* [PATCH 0/3] Fixes for v4.4-rc1
From: Jarkko Sakkinen @ 2015-11-05 10:20 UTC (permalink / raw)
  To: Peter Huewe, Marcel Selhorst
  Cc: Mimi Zohar, Jarkko Sakkinen, Jason Gunthorpe, open list,
	moderated list:TPM DEVICE DRIVER

Critical bug fixes for v4.4-rc1.

Christophe JAILLET (1):
  TPM: Avoid reference to potentially freed memory

Jarkko Sakkinen (2):
  TPM: revert the list handling logic fixed in 398a1e7
  tpm: fix missing migratable flag in sealing functionality for TPM2

 drivers/char/tpm/tpm-chip.c |  2 +-
 drivers/char/tpm/tpm2-cmd.c | 15 ++++++++++-----
 drivers/char/tpm/tpm_of.c   |  3 ++-
 3 files changed, 13 insertions(+), 7 deletions(-)

-- 
2.5.0



* [PATCH 1/3] TPM: Avoid reference to potentially freed memory
From: Jarkko Sakkinen @ 2015-11-05 10:20 UTC (permalink / raw)
  To: Peter Huewe, Marcel Selhorst
  Cc: Mimi Zohar, Christophe JAILLET, Jarkko Sakkinen, Jason Gunthorpe,
	moderated list:TPM DEVICE DRIVER, open list

From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>

Reference to the 'np' node is dropped before dereferencing the 'sizep' and
'basep' pointers, which could by then point to junk if the node has been
freed.

Refactor code to call 'of_node_put' later.

Fixes: c5df39262dd5 ("drivers/char/tpm: Add securityfs support for event log")
Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
Reviewed-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
---
 drivers/char/tpm/tpm_of.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/drivers/char/tpm/tpm_of.c b/drivers/char/tpm/tpm_of.c
index 1141456..570f30c 100644
--- a/drivers/char/tpm/tpm_of.c
+++ b/drivers/char/tpm/tpm_of.c
@@ -53,17 +53,18 @@ int read_log(struct tpm_bios_log *log)
 		goto cleanup_eio;
 	}
 
-	of_node_put(np);
 	log->bios_event_log = kmalloc(*sizep, GFP_KERNEL);
 	if (!log->bios_event_log) {
 		pr_err("%s: ERROR - Not enough memory for BIOS measurements\n",
 		       __func__);
+		of_node_put(np);
 		return -ENOMEM;
 	}
 
 	log->bios_event_log_end = log->bios_event_log + *sizep;
 
 	memcpy(log->bios_event_log, __va(*basep), *sizep);
+	of_node_put(np);
 
 	return 0;
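Review bot: The of_node_put(np) is now deferred until after *sizep and *basep have been consumed, which closes the window in which the property data could be freed out from under the reads, but the hunk leaves two separate put sites (before `return -ENOMEM;` and after the memcpy). A single cleanup label that drops the reference on every exit would be harder to get wrong as further error paths are added; also confirm that the `goto cleanup_eio;` path at the top of the hunk still releases np, since that label lies outside the visible lines.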
 
-- 
2.5.0



* [PATCH 2/3] TPM: revert the list handling logic fixed in 398a1e7
From: Jarkko Sakkinen @ 2015-11-05 10:20 UTC (permalink / raw)
  To: Peter Huewe, Marcel Selhorst
  Cc: Mimi Zohar, Jarkko Sakkinen, Jason Gunthorpe,
	moderated list:TPM DEVICE DRIVER, open list

Mimi reported that afb5abc reverts the fix in 398a1e7. This patch
reverts it back.

Fixes: afb5abc262e9 ("tpm: two-phase chip management functions")
Reported-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
---
 drivers/char/tpm/tpm-chip.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/char/tpm/tpm-chip.c b/drivers/char/tpm/tpm-chip.c
index f26b0ae..a5cdce7 100644
--- a/drivers/char/tpm/tpm-chip.c
+++ b/drivers/char/tpm/tpm-chip.c
@@ -236,7 +236,7 @@ int tpm_chip_register(struct tpm_chip *chip)
 
 	/* Make the chip available. */
 	spin_lock(&driver_lock);
-	list_add_rcu(&chip->list, &tpm_chip_list);
+	list_add_tail_rcu(&chip->list, &tpm_chip_list);
 	spin_unlock(&driver_lock);
 
 	chip->flags |= TPM_CHIP_FLAG_REGISTERED;
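Review bot: The one-line switch from list_add_rcu() to list_add_tail_rcu() restores the earlier ordering, but neither the hunk nor the commit message says what depends on it: appending at the tail keeps tpm_chip_list in registration order, so readers that walk the list meet the first registered chip first, whereas head insertion reverses that. Stating that user-visible effect, and what broke when afb5abc switched to head insertion, in the commit message would make the Fixes: tag self-explanatory for anyone bisecting later.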
-- 
2.5.0



* [PATCH 3/3] tpm: fix missing migratable flag in sealing functionality for TPM2
From: Jarkko Sakkinen @ 2015-11-05 10:20 UTC (permalink / raw)
  To: Peter Huewe, Marcel Selhorst
  Cc: Mimi Zohar, Jarkko Sakkinen, Jason Gunthorpe,
	moderated list:TPM DEVICE DRIVER, open list

The 'migratable' flag was not added to the key payload. This patch
fixes the problem.

Fixes: 0fe5480303a1 ("keys, trusted: seal/unseal with TPM 2.0 chips")
Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
---
 drivers/char/tpm/tpm2-cmd.c | 15 ++++++++++-----
 1 file changed, 10 insertions(+), 5 deletions(-)

diff --git a/drivers/char/tpm/tpm2-cmd.c b/drivers/char/tpm/tpm2-cmd.c
index bd7039f..c121304 100644
--- a/drivers/char/tpm/tpm2-cmd.c
+++ b/drivers/char/tpm/tpm2-cmd.c
@@ -443,12 +443,13 @@ int tpm2_seal_trusted(struct tpm_chip *chip,
 			     TPM_DIGEST_SIZE);
 
 	/* sensitive */
-	tpm_buf_append_u16(&buf, 4 + TPM_DIGEST_SIZE + payload->key_len);
+	tpm_buf_append_u16(&buf, 4 + TPM_DIGEST_SIZE + payload->key_len + 1);
 
 	tpm_buf_append_u16(&buf, TPM_DIGEST_SIZE);
 	tpm_buf_append(&buf, options->blobauth, TPM_DIGEST_SIZE);
-	tpm_buf_append_u16(&buf, payload->key_len);
+	tpm_buf_append_u16(&buf, payload->key_len + 1);
 	tpm_buf_append(&buf, payload->key, payload->key_len);
+	tpm_buf_append_u8(&buf, payload->migratable);
 
 	/* public */
 	tpm_buf_append_u16(&buf, 14);
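Review bot: Appending payload->migratable as one trailing byte changes the sealed format: the sensitive data is now key_len + 1 bytes, and both the inner TPM2B length and the outer size (4 + TPM_DIGEST_SIZE + key_len + 1) are updated consistently, which is correct. The point to check is the upper bound enforced on payload->key_len before this code runs (outside the hunk): a key at the previous maximum now yields a sensitive-data field one byte longer, so that limit must account for the extra byte or the TPM will reject the create. Note also that blobs sealed before this change carry no trailing byte, so the new layout is not backwards compatible with keys already sealed on disk.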
@@ -573,6 +574,8 @@ static int tpm2_unseal(struct tpm_chip *chip,
 		       u32 blob_handle)
 {
 	struct tpm_buf buf;
+	u16 data_len;
+	u8 *data;
 	int rc;
 
 	rc = tpm_buf_init(&buf, TPM2_ST_SESSIONS, TPM2_CC_UNSEAL);
@@ -591,11 +594,13 @@ static int tpm2_unseal(struct tpm_chip *chip,
 		rc = -EPERM;
 
 	if (!rc) {
-		payload->key_len = be16_to_cpup(
+		data_len = be16_to_cpup(
 			(__be16 *) &buf.data[TPM_HEADER_SIZE + 4]);
+		data = &buf.data[TPM_HEADER_SIZE + 6];
 
-		memcpy(payload->key, &buf.data[TPM_HEADER_SIZE + 6],
-		       payload->key_len);
+		memcpy(payload->key, data, data_len - 1);
+		payload->key_len = data_len - 1;
+		payload->migratable = data[data_len - 1];
 	}
 
 	tpm_buf_destroy(&buf);
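Review bot: data_len comes straight from the TPM response and is used unchecked: if it is 0, `data_len - 1` becomes negative, so the memcpy is handed a huge length and `data[data_len - 1]` indexes before the buffer; and if it exceeds the size of payload->key plus one, the memcpy overruns payload->key (the old code already lacked that upper-bound check). Suggest rejecting the response unless `data_len >= 1 && data_len - 1 <= sizeof(payload->key)` before the copies, returning an error in that branch. Also, because a blob sealed by the previous code has no trailing flag byte, unsealing it here silently drops the last key byte and reports it as the migratable flag; if old blobs must remain loadable, this needs a format marker or a version check.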
-- 
2.5.0



* Re: [PATCH 3/3] tpm: fix missing migratable flag in sealing functionality for TPM2
From: Jarkko Sakkinen @ 2015-11-09  9:51 UTC (permalink / raw)
  To: Peter Huewe, Marcel Selhorst
  Cc: Mimi Zohar, Jason Gunthorpe, moderated list:TPM DEVICE DRIVER,
	open list, linux-security-module

Hi

Other fixes are ready for the pull request, but for this patch a peer
check might be useful.

I'm anyway sending the pull request with the five pull patches over
here even if I don't get 'Tested-by:':

https://github.com/jsakkine/linux-tpmdd/commits/fixes

I've tested this patch with fTPM and dTPM and it does not have any
side effects on TPM 1.2.

/Jarkko

On Thu, Nov 05, 2015 at 12:20:23PM +0200, Jarkko Sakkinen wrote:
> The 'migratable' flag was not added to the key payload. This patch
> fixes the problem.
> 
> Fixes: 0fe5480303a1 ("keys, trusted: seal/unseal with TPM 2.0 chips")
> Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
> ---
>  drivers/char/tpm/tpm2-cmd.c | 15 ++++++++++-----
>  1 file changed, 10 insertions(+), 5 deletions(-)
> 
> diff --git a/drivers/char/tpm/tpm2-cmd.c b/drivers/char/tpm/tpm2-cmd.c
> index bd7039f..c121304 100644
> --- a/drivers/char/tpm/tpm2-cmd.c
> +++ b/drivers/char/tpm/tpm2-cmd.c
> @@ -443,12 +443,13 @@ int tpm2_seal_trusted(struct tpm_chip *chip,
>  			     TPM_DIGEST_SIZE);
>  
>  	/* sensitive */
> -	tpm_buf_append_u16(&buf, 4 + TPM_DIGEST_SIZE + payload->key_len);
> +	tpm_buf_append_u16(&buf, 4 + TPM_DIGEST_SIZE + payload->key_len + 1);
>  
>  	tpm_buf_append_u16(&buf, TPM_DIGEST_SIZE);
>  	tpm_buf_append(&buf, options->blobauth, TPM_DIGEST_SIZE);
> -	tpm_buf_append_u16(&buf, payload->key_len);
> +	tpm_buf_append_u16(&buf, payload->key_len + 1);
>  	tpm_buf_append(&buf, payload->key, payload->key_len);
> +	tpm_buf_append_u8(&buf, payload->migratable);
>  
>  	/* public */
>  	tpm_buf_append_u16(&buf, 14);
> @@ -573,6 +574,8 @@ static int tpm2_unseal(struct tpm_chip *chip,
>  		       u32 blob_handle)
>  {
>  	struct tpm_buf buf;
> +	u16 data_len;
> +	u8 *data;
>  	int rc;
>  
>  	rc = tpm_buf_init(&buf, TPM2_ST_SESSIONS, TPM2_CC_UNSEAL);
> @@ -591,11 +594,13 @@ static int tpm2_unseal(struct tpm_chip *chip,
>  		rc = -EPERM;
>  
>  	if (!rc) {
> -		payload->key_len = be16_to_cpup(
> +		data_len = be16_to_cpup(
>  			(__be16 *) &buf.data[TPM_HEADER_SIZE + 4]);
> +		data = &buf.data[TPM_HEADER_SIZE + 6];
>  
> -		memcpy(payload->key, &buf.data[TPM_HEADER_SIZE + 6],
> -		       payload->key_len);
> +		memcpy(payload->key, data, data_len - 1);
> +		payload->key_len = data_len - 1;
> +		payload->migratable = data[data_len - 1];
>  	}
>  
>  	tpm_buf_destroy(&buf);
> -- 
> 2.5.0
> 

