svn commit: r346259 - head/sys/dev/tpm

Conrad Meyer cem at freebsd.org
Tue Sep 3 14:07:04 UTC 2019 

Hi Marcin,

Isn't this check racy?  Thread TIDs are allocated from a fixed range
and can be recycled.

Best,
Conrad

On Mon, Apr 15, 2019 at 7:28 PM Marcin Wojtas <mw at freebsd.org> wrote:
>
> Author: mw
> Date: Tue Apr 16 02:28:35 2019
> New Revision: 346259
> URL: https://svnweb.freebsd.org/changeset/base/346259
>
> Log:
>   tpm: Prevent session hijack
>
>   Check caller thread id before allowing to read the buffer
>   to make sure that it can only be accessed by the thread that
>   did the associated write to the TPM.
>
>   Submitted by: Kornel Duleba <mindal at semihalf.com>
>   Reviewed by: delphij
>   Obtained from: Semihalf
>   Sponsored by: Stormshield
>   Differential Revision: https://reviews.freebsd.org/D19713
>
> Modified:
>   head/sys/dev/tpm/tpm20.c
>   head/sys/dev/tpm/tpm20.h
>
> Modified: head/sys/dev/tpm/tpm20.c
> ==============================================================================
> --- head/sys/dev/tpm/tpm20.c    Tue Apr 16 02:12:38 2019        (r346258)
> +++ head/sys/dev/tpm/tpm20.c    Tue Apr 16 02:28:35 2019        (r346259)
> @@ -77,6 +77,10 @@ tpm20_read(struct cdev *dev, struct uio *uio, int flag
>
>         callout_stop(&sc->discard_buffer_callout);
>         sx_xlock(&sc->dev_lock);
> +       if (sc->owner_tid != uio->uio_td->td_tid) {
> +               sx_xunlock(&sc->dev_lock);
> +               return (EPERM);
> +       }
>
>         bytes_to_transfer = MIN(sc->pending_data_length, uio->uio_resid);
>         if (bytes_to_transfer > 0) {
> @@ -128,9 +132,11 @@ tpm20_write(struct cdev *dev, struct uio *uio, int fla
>
>         result = sc->transmit(sc, byte_count);
>
> -       if (result == 0)
> +       if (result == 0) {
>                 callout_reset(&sc->discard_buffer_callout,
>                     TPM_READ_TIMEOUT / tick, tpm20_discard_buffer, sc);
> +               sc->owner_tid = uio->uio_td->td_tid;
> +       }
>
>         sx_xunlock(&sc->dev_lock);
>         return (result);
>
> Modified: head/sys/dev/tpm/tpm20.h
> ==============================================================================
> --- head/sys/dev/tpm/tpm20.h    Tue Apr 16 02:12:38 2019        (r346258)
> +++ head/sys/dev/tpm/tpm20.h    Tue Apr 16 02:28:35 2019        (r346259)
> @@ -120,6 +120,7 @@ struct tpm_sc {
>
>         uint8_t         *buf;
>         size_t          pending_data_length;
> +       lwpid_t         owner_tid;
>
>         struct callout  discard_buffer_callout;
>  #ifdef TPM_HARVEST
>

More information about the svn-src-head mailing list