On 01/09/2017 05:59 PM, Jarkko Sakkinen wrote:
> On Mon, Jan 09, 2017 at 01:09:31PM -0500, Stefan Berger wrote:
>> On 01/09/2017 11:05 AM, Jarkko Sakkinen wrote:
>>> On Thu, Jan 05, 2017 at 07:11:24AM -0500, Stefan Berger wrote:
>>>> Check the size of the response before accessing data in
>>>> the response packet. This is to avoid accessing data beyond
>>>> the end of the response.
>>>>
>>>> Signed-off-by: Stefan Berger <[email protected]>
>>> How on earth could this happen if we request only one property?
>> My test program vtpmctrl ( https://github.com/stefanberger/linux-vtpm-tests
>> ) didn't feed the kernel a proper response to a TPM command and that's why
>> this code blew up. We do have a very basic check in the driver and otherwise
>> assume that the TPM is a trusted device responding with an expected
>> response.
> Hmm.... I guess I could add this check but I'll have to probably
> do a similar check at least in one other place in this patch set
> where I grab the metadata for commands.
>
> I guess similar issues will arise as the virtual TPMs get more
> common. For now I think a good guideline is
>
> 1. For new code check that validation for message size is in place.

Before accessing data in the response, make sure we don't access beyond 
the number of bytes returned.

> 2. Fix the old code as you bump into issues.

It doesn't look too bad. I would rebase my current patch on your master 
tree and submit a few small other ones with it. Agreed?

    Stefan

>
> /Jarkko
>
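
The check discussed in this thread, sketched as an added example that is not part of the original messages or of the kernel patch: validate the number of bytes actually received, and the header's own length field, before reading a value out of a TPM response. The helper name `tpm_resp_get_u32` and the sample buffers are hypothetical and constructed for illustration; the only assumption about the wire format is the standard 10-byte TPM response header (tag, length, return code, all big-endian).

```c
#include <stddef.h>
#include <stdint.h>

#define TPM_HEADER_SIZE 10 /* tag (2) + length (4) + return code (4) */

static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Hypothetical helper (not kernel code): read a big-endian u32 at payload
 * offset `off`, given that only `rx_len` bytes were actually received.
 * Returns 0 on success, -1 if the read would leave the received data. */
int tpm_resp_get_u32(const uint8_t *buf, size_t rx_len, size_t off, uint32_t *out)
{
    uint32_t hdr_len;

    if (rx_len < TPM_HEADER_SIZE)
        return -1;                  /* not even a complete header */
    hdr_len = be32(buf + 2);
    if (hdr_len < TPM_HEADER_SIZE || hdr_len > rx_len)
        return -1;                  /* length field disagrees with what arrived */
    /* Subtraction form, so a huge `off` cannot wrap the comparison. */
    if (off > hdr_len - TPM_HEADER_SIZE ||
        hdr_len - TPM_HEADER_SIZE - off < sizeof(uint32_t))
        return -1;                  /* value not fully inside the response */
    *out = be32(buf + TPM_HEADER_SIZE + off);
    return 0;
}

/* Constructed sample: well-formed 14-byte response carrying one 32-bit value. */
const uint8_t sample_ok[] = { 0x80, 0x01, 0x00, 0x00, 0x00, 0x0e, 0x00, 0x00,
                              0x00, 0x00, 0x00, 0x00, 0x01, 0x02 };
/* Constructed sample: header only, no payload behind it. */
const uint8_t sample_short[] = { 0x80, 0x01, 0x00, 0x00, 0x00, 0x0a, 0x00, 0x00,
                                 0x00, 0x00 };
/* Constructed sample: length field claims 14 bytes, only 10 were received. */
const uint8_t sample_lying[] = { 0x80, 0x01, 0x00, 0x00, 0x00, 0x0e, 0x00, 0x00,
                                 0x00, 0x00 };

int main(void)
{
    uint32_t v = 0;
    /* Exit status 0 when the good sample parses and both bad ones are rejected. */
    return (tpm_resp_get_u32(sample_ok, sizeof(sample_ok), 0, &v) == 0 &&
            tpm_resp_get_u32(sample_short, sizeof(sample_short), 0, &v) == -1 &&
            tpm_resp_get_u32(sample_lying, sizeof(sample_lying), 0, &v) == -1) ? 0 : 1;
}
```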


_______________________________________________
tpmdd-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/tpmdd-devel