From owner-svn-src-all@freebsd.org Tue Sep 3 14:07:45 2019 Return-Path: Delivered-To: svn-src-all@mailman.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.nyi.freebsd.org (Postfix) with ESMTP id 7395FDD1B1; Tue, 3 Sep 2019 14:06:56 +0000 (UTC) (envelope-from yuripv@freebsd.org) Received: from freefall.freebsd.org (freefall.freebsd.org [IPv6:2610:1c1:1:6074::16:84]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) server-signature RSA-PSS (4096 bits) client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "freefall.freebsd.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 46N8000S0tz4Q3V; Tue, 3 Sep 2019 14:06:56 +0000 (UTC) (envelope-from yuripv@freebsd.org) Received: by freefall.freebsd.org (Postfix, from userid 1452) id 001371ADB2; Tue, 3 Sep 2019 14:06:21 +0000 (UTC) X-Original-To: yuripv@localmail.freebsd.org Delivered-To: yuripv@localmail.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [96.47.72.80]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)) (Client CN "mx1.freebsd.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by freefall.freebsd.org (Postfix) with ESMTPS id 62BBD12FD2; Tue, 16 Apr 2019 02:28:39 +0000 (UTC) (envelope-from owner-src-committers@freebsd.org) Received: from freefall.freebsd.org (freefall.freebsd.org [96.47.72.132]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) server-signature RSA-PSS (4096 bits) client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "freefall.freebsd.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 1EE0A6E036; Tue, 16 Apr 2019 02:28:39 +0000 (UTC) (envelope-from owner-src-committers@freebsd.org) Received: by freefall.freebsd.org (Postfix, from userid 538) id 10E5612FD0; Tue, 16 Apr 2019 02:28:39 +0000 (UTC) Delivered-To: src-committers@localmail.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)) (Client CN "mx1.freebsd.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by freefall.freebsd.org (Postfix) with ESMTPS id 9BE2312FCE for ; Tue, 16 Apr 2019 02:28:36 +0000 (UTC) (envelope-from mw@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) server-signature RSA-PSS (4096 bits) client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 6C6696E033; Tue, 16 Apr 2019 02:28:36 +0000 (UTC) (envelope-from mw@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 484D41918D; Tue, 16 Apr 2019 02:28:36 +0000 (UTC) (envelope-from mw@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id x3G2Satd057158; Tue, 16 Apr 2019 02:28:36 GMT (envelope-from mw@FreeBSD.org) Received: (from mw@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id x3G2SZIg057157; Tue, 16 Apr 2019 02:28:35 GMT (envelope-from mw@FreeBSD.org) Message-Id: <201904160228.x3G2SZIg057157@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: mw set sender to mw@FreeBSD.org using -f From: Marcin Wojtas To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org Subject: svn commit: r346259 - head/sys/dev/tpm X-SVN-Group: head X-SVN-Commit-Author: mw X-SVN-Commit-Paths: head/sys/dev/tpm X-SVN-Commit-Revision: 346259 X-SVN-Commit-Repository: base MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Precedence: bulk X-Loop: FreeBSD.org Sender: owner-src-committers@freebsd.org X-Rspamd-Queue-Id: 1EE0A6E036 X-Spamd-Bar: -- Authentication-Results: mx1.freebsd.org X-Spamd-Result: default: False [-2.97 / 15.00]; local_wl_from(0.00)[freebsd.org]; NEURAL_HAM_MEDIUM(-1.00)[-0.999,0]; NEURAL_HAM_SHORT(-0.98)[-0.976,0]; NEURAL_HAM_LONG(-1.00)[-1.000,0]; ASN(0.00)[asn:11403, ipnet:96.47.64.0/20, country:US] Status: O X-BeenThere: svn-src-all@freebsd.org X-Mailman-Version: 2.1.29 List-Id: "SVN commit messages for the entire src tree \(except for " user" and " projects" \)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Date: Tue, 03 Sep 2019 14:07:46 -0000 X-Original-Date: Tue, 16 Apr 2019 02:28:35 +0000 (UTC) X-List-Received-Date: Tue, 03 Sep 2019 14:07:46 -0000 Author: mw Date: Tue Apr 16 02:28:35 2019 New Revision: 346259 URL: https://svnweb.freebsd.org/changeset/base/346259 Log: tpm: Prevent session hijack Check caller thread id before allowing to read the buffer to make sure that it can only be accessed by the thread that did the associated write to the TPM. Submitted by: Kornel Duleba Reviewed by: delphij Obtained from: Semihalf Sponsored by: Stormshield Differential Revision: https://reviews.freebsd.org/D19713 Modified: head/sys/dev/tpm/tpm20.c head/sys/dev/tpm/tpm20.h Modified: head/sys/dev/tpm/tpm20.c ============================================================================== --- head/sys/dev/tpm/tpm20.c Tue Apr 16 02:12:38 2019 (r346258) +++ head/sys/dev/tpm/tpm20.c Tue Apr 16 02:28:35 2019 (r346259) @@ -77,6 +77,10 @@ tpm20_read(struct cdev *dev, struct uio *uio, int flag callout_stop(&sc->discard_buffer_callout); sx_xlock(&sc->dev_lock); + if (sc->owner_tid != uio->uio_td->td_tid) { + sx_xunlock(&sc->dev_lock); + return (EPERM); + } bytes_to_transfer = MIN(sc->pending_data_length, uio->uio_resid); if (bytes_to_transfer > 0) { @@ -128,9 +132,11 @@ tpm20_write(struct cdev *dev, struct uio *uio, int fla result = sc->transmit(sc, byte_count); - if (result == 0) + if (result == 0) { callout_reset(&sc->discard_buffer_callout, TPM_READ_TIMEOUT / tick, tpm20_discard_buffer, sc); + sc->owner_tid = uio->uio_td->td_tid; + } sx_xunlock(&sc->dev_lock); return (result); Modified: head/sys/dev/tpm/tpm20.h ============================================================================== --- head/sys/dev/tpm/tpm20.h Tue Apr 16 02:12:38 2019 (r346258) +++ head/sys/dev/tpm/tpm20.h Tue Apr 16 02:28:35 2019 (r346259) @@ -120,6 +120,7 @@ struct tpm_sc { uint8_t *buf; size_t pending_data_length; + lwpid_t owner_tid; struct callout discard_buffer_callout; #ifdef TPM_HARVEST