Skip site navigation (1)Skip section navigation (2) 
Date:      Tue, 16 Apr 2019 02:28:35 +0000 (UTC)
From:      Marcin Wojtas <mw@FreeBSD.org>
To:        src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject:   svn commit: r346259 - head/sys/dev/tpm
Message-ID:  <201904160228.x3G2SZIg057157@repo.freebsd.org>
next in thread | raw e-mail | index | archive | help 
Author: mw
Date: Tue Apr 16 02:28:35 2019
New Revision: 346259
URL: https://svnweb.freebsd.org/changeset/base/346259

Log:
  tpm: Prevent session hijack
  
  Check caller thread id before allowing to read the buffer
  to make sure that it can only be accessed by the thread that
  did the associated write to the TPM.
  
  Submitted by: Kornel Duleba <mindal@semihalf.com>
  Reviewed by: delphij
  Obtained from: Semihalf
  Sponsored by: Stormshield
  Differential Revision: https://reviews.freebsd.org/D19713

Modified:
  head/sys/dev/tpm/tpm20.c
  head/sys/dev/tpm/tpm20.h

Modified: head/sys/dev/tpm/tpm20.c
==============================================================================
--- head/sys/dev/tpm/tpm20.c	Tue Apr 16 02:12:38 2019	(r346258)
+++ head/sys/dev/tpm/tpm20.c	Tue Apr 16 02:28:35 2019	(r346259)
@@ -77,6 +77,10 @@ tpm20_read(struct cdev *dev, struct uio *uio, int flag
 
 	callout_stop(&sc->discard_buffer_callout);
 	sx_xlock(&sc->dev_lock);
+	if (sc->owner_tid != uio->uio_td->td_tid) {
+		sx_xunlock(&sc->dev_lock);
+		return (EPERM);
+	}
 
 	bytes_to_transfer = MIN(sc->pending_data_length, uio->uio_resid);
 	if (bytes_to_transfer > 0) {
@@ -128,9 +132,11 @@ tpm20_write(struct cdev *dev, struct uio *uio, int fla
 
 	result = sc->transmit(sc, byte_count);
 
-	if (result == 0)
+	if (result == 0) {
 		callout_reset(&sc->discard_buffer_callout,
 		    TPM_READ_TIMEOUT / tick, tpm20_discard_buffer, sc);
+		sc->owner_tid = uio->uio_td->td_tid;
+	}
 
 	sx_xunlock(&sc->dev_lock);
 	return (result);

Modified: head/sys/dev/tpm/tpm20.h
==============================================================================
--- head/sys/dev/tpm/tpm20.h	Tue Apr 16 02:12:38 2019	(r346258)
+++ head/sys/dev/tpm/tpm20.h	Tue Apr 16 02:28:35 2019	(r346259)
@@ -120,6 +120,7 @@ struct tpm_sc {
 
 	uint8_t 	*buf;
 	size_t		pending_data_length;
+	lwpid_t		owner_tid;
 
 	struct callout 	discard_buffer_callout;
 #ifdef TPM_HARVEST

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201904160228.x3G2SZIg057157>