From owner-svn-src-all@freebsd.org  Tue Apr 16 15:31:35 2019
Return-Path: <owner-svn-src-all@freebsd.org>
Delivered-To: svn-src-all@mailman.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
 by mailman.ysv.freebsd.org (Postfix) with ESMTP id 47FD01575B8F;
 Tue, 16 Apr 2019 15:31:35 +0000 (UTC)
 (envelope-from cse.cem@gmail.com)
Received: from mail-it1-f172.google.com (mail-it1-f172.google.com
 [209.85.166.172])
 (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
 (Client CN "smtp.gmail.com", Issuer "GTS CA 1O1" (verified OK))
 by mx1.freebsd.org (Postfix) with ESMTPS id DD6A16A760;
 Tue, 16 Apr 2019 15:31:34 +0000 (UTC)
 (envelope-from cse.cem@gmail.com)
Received: by mail-it1-f172.google.com with SMTP id x132so33678448itf.2;
 Tue, 16 Apr 2019 08:31:34 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20161025;
 h=x-gm-message-state:mime-version:references:in-reply-to:reply-to
 :from:date:message-id:subject:to:cc;
 bh=4sbyXwolrkHUV7cTHS3f1Y+K3pIcvwA6A8om3rlYO9s=;
 b=gehsSA5KYyDY06l83HIEO+Wug+yEsR1rzKd8oTHX7cNIKeJKSPm0ipReJ6KTu7TyBe
 XymzfLuk9Y3PHWtpkZMcu4auGHCav05hdGlexCbDab0ENDPYNWvFskT3+LpRQ44yJ27c
 ky0x9i/PJqCAy3PxsJxxyoq+SPBAaGK+lV8EWJ6pCUiX/2c3TqayVZfqVSONjsaVJVtn
 WQrW4ebFqyJMN/mvl7HYBNU16h72mswsO+ug4X4I9g5W69lEPB0V+mwYX7CC/0QUBqw5
 XkQQEE/VWTsbvGscVkkQ0NCmaSErt3tQCLg/iFP40yxt1bhD9V+kJzn48+afKj3/hs4d
 do9A==
X-Gm-Message-State: APjAAAVQ4p0TMuqMWymKlMqBmNLKMq2aEj4ravWCv2HrrrtPbJcnmE3G
 AKXdImGCwenKYesmHdhHAybBuo+m
X-Google-Smtp-Source: APXvYqzWqnkP3wAkMMlBCDd2UzLMI2o66rlAV8m7IBAg9l983ouUtR6BFQ6Tza6+mMp9ccJxsgNHmg==
X-Received: by 2002:a24:4e05:: with SMTP id r5mr29305996ita.63.1555428693722; 
 Tue, 16 Apr 2019 08:31:33 -0700 (PDT)
Received: from mail-it1-f176.google.com (mail-it1-f176.google.com.
 [209.85.166.176])
 by smtp.gmail.com with ESMTPSA id k18sm19741523iob.60.2019.04.16.08.31.33
 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
 Tue, 16 Apr 2019 08:31:33 -0700 (PDT)
Received: by mail-it1-f176.google.com with SMTP id s3so18945116itk.1;
 Tue, 16 Apr 2019 08:31:33 -0700 (PDT)
X-Received: by 2002:a02:a399:: with SMTP id y25mr58476299jak.58.1555428693409; 
 Tue, 16 Apr 2019 08:31:33 -0700 (PDT)
MIME-Version: 1.0
References: <201904160228.x3G2SZIg057157@repo.freebsd.org>
In-Reply-To: <201904160228.x3G2SZIg057157@repo.freebsd.org>
Reply-To: cem@freebsd.org
From: Conrad Meyer <cem@freebsd.org>
Date: Tue, 16 Apr 2019 08:31:22 -0700
X-Gmail-Original-Message-ID: <CAG6CVpXPFhZU0SHXqKBS1S93S8EqYvTKH-fX+vo-_A=b1taFiQ@mail.gmail.com>
Message-ID: <CAG6CVpXPFhZU0SHXqKBS1S93S8EqYvTKH-fX+vo-_A=b1taFiQ@mail.gmail.com>
Subject: Re: svn commit: r346259 - head/sys/dev/tpm
To: Marcin Wojtas <mw@freebsd.org>
Cc: src-committers <src-committers@freebsd.org>,
 svn-src-all <svn-src-all@freebsd.org>, 
 svn-src-head <svn-src-head@freebsd.org>
Content-Type: text/plain; charset="UTF-8"
X-Rspamd-Queue-Id: DD6A16A760
X-Spamd-Bar: ------
Authentication-Results: mx1.freebsd.org
X-Spamd-Result: default: False [-6.99 / 15.00];
 NEURAL_HAM_MEDIUM(-1.00)[-1.000,0];
 NEURAL_HAM_SHORT(-0.99)[-0.990,0]; REPLY(-4.00)[];
 TAGGED_FROM(0.00)[]; NEURAL_HAM_LONG(-1.00)[-1.000,0]
X-BeenThere: svn-src-all@freebsd.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "SVN commit messages for the entire src tree \(except for &quot;
 user&quot; and &quot; projects&quot; \)" <svn-src-all.freebsd.org>
List-Unsubscribe: <https://lists.freebsd.org/mailman/options/svn-src-all>,
 <mailto:svn-src-all-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/svn-src-all/>
List-Post: <mailto:svn-src-all@freebsd.org>
List-Help: <mailto:svn-src-all-request@freebsd.org?subject=help>
List-Subscribe: <https://lists.freebsd.org/mailman/listinfo/svn-src-all>,
 <mailto:svn-src-all-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Tue, 16 Apr 2019 15:31:35 -0000

