Date: Tue, 03 Sep 2019 14:07:04 -0000 From: Conrad Meyer <cem@freebsd.org> To: Marcin Wojtas <mw@freebsd.org> Cc: src-committers <src-committers@freebsd.org>, svn-src-all <svn-src-all@freebsd.org>, svn-src-head <svn-src-head@freebsd.org> Subject: Re: svn commit: r346259 - head/sys/dev/tpm Message-ID: <CAG6CVpXPFhZU0SHXqKBS1S93S8EqYvTKH-fX%2Bvo-_A=b1taFiQ@mail.gmail.com> In-Reply-To: <201904160228.x3G2SZIg057157@repo.freebsd.org> References: <201904160228.x3G2SZIg057157@repo.freebsd.org>
next in thread | previous in thread | raw e-mail | index | archive | help
Hi Marcin, Isn't this check racy? Thread TIDs are allocated from a fixed range and can be recycled. Best, Conrad On Mon, Apr 15, 2019 at 7:28 PM Marcin Wojtas <mw@freebsd.org> wrote: > > Author: mw > Date: Tue Apr 16 02:28:35 2019 > New Revision: 346259 > URL: https://svnweb.freebsd.org/changeset/base/346259 > > Log: > tpm: Prevent session hijack > > Check caller thread id before allowing to read the buffer > to make sure that it can only be accessed by the thread that > did the associated write to the TPM. > > Submitted by: Kornel Duleba <mindal@semihalf.com> > Reviewed by: delphij > Obtained from: Semihalf > Sponsored by: Stormshield > Differential Revision: https://reviews.freebsd.org/D19713 > > Modified: > head/sys/dev/tpm/tpm20.c > head/sys/dev/tpm/tpm20.h > > Modified: head/sys/dev/tpm/tpm20.c > ============================================================================== > --- head/sys/dev/tpm/tpm20.c Tue Apr 16 02:12:38 2019 (r346258) > +++ head/sys/dev/tpm/tpm20.c Tue Apr 16 02:28:35 2019 (r346259) > @@ -77,6 +77,10 @@ tpm20_read(struct cdev *dev, struct uio *uio, int flag > > callout_stop(&sc->discard_buffer_callout); > sx_xlock(&sc->dev_lock); > + if (sc->owner_tid != uio->uio_td->td_tid) { > + sx_xunlock(&sc->dev_lock); > + return (EPERM); > + } > > bytes_to_transfer = MIN(sc->pending_data_length, uio->uio_resid); > if (bytes_to_transfer > 0) { > @@ -128,9 +132,11 @@ tpm20_write(struct cdev *dev, struct uio *uio, int fla > > result = sc->transmit(sc, byte_count); > > - if (result == 0) > + if (result == 0) { > callout_reset(&sc->discard_buffer_callout, > TPM_READ_TIMEOUT / tick, tpm20_discard_buffer, sc); > + sc->owner_tid = uio->uio_td->td_tid; > + } > > sx_xunlock(&sc->dev_lock); > return (result); > > Modified: head/sys/dev/tpm/tpm20.h > ============================================================================== > --- head/sys/dev/tpm/tpm20.h Tue Apr 16 02:12:38 2019 (r346258) > +++ head/sys/dev/tpm/tpm20.h Tue Apr 16 02:28:35 2019 (r346259) > @@ -120,6 +120,7 @@ struct tpm_sc { > > uint8_t *buf; > size_t pending_data_length; > + lwpid_t owner_tid; > > struct callout discard_buffer_callout; > #ifdef TPM_HARVEST >
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?CAG6CVpXPFhZU0SHXqKBS1S93S8EqYvTKH-fX%2Bvo-_A=b1taFiQ>