Re: [Qemu-devel] [PATCH v1] tpm: check localities index

Tue, 20 Nov 2018 03:24:56 -0800 

Hi

On Tue, Nov 20, 2018 at 12:02 PM Marc-André Lureau
<marcandre.lur...@gmail.com> wrote:
>
> Hi
>
> On Tue, Nov 20, 2018 at 11:24 AM P J P <ppan...@redhat.com> wrote:
> >
> > From: Prasad J Pandit <p...@fedoraproject.org>
> >
> > While performing mmio device r/w operations, guest could set 'addr'
> > parameter such that 'locty' index exceeds TPM_TIS_NUM_LOCALITIES=5
> > after setting new 'locty' via 'tpm_tis_new_active_locality'.
> > Add check to avoid OOB access.
> >
> > Reported-by: Cheng Feng <ps...@huawei.com>
> > Signed-off-by: Prasad J Pandit <p...@fedoraproject.org>
> > ---
> >  hw/tpm/tpm_tis.c | 5 ++++-
> >  1 file changed, 4 insertions(+), 1 deletion(-)
> >
> > Update: add assert() calls
> >   -> https://lists.gnu.org/archive/html/qemu-devel/2018-11/msg00912.html
> >
> > diff --git a/hw/tpm/tpm_tis.c b/hw/tpm/tpm_tis.c
> > index 12f5c9a759..d6bf3ceb26 100644
> > --- a/hw/tpm/tpm_tis.c
> > +++ b/hw/tpm/tpm_tis.c
> > @@ -293,6 +293,7 @@ static void tpm_tis_request_completed(TPMIf *ti, int 
> > ret)
> >      uint8_t locty = s->cmd.locty;
> >      uint8_t l;
> >
> > +    assert(TPM_TIS_IS_VALID_LOCTY(locty));
> >      if (s->cmd.selftest_done) {
> >          for (l = 0; l < TPM_TIS_NUM_LOCALITIES; l++) {
> >              s->loc[locty].sts |= TPM_TIS_STS_SELFTEST_DONE;
> > @@ -401,6 +402,7 @@ static uint64_t tpm_tis_mmio_read(void *opaque, hwaddr 
> > addr,
> >      uint32_t avail;
> >      uint8_t v;
> >
> > +    assert(TPM_TIS_IS_VALID_LOCTY(locty));
>
> This is probably not really helping,
> Right after tpm_tis_locality_from_addr() you can expect IS_VALID_LOCTY

unless, the mmio memory range is made bigger, (which is unlikely).
But this may be enough to justify the additional assert().

>
>
> >      if (tpm_backend_had_startup_error(s->be_driver)) {
> >          return 0;
> >      }
> > @@ -523,6 +525,7 @@ static void tpm_tis_mmio_write(void *opaque, hwaddr 
> > addr,
> >      uint16_t len;
> >      uint32_t mask = (size == 1) ? 0xff : ((size == 2) ? 0xffff : ~0);
> >
> > +    assert(TPM_TIS_IS_VALID_LOCTY(locty));
> >      trace_tpm_tis_mmio_write(size, addr, val);
> >
> >      if (locty == 4) {
> > @@ -642,7 +645,7 @@ static void tpm_tis_mmio_write(void *opaque, hwaddr 
> > addr,
> >              }
> >          }
> >
> > -        if (set_new_locty) {
> > +        if (set_new_locty && TPM_TIS_IS_VALID_LOCTY(active_locty)) {
> >              tpm_tis_new_active_locality(s, active_locty);
> >          }
> >
>
> tpm_tis_new_active_locality() has explicit code handling for !IS_VALID_LOCTY.
>
> > --
> > 2.17.2
> >
>
>
> --
> Marc-André Lureau



-- 
Marc-André Lureau

Reply via email to