Hi Marcin,

Isn't this check racy?  Thread TIDs are allocated from a fixed range
and can be recycled.

Best,
Conrad

On Mon, Apr 15, 2019 at 7:28 PM Marcin Wojtas <mw@freebsd.org> wrote:
>
> Author: mw
> Date: Tue Apr 16 02:28:35 2019
> New Revision: 346259
> URL: https://svnweb.freebsd.org/changeset/base/346259
>
> Log:
>   tpm: Prevent session hijack
>
>   Check caller thread id before allowing to read the buffer
>   to make sure that it can only be accessed by the thread that
>   did the associated write to the TPM.
>
>   Submitted by: Kornel Duleba <mindal@semihalf.com>
>   Reviewed by: delphij
>   Obtained from: Semihalf
>   Sponsored by: Stormshield
>   Differential Revision: https://reviews.freebsd.org/D19713
>
> Modified:
>   head/sys/dev/tpm/tpm20.c
>   head/sys/dev/tpm/tpm20.h
>
> Modified: head/sys/dev/tpm/tpm20.c
> ==============================================================================
> --- head/sys/dev/tpm/tpm20.c    Tue Apr 16 02:12:38 2019        (r346258)
> +++ head/sys/dev/tpm/tpm20.c    Tue Apr 16 02:28:35 2019        (r346259)
> @@ -77,6 +77,10 @@ tpm20_read(struct cdev *dev, struct uio *uio, int flag
>
>         callout_stop(&sc->discard_buffer_callout);
>         sx_xlock(&sc->dev_lock);
> +       if (sc->owner_tid != uio->uio_td->td_tid) {
> +               sx_xunlock(&sc->dev_lock);
> +               return (EPERM);
> +       }
>
>         bytes_to_transfer = MIN(sc->pending_data_length, uio->uio_resid);
>         if (bytes_to_transfer > 0) {
> @@ -128,9 +132,11 @@ tpm20_write(struct cdev *dev, struct uio *uio, int fla
>
>         result = sc->transmit(sc, byte_count);
>
> -       if (result == 0)
> +       if (result == 0) {
>                 callout_reset(&sc->discard_buffer_callout,
>                     TPM_READ_TIMEOUT / tick, tpm20_discard_buffer, sc);
> +               sc->owner_tid = uio->uio_td->td_tid;
> +       }
>
>         sx_xunlock(&sc->dev_lock);
>         return (result);
>
> Modified: head/sys/dev/tpm/tpm20.h
> ==============================================================================
> --- head/sys/dev/tpm/tpm20.h    Tue Apr 16 02:12:38 2019        (r346258)
> +++ head/sys/dev/tpm/tpm20.h    Tue Apr 16 02:28:35 2019        (r346259)
> @@ -120,6 +120,7 @@ struct tpm_sc {
>
>         uint8_t         *buf;
>         size_t          pending_data_length;
> +       lwpid_t         owner_tid;
>
>         struct callout  discard_buffer_callout;
>  #ifdef TPM_HARVEST
>