svn commit: r346259 - head/sys/dev/tpm

Marcin Wojtas mw at FreeBSD.org
Tue Sep 3 14:06:59 UTC 2019


Author: mw
Date: Tue Apr 16 02:28:35 2019
New Revision: 346259
URL: https://svnweb.freebsd.org/changeset/base/346259

Log:
  tpm: Prevent session hijack
  
  Check caller thread id before allowing to read the buffer
  to make sure that it can only be accessed by the thread that
  did the associated write to the TPM.
  
  Submitted by: Kornel Duleba <mindal at semihalf.com>
  Reviewed by: delphij
  Obtained from: Semihalf
  Sponsored by: Stormshield
  Differential Revision: https://reviews.freebsd.org/D19713

Modified:
  head/sys/dev/tpm/tpm20.c
  head/sys/dev/tpm/tpm20.h

Modified: head/sys/dev/tpm/tpm20.c
==============================================================================
--- head/sys/dev/tpm/tpm20.c	Tue Apr 16 02:12:38 2019	(r346258)
+++ head/sys/dev/tpm/tpm20.c	Tue Apr 16 02:28:35 2019	(r346259)
@@ -77,6 +77,10 @@ tpm20_read(struct cdev *dev, struct uio *uio, int flag
 
 	callout_stop(&sc->discard_buffer_callout);
 	sx_xlock(&sc->dev_lock);
+	if (sc->owner_tid != uio->uio_td->td_tid) {
+		sx_xunlock(&sc->dev_lock);
+		return (EPERM);
+	}
 
 	bytes_to_transfer = MIN(sc->pending_data_length, uio->uio_resid);
 	if (bytes_to_transfer > 0) {
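Review bot: `callout_stop(&sc->discard_buffer_callout);` still runs before the new `owner_tid` check, so a thread that is refused with EPERM has already cancelled the discard timer, and nothing on the visible EPERM path re-arms it. If that is the case, the pending response stays in the buffer until the owning thread reads it or another write occurs, which weakens the timeout that bounds how long TPM output is held. Consider taking `dev_lock` and comparing `sc->owner_tid` first, and calling `callout_stop(&sc->discard_buffer_callout);` only once the caller is known to be the owner, provided the callout's locking allows stopping it with `dev_lock` held. tpm20_read's body starts and continues outside the hunk, so the rest of the read path should be checked against this.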
@@ -128,9 +132,11 @@ tpm20_write(struct cdev *dev, struct uio *uio, int fla
 
 	result = sc->transmit(sc, byte_count);
 
-	if (result == 0)
+	if (result == 0) {
 		callout_reset(&sc->discard_buffer_callout,
 		    TPM_READ_TIMEOUT / tick, tpm20_discard_buffer, sc);
+		sc->owner_tid = uio->uio_td->td_tid;
+	}
 
 	sx_xunlock(&sc->dev_lock);
 	return (result);
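Review bot: `sc->owner_tid = uio->uio_td->td_tid;` binds the response to a thread id rather than to the process or the open file descriptor, and nothing visible in this diff clears `owner_tid` once the response has been read or discarded. A client that writes on one thread and reads on another will now get EPERM. The check is also only as strong as the guarantee that a thread id is not reassigned while a response is pending. A comment on the assignment such as `/* Only the thread that issued the command may read the response. */` would document the contract. Resetting the field wherever `pending_data_length` is zeroed would keep a stale owner from lingering, though those paths are outside this hunk and may already do so. tpm20_write's body starts above the hunk.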

Modified: head/sys/dev/tpm/tpm20.h
==============================================================================
--- head/sys/dev/tpm/tpm20.h	Tue Apr 16 02:12:38 2019	(r346258)
+++ head/sys/dev/tpm/tpm20.h	Tue Apr 16 02:28:35 2019	(r346259)
@@ -120,6 +120,7 @@ struct tpm_sc {
 
 	uint8_t 	*buf;
 	size_t		pending_data_length;
+	lwpid_t		owner_tid;
 
 	struct callout 	discard_buffer_callout;
 #ifdef TPM_HARVEST
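Review bot: The new `owner_tid` field carries no comment on its meaning or its locking, while both accesses added in tpm20.c happen with `dev_lock` held exclusively. A short annotation such as `lwpid_t owner_tid; /* tid of last successful writer, protected by dev_lock */` would make that invariant visible to later callers. It would also help to state what value means "no owner" before the first write, since the initialisation of the softc is not shown here. The struct definition continues outside the hunk.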



