cmd_hdr {
+ uint16_t tag;
+ uint32_t len;
+ union {
+ uint32_t ordinal;
+ uint32_t errcode;
+ };
+} __packed;
+
struct tpm_crb {
struct tpm_emul *emul;
void *emul_sc;
@@ -176,6 +185,7 @@
bool closing;
};
+
static void *
tpm_crb_thread(void *const arg)
{
@@ -200,6 +210,26 @@
const uint32_t cmd_size = CRB_CMD_SIZE_READ(crb->regs);
const uint32_t rsp_size = CRB_RSP_SIZE_READ(crb->regs);
+ if ((cmd_addr < TPM_CRB_DATA_BUFFER_ADDRESS) ||
+ (cmd_size < sizeof (struct tpm_cmd_hdr)) ||
+ (cmd_size > TPM_CRB_DATA_BUFFER_SIZE) ||
+ (cmd_addr + cmd_size >
+ TPM_CRB_DATA_BUFFER_ADDRESS + TPM_CRB_DATA_BUFFER_SIZE)) {
+ warnx("%s: invalid cmd [%16lx/%8x] outside of TPM "
+ "buffer", __func__, cmd_addr, cmd_size);
+ break;
+ }
+
+ if ((rsp_addr < TPM_CRB_DATA_BUFFER_ADDRESS) ||
+ (rsp_size < sizeof (struct tpm_cmd_hdr)) ||
+ (rsp_size > TPM_CRB_DATA_BUFFER_SIZE) ||
+ (rsp_addr + rsp_size >
+ TPM_CRB_DATA_BUFFER_ADDRESS + TPM_CRB_DATA_BUFFER_SIZE)) {
+ warnx("%s: invalid rsp [%16lx/%8x] outside of TPM "
+ "buffer", __func__, rsp_addr, rsp_size);
+ break;
+ }
+
const uint64_t cmd_off = cmd_addr - TPM_CRB_DATA_BUFFER_ADDRESS;
const uint64_t rsp_off = rsp_addr - TPM_CRB_DATA_BUFFER_ADDRESS;
@@ -217,6 +247,17 @@
uint8_t cmd[TPM_CRB_DATA_BUFFER_SIZE];
memcpy(cmd, crb->regs.data_buffer, TPM_CRB_DATA_BUFFER_SIZE);
+ /*
+ * Do a basic sanity check of the TPM request header. We'll need
+ * the TPM request length for execute_cmd() below.
+ */
+ struct tpm_cmd_hdr *req = (struct tpm_cmd_hdr *)&cmd[cmd_off];
+ if (be32toh(req->len) < sizeof (struct tpm_cmd_hdr) ||
+ be32toh(req->len) > cmd_size) {
+ warnx("%s: invalid TPM request header", __func__);
+ break;
+ }
+
/*
* A TPM command can take multiple seconds to execute. As we've
* copied all required values and buffers at this point, we can
@@ -237,8 +278,8 @@
* response.
*/
uint8_t rsp[TPM_CRB_DATA_BUFFER_SIZE] = { 0 };
- crb->emul->execute_cmd(crb->emul_sc, &cmd[cmd_off], cmd_size,
- &rsp[rsp_off], rsp_size);
+ (void) crb->emul->execute_cmd(crb->emul_sc, req,
+ be32toh(req->len), &rsp[rsp_off], rsp_size);
pthread_mutex_lock(&crb->mutex);
memset(crb->regs.data_buffer, 0, TPM_CRB_DATA_BUFFER_SIZE);
File Metadata
Details
Attached
Mime Type
text/plain
Expires
Fri, Sep 20, 10:25 AM (14 h, 18 m)
Storage Engine
blob
Storage Format
Raw Data
Storage Handle
11433041
Default Alt Text
D46564.id143026.diff (2 KB)
Attached To
Mode
D46564: bhyve: TPM CRB: pass actual TPM request length to backend execute_cmd()
Attached
Detach File
Event Timeline
Log In to Comment