From owner-svn-src-all@freebsd.org  Tue Apr 16 02:28:36 2019
Return-Path: <owner-svn-src-all@freebsd.org>
Delivered-To: svn-src-all@mailman.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
 by mailman.ysv.freebsd.org (Postfix) with ESMTP id C43BF158498F;
 Tue, 16 Apr 2019 02:28:36 +0000 (UTC) (envelope-from mw@FreeBSD.org)
Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org
 [IPv6:2610:1c1:1:606c::19:3])
 (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
 server-signature RSA-PSS (4096 bits)
 client-signature RSA-PSS (4096 bits) client-digest SHA256)
 (Client CN "mxrelay.nyi.freebsd.org",
 Issuer "Let's Encrypt Authority X3" (verified OK))
 by mx1.freebsd.org (Postfix) with ESMTPS id 6C6696E033;
 Tue, 16 Apr 2019 02:28:36 +0000 (UTC) (envelope-from mw@FreeBSD.org)
Received: from repo.freebsd.org (repo.freebsd.org
 [IPv6:2610:1c1:1:6068::e6a:0])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (Client did not present a certificate)
 by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 484D41918D;
 Tue, 16 Apr 2019 02:28:36 +0000 (UTC) (envelope-from mw@FreeBSD.org)
Received: from repo.freebsd.org ([127.0.1.37])
 by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id x3G2Satd057158;
 Tue, 16 Apr 2019 02:28:36 GMT (envelope-from mw@FreeBSD.org)
Received: (from mw@localhost)
 by repo.freebsd.org (8.15.2/8.15.2/Submit) id x3G2SZIg057157;
 Tue, 16 Apr 2019 02:28:35 GMT (envelope-from mw@FreeBSD.org)
Message-Id: <201904160228.x3G2SZIg057157@repo.freebsd.org>
X-Authentication-Warning: repo.freebsd.org: mw set sender to mw@FreeBSD.org
 using -f
From: Marcin Wojtas <mw@FreeBSD.org>
Date: Tue, 16 Apr 2019 02:28:35 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org,
 svn-src-head@freebsd.org
Subject: svn commit: r346259 - head/sys/dev/tpm
X-SVN-Group: head
X-SVN-Commit-Author: mw
X-SVN-Commit-Paths: head/sys/dev/tpm
X-SVN-Commit-Revision: 346259
X-SVN-Commit-Repository: base
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-Rspamd-Queue-Id: 6C6696E033
X-Spamd-Bar: --
Authentication-Results: mx1.freebsd.org
X-Spamd-Result: default: False [-2.97 / 15.00];
 local_wl_from(0.00)[FreeBSD.org];
 NEURAL_HAM_MEDIUM(-1.00)[-0.999,0];
 NEURAL_HAM_LONG(-1.00)[-1.000,0];
 NEURAL_HAM_SHORT(-0.97)[-0.974,0];
 ASN(0.00)[asn:11403, ipnet:2610:1c1:1::/48, country:US]
X-BeenThere: svn-src-all@freebsd.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "SVN commit messages for the entire src tree \(except for &quot;
 user&quot; and &quot; projects&quot; \)" <svn-src-all.freebsd.org>
List-Unsubscribe: <https://lists.freebsd.org/mailman/options/svn-src-all>,
 <mailto:svn-src-all-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/svn-src-all/>
List-Post: <mailto:svn-src-all@freebsd.org>
List-Help: <mailto:svn-src-all-request@freebsd.org?subject=help>
List-Subscribe: <https://lists.freebsd.org/mailman/listinfo/svn-src-all>,
 <mailto:svn-src-all-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Tue, 16 Apr 2019 02:28:37 -0000

Author: mw
Date: Tue Apr 16 02:28:35 2019
New Revision: 346259
URL: https://svnweb.freebsd.org/changeset/base/346259

Log:
  tpm: Prevent session hijack
  
  Check caller thread id before allowing to read the buffer
  to make sure that it can only be accessed by the thread that
  did the associated write to the TPM.
  
  Submitted by: Kornel Duleba <mindal@semihalf.com>
  Reviewed by: delphij
  Obtained from: Semihalf
  Sponsored by: Stormshield
  Differential Revision: https://reviews.freebsd.org/D19713

Modified:
  head/sys/dev/tpm/tpm20.c
  head/sys/dev/tpm/tpm20.h

Modified: head/sys/dev/tpm/tpm20.c
==============================================================================
--- head/sys/dev/tpm/tpm20.c	Tue Apr 16 02:12:38 2019	(r346258)
+++ head/sys/dev/tpm/tpm20.c	Tue Apr 16 02:28:35 2019	(r346259)
@@ -77,6 +77,10 @@ tpm20_read(struct cdev *dev, struct uio *uio, int flag
 
 	callout_stop(&sc->discard_buffer_callout);
 	sx_xlock(&sc->dev_lock);
+	if (sc->owner_tid != uio->uio_td->td_tid) {
+		sx_xunlock(&sc->dev_lock);
+		return (EPERM);
+	}
 
 	bytes_to_transfer = MIN(sc->pending_data_length, uio->uio_resid);
 	if (bytes_to_transfer > 0) {
@@ -128,9 +132,11 @@ tpm20_write(struct cdev *dev, struct uio *uio, int fla
 
 	result = sc->transmit(sc, byte_count);
 
-	if (result == 0)
+	if (result == 0) {
 		callout_reset(&sc->discard_buffer_callout,
 		    TPM_READ_TIMEOUT / tick, tpm20_discard_buffer, sc);
+		sc->owner_tid = uio->uio_td->td_tid;
+	}
 
 	sx_xunlock(&sc->dev_lock);
 	return (result);

Modified: head/sys/dev/tpm/tpm20.h
==============================================================================
--- head/sys/dev/tpm/tpm20.h	Tue Apr 16 02:12:38 2019	(r346258)
+++ head/sys/dev/tpm/tpm20.h	Tue Apr 16 02:28:35 2019	(r346259)
@@ -120,6 +120,7 @@ struct tpm_sc {
 
 	uint8_t 	*buf;
 	size_t		pending_data_length;
+	lwpid_t		owner_tid;
 
 	struct callout 	discard_buffer_callout;
 #ifdef TPM_HARVEST