linux-kernel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: Linus Torvalds <torvalds@linux-foundation.org>
To: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Cc: tomas.winkler@intel.com, Jason Gunthorpe <jgg@ziepe.ca>,
	James Bottomley <James.Bottomley@hansenpartnership.com>,
	linux-integrity@vger.kernel.org,
	linux-security-module@vger.kernel.org,
	Linux List Kernel Mailing <linux-kernel@vger.kernel.org>
Subject: Re: Getting weird TPM error after rebasing my tree to security/next-general
Date: Thu, 31 Jan 2019 10:51:03 -0800	[thread overview]
Message-ID: <CAHk-=wj0pRLS9Z+_LKfiTvnnquGQjOySVuqiObC9sDXp8SCP0A@mail.gmail.com> (raw)
In-Reply-To: <20190131183530.GA27112@linux.intel.com>

On Thu, Jan 31, 2019 at 10:35 AM Jarkko Sakkinen
<jarkko.sakkinen@linux.intel.com> wrote:
>
> OK, so the length of the response is not trashed, but only the error
> code. The attached patch fully fixes the issue.
>
> Here's the header again:
>
> struct tpm_output_header {
>         __be16  tag;
>         __be32  length;
>         __be32  return_code;
> } __packed;
>
> The first to fields *are* read correctly and the last field get 1's
> (thus TPM error -1).

Ok, so this makes sense, even though that patch is (I think) completely wrong.

What happens is that the 32-bit fields are mis-aligned: the "tag" is
obviously properly 16-bit aligned, but then both "length" and
"return_code" are 32-bit fields that are only aligned on a 16-bit
alignment.

What happens is that first you copy the two first fields:

        memcpy_fromio(buf, priv->rsp, 6);

which copies "tag" and "length", but it copies them by reading then as
a 4-byte and then 2-byte value (in that order). So it actually reads
'tag' and 'first two bytes of 'length', and then the second access
reads the last two bytes of 'length'

And it all works, because the accesses are aligned by address of
access, even though they are *not* aligned in the 'struct
tpm_output_header' fields.

But then later on, when you read 'return_code', and do

        memcpy_fromio(&buf[6], &priv->rsp[6], expected - 6);

you now do a 4-byte memcpy at offset 6. So it does a 4-byte access,
bit it's not 4-byte aligned.

Honestly, memcpy() itself shouldn't have worked *either*, but you
lucked out. Gcc doesn't know that it's a 4-byte access, so it actually
calls out to the memcpy() routine. And that one happened to be "rep
movsb" on your machine. And that happened to work.

But it's really not supposed to work, and it really *wouldn't* have
worked if somebody disabled the rep-string functions.

In fact, we have another patch (that isn't applied) that makes even
the memcpy_erms() just call the sw version of memcpy() for short
copies (because "rep movsb" is slow for those cases). That would also
have broken your driver.

               Linus

  reply	other threads:[~2019-01-31 18:51 UTC|newest]

Thread overview: 30+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2019-01-18 14:25 Getting weird TPM error after rebasing my tree to security/next-general Jarkko Sakkinen
2019-01-18 22:09 ` James Bottomley
2019-01-20 16:04   ` Jarkko Sakkinen
2019-01-22  1:02     ` Jarkko Sakkinen
2019-01-22  2:58       ` Jason Gunthorpe
2019-01-22 13:29         ` Jarkko Sakkinen
2019-01-22 18:26           ` Linus Torvalds
2019-01-23 15:36             ` Jarkko Sakkinen
2019-01-23 18:43               ` Linus Torvalds
2019-01-29 13:20                 ` Jarkko Sakkinen
2019-01-31 12:26                   ` Jarkko Sakkinen
2019-01-31 16:04                     ` Jarkko Sakkinen
2019-01-31 17:06                       ` Jarkko Sakkinen
2019-01-31 17:43                         ` Linus Torvalds
2019-01-31 18:47                           ` Jarkko Sakkinen
2019-01-31 18:35                         ` Jarkko Sakkinen
2019-01-31 18:51                           ` Linus Torvalds [this message]
2019-01-31 18:52                             ` Linus Torvalds
2019-01-31 19:10                               ` Linus Torvalds
2019-01-31 19:47                                 ` Winkler, Tomas
2019-02-01  8:12                                   ` Jarkko Sakkinen
2019-01-31 20:07                                 ` Winkler, Tomas
2019-01-31 20:47                                 ` Jarkko Sakkinen
2019-01-31 21:58                                   ` Linus Torvalds
2019-01-31 23:31                                     ` Jerry Snitselaar
2019-02-01 11:40                                       ` Jarkko Sakkinen
2019-01-31 20:45                             ` Jarkko Sakkinen
2019-02-01 18:04                               ` Linus Torvalds
2019-02-04 11:58                                 ` Jarkko Sakkinen
2019-01-23 20:11               ` Jarkko Sakkinen

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to='CAHk-=wj0pRLS9Z+_LKfiTvnnquGQjOySVuqiObC9sDXp8SCP0A@mail.gmail.com' \
    --to=torvalds@linux-foundation.org \
    --cc=James.Bottomley@hansenpartnership.com \
    --cc=jarkko.sakkinen@linux.intel.com \
    --cc=jgg@ziepe.ca \
    --cc=linux-integrity@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-security-module@vger.kernel.org \
    --cc=tomas.winkler@intel.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).