Ana Sayfa Keşfet Yardım
Giriş Yap
GfA
/
linux_kernel
5
0
Çatalla 0
Dosyalar Sorunlar 0 Değişiklik İstekleri 0 Wiki
Kaynağa Gözat

tpm: vtpm_proxy: Prevent userspace from sending driver command

To prevent userspace from sending the TPM driver command to set
the locality, we need to check every command that is sent from
user space. To distinguish user space commands from internally
sent commands we introduce an additional state flag
STATE_DRIVER_COMMAND that is set while the driver sends this
command. Similar to the TPM 2 space commands we return an error
code when this command is detected.

Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Reviewed-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Stefan Berger 8 yıl önce
ebeveyn
be4c9acfe2
işleme
d8b5d94538
1 değiştirilmiş dosya ile 33 ekleme ve 0 silme
Görünümü Böl Farklılık Durumunu Göster
  1. 33 0
      drivers/char/tpm/tpm_vtpm_proxy.c

+ 33 - 0
drivers/char/tpm/tpm_vtpm_proxy.c
Dosyayı Görüntüle 

@@ -43,6 +43,7 @@ struct proxy_dev {
 
 #define STATE_OPENED_FLAG        BIT(0)
 
 #define STATE_WAIT_RESPONSE_FLAG BIT(1)  /* waiting for emulator response */
 
 #define STATE_REGISTERED_FLAG	 BIT(2)
 
+#define STATE_DRIVER_COMMAND     BIT(3)  /* sending a driver specific command */
 
 
 	size_t req_len;              /* length of queued TPM request */
 
 	size_t resp_len;             /* length of queued TPM response */
 
@@ -299,6 +300,28 @@ out:
 
 	return len;
 
 }
 
 
+static int vtpm