diff options
| author | Kees Cook <keescook@chromium.org> | 2019-04-01 12:06:07 -0700 |
|---|---|---|
| committer | Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com> | 2019-06-24 23:57:49 +0300 |
| commit | 782779b60faa2fc7ff609ac8ef938260fd792c0f (patch) | |
| tree | 56c4d8f22366f244910bd96c4ed6e1b6b553cc7d /include/linux/tpm_eventlog.h | |
| parent | c88e40e07cd967dcdf37321a63ab6e8b0d881100 (diff) | |
tpm: Actually fail on TPM errors during "get random"
A "get random" may fail with a TPM error, but those codes were returned
as-is to the caller, which assumed the result was the number of bytes
that had been written to the target buffer, which could lead to a kernel
heap memory exposure and over-read.
This fixes tpm1_get_random() to mask positive TPM errors into -EIO, as
before.
[ 18.092103] tpm tpm0: A TPM error (379) occurred attempting get random
[ 18.092106] usercopy: Kernel memory exposure attempt detected from SLUB object 'kmalloc-64' (offset 0, size 379)!
Link: https://bugzilla.redhat.com/show_bug.cgi?id=1650989
Reported-by: Phil Baker <baker1tex@gmail.com>
Reported-by: Craig Robson <craig@zhatt.com>
Fixes: 7aee9c52d7ac ("tpm: tpm1: rewrite tpm1_get_random() using tpm_buf structure")
Cc: Laura Abbott <labbott@redhat.com>
Cc: Tomas Winkler <tomas.winkler@intel.com>
Cc: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Cc: stable@vger.kernel.org
Signed-off-by: Kees Cook <keescook@chromium.org>
Reviewed-by: Tomas Winkler <tomas.winkler@intel.com>
Tested-by: Bartosz Szczepanek <bsz@semihalf.com>
Reviewed-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Diffstat (limited to 'include/linux/tpm_eventlog.h')
0 files changed, 0 insertions, 0 deletions