xen-devel.lists.xenproject.org archive mirror
 help / color / mirror / Atom feed
From: "Daniel P. Smith" <dpsmith@apertussolutions.com>
To: Jason Andryuk <jandryuk@gmail.com>, xen-devel@lists.xenproject.org
Cc: Daniel De Graaf <dgdegra@tycho.nsa.gov>,
	Quan Xu <quan.xu0@gmail.com>,
	Samuel Thibault <samuel.thibault@ens-lyon.org>
Subject: Re: [PATCH v2 12/13] vtpmmgr: Check req_len before unpacking command
Date: Mon, 10 May 2021 09:32:46 -0400	[thread overview]
Message-ID: <409ecf34-8f6b-4d12-4455-ef7fc1af4f75@apertussolutions.com> (raw)
In-Reply-To: <20210506135923.161427-13-jandryuk@gmail.com>

On 5/6/21 9:59 AM, Jason Andryuk wrote:
> vtpm_handle_cmd doesn't ensure there is enough space before unpacking
> the req buffer.  Add a minimum size check.  Called functions will have
> to do their own checking if they need more data from the request.
> 
> The error case is tricky since abort_egress wants to rely with a
> corresponding tag.  Just hardcode TPM_TAG_RQU_COMMAND since the vtpm is
> sending in malformed commands in the first place.
> 
> Signed-off-by: Jason Andryuk <jandryuk@gmail.com>
> ---

Reviewed-by: Daniel P. Smith <dpsmith@apertussolutions.com>

>  stubdom/vtpmmgr/vtpm_cmd_handler.c | 6 ++++++
>  1 file changed, 6 insertions(+)
> 
> diff --git a/stubdom/vtpmmgr/vtpm_cmd_handler.c b/stubdom/vtpmmgr/vtpm_cmd_handler.c
> index c879b24c13..5586be6997 100644
> --- a/stubdom/vtpmmgr/vtpm_cmd_handler.c
> +++ b/stubdom/vtpmmgr/vtpm_cmd_handler.c
> @@ -840,6 +840,12 @@ TPM_RESULT vtpmmgr_handle_cmd(
>  	UINT32 size;
>  	TPM_COMMAND_CODE ord;
>  
> +	if (tpmcmd->req_len < sizeof_TPM_RQU_HEADER(tpmcmd->req)) {
> +		status = TPM_BAD_PARAMETER;
> +		tag = TPM_TAG_RQU_COMMAND;
> +		goto abort_egress;
> +	}
> +
>  	unpack_TPM_RQU_HEADER(tpmcmd->req,
>  			&tag, &size, &ord);
>  
> 



  parent reply	other threads:[~2021-05-10 13:33 UTC|newest]

Thread overview: 31+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2021-05-06 13:59 [PATCH v2 00/13] vtpmmgr: Some fixes - still incomplete Jason Andryuk
2021-05-06 13:59 ` [PATCH v2 01/13] docs: Warn about incomplete vtpmmgr TPM 2.0 support Jason Andryuk
2021-05-06 13:59 ` [PATCH v2 02/13] vtpmmgr: Print error code to aid debugging Jason Andryuk
2021-05-06 13:59 ` [PATCH v2 03/13] stubom: newlib: Enable C99 formats for %z Jason Andryuk
2021-05-06 13:59 ` [PATCH v2 04/13] vtpmmgr: Allow specifying srk_handle for TPM2 Jason Andryuk
2021-05-06 21:35   ` Samuel Thibault
2021-05-10 11:56   ` Daniel P. Smith
2021-05-06 13:59 ` [PATCH v2 05/13] vtpmmgr: Move vtpmmgr_shutdown Jason Andryuk
2021-05-07 15:48   ` Daniel P. Smith
2021-05-06 13:59 ` [PATCH v2 06/13] vtpmmgr: Flush transient keys on shutdown Jason Andryuk
2021-05-10 12:12   ` Daniel P. Smith
2021-05-06 13:59 ` [PATCH v2 07/13] vtpmmgr: Flush all transient keys Jason Andryuk
2021-05-10 12:19   ` Daniel P. Smith
2021-05-06 13:59 ` [PATCH v2 08/13] vtpmmgr: Shutdown more gracefully Jason Andryuk
2021-05-06 14:04   ` Jason Andryuk
2021-05-10 12:42   ` Daniel P. Smith
2021-05-06 13:59 ` [PATCH v2 09/13] vtpmmgr: Support GetRandom passthrough on TPM 2.0 Jason Andryuk
2021-05-06 21:40   ` Samuel Thibault
2021-05-10 12:51   ` Daniel P. Smith
2021-05-06 13:59 ` [PATCH v2 10/13] vtpmmgr: Remove bogus cast from TPM2_GetRandom Jason Andryuk
2021-05-06 21:41   ` Samuel Thibault
2021-05-10 13:03   ` Daniel P. Smith
2021-05-06 13:59 ` [PATCH v2 11/13] vtpmmgr: Fix owner_auth & srk_auth parsing Jason Andryuk
2021-05-06 21:41   ` Samuel Thibault
2021-05-10 13:18   ` Daniel P. Smith
2021-05-06 13:59 ` [PATCH v2 12/13] vtpmmgr: Check req_len before unpacking command Jason Andryuk
2021-05-06 21:42   ` Samuel Thibault
2021-05-10 13:32   ` Daniel P. Smith [this message]
2021-05-06 13:59 ` [PATCH v2 13/13] vtpm: Correct timeout units and command duration Jason Andryuk
2021-05-06 21:52   ` Samuel Thibault
2021-05-10 13:40   ` Daniel P. Smith

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=409ecf34-8f6b-4d12-4455-ef7fc1af4f75@apertussolutions.com \
    --to=dpsmith@apertussolutions.com \
    --cc=dgdegra@tycho.nsa.gov \
    --cc=jandryuk@gmail.com \
    --cc=quan.xu0@gmail.com \
    --cc=samuel.thibault@ens-lyon.org \
    --cc=xen-devel@lists.xenproject.org \
    --subject='Re: [PATCH v2 12/13] vtpmmgr: Check req_len before unpacking command' \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).