Hi
On Tue, Nov 20, 2018 at 11:24 AM P J P <ppan...@redhat.com> wrote:
>
> From: Prasad J Pandit <p...@fedoraproject.org>
>
> While performing mmio device r/w operations, guest could set 'addr'
> parameter such that 'locty' index exceeds TPM_TIS_NUM_LOCALITIES=5
> after setting new 'locty' via 'tpm_tis_new_active_locality'.
> Add check to avoid OOB access.
>
> Reported-by: Cheng Feng <ps...@huawei.com>
> Signed-off-by: Prasad J Pandit <p...@fedoraproject.org>
> ---
> hw/tpm/tpm_tis.c | 5 ++++-
> 1 file changed, 4 insertions(+), 1 deletion(-)
>
> Update: add assert() calls
> -> https://lists.gnu.org/archive/html/qemu-devel/2018-11/msg00912.html
>
> diff --git a/hw/tpm/tpm_tis.c b/hw/tpm/tpm_tis.c
> index 12f5c9a759..d6bf3ceb26 100644
> --- a/hw/tpm/tpm_tis.c
> +++ b/hw/tpm/tpm_tis.c
> @@ -293,6 +293,7 @@ static void tpm_tis_request_completed(TPMIf *ti, int ret)
> uint8_t locty = s->cmd.locty;
> uint8_t l;
>
> + assert(TPM_TIS_IS_VALID_LOCTY(locty));
> if (s->cmd.selftest_done) {
> for (l = 0; l < TPM_TIS_NUM_LOCALITIES; l++) {
> s->loc[locty].sts |= TPM_TIS_STS_SELFTEST_DONE;
> @@ -401,6 +402,7 @@ static uint64_t tpm_tis_mmio_read(void *opaque, hwaddr
> addr,
> uint32_t avail;
> uint8_t v;
>
> + assert(TPM_TIS_IS_VALID_LOCTY(locty));
This is probably not really helping,
Right after tpm_tis_locality_from_addr() you can expect IS_VALID_LOCTY
> if (tpm_backend_had_startup_error(s->be_driver)) {
> return 0;
> }
> @@ -523,6 +525,7 @@ static void tpm_tis_mmio_write(void *opaque, hwaddr addr,
> uint16_t len;
> uint32_t mask = (size == 1) ? 0xff : ((size == 2) ? 0xffff : ~0);
>
> + assert(TPM_TIS_IS_VALID_LOCTY(locty));
> trace_tpm_tis_mmio_write(size, addr, val);
>
> if (locty == 4) {
> @@ -642,7 +645,7 @@ static void tpm_tis_mmio_write(void *opaque, hwaddr addr,
> }
> }
>
> - if (set_new_locty) {
> + if (set_new_locty && TPM_TIS_IS_VALID_LOCTY(active_locty)) {
> tpm_tis_new_active_locality(s, active_locty);
> }
>
tpm_tis_new_active_locality() has explicit code handling for !IS_VALID_LOCTY.
> --
> 2.17.2
>
--
Marc-André Lureau
