linux-efi.vger.kernel.org archive mirror
From: Chris Coulson <chris.coulson@canonical.com>
To: linux-integrity@vger.kernel.org
Cc: Chris Coulson <chris.coulson@canonical.com>,
	linux-efi@vger.kernel.org, Peter Huewe <peterhuewe@gmx.de>,
	Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>,
	Jason Gunthorpe <jgg@ziepe.ca>,
	Matthew Garrett <mjg59@google.com>,
	Bartosz Szczepanek <bsz@semihalf.com>,
	Roberto Sassu <roberto.sassu@huawei.com>,
	Ard Biesheuvel <ard.biesheuvel@linaro.org>,
	linux-kernel@vger.kernel.org
Subject: [PATCH 1/1] tpm: Don't dereference event after it's unmapped in __calc_tpm2_event_size
Date: Wed,  5 Jun 2019 00:04:33 +0100
Message-ID: <20190604230433.20936-2-chris.coulson@canonical.com>
In-Reply-To: <20190604230433.20936-1-chris.coulson@canonical.com>

The pointer to the event header is dereferenced on each loop iteration in
order to obtain the digest count, but when called from
tpm2_calc_event_log_size, the event header is unmapped on the first
iteration of the loop. This results in an invalid access on subsequent
loop iterations for log entries that have more than one digest.

Signed-off-by: Chris Coulson <chris.coulson@canonical.com>
---
 include/linux/tpm_eventlog.h | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/include/linux/tpm_eventlog.h b/include/linux/tpm_eventlog.h
index 63238c84dc0b..7b76abbff7d8 100644
--- a/include/linux/tpm_eventlog.h
+++ b/include/linux/tpm_eventlog.h
@@ -165,6 +165,7 @@ static inline int __calc_tpm2_event_size(struct tcg_pcr_event2_head *event,
 	int mapping_size;
 	void *marker;
 	void *marker_start;
+	u32 count;
 	u32 halg_size;
 	size_t size;
 	u16 halg;
@@ -190,16 +191,17 @@ static inline int __calc_tpm2_event_size(struct tcg_pcr_event2_head *event,
 	}
 
 	event = (struct tcg_pcr_event2_head *)mapping;
+	count = event->count;
 
 	efispecid = (struct tcg_efi_specid_event_head *)event_header->event;
 
 	/* Check if event is malformed. */
-	if (event->count > efispecid->num_algs) {
+	if (count > efispecid->num_algs) {
 		size = 0;
 		goto out;
 	}
 
-	for (i = 0; i < event->count; i++) {
+	for (i = 0; i < count; i++) {
 		halg_size = sizeof(event->digests[i].alg_id);
 
 		/* Map the digest's algorithm identifier */
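Review bot: the new "count = event->count;" assignment has no comment saying why the value is cached, so a later cleanup could easily fold it back into "event->count" and reintroduce the access to an unmapped header that the commit message describes. A one-line comment above the assignment, noting that the mapping behind event may be torn down inside the loop, would protect it. The remaining "sizeof(event->digests[i].alg_id)" in the loop body is an unevaluated operand and does not touch the mapping, but it reads like a dereference of the same pointer; since halg is already declared as u16 in this function, "sizeof(halg)" may be clearer if it has the same type as alg_id.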
-- 
2.17.1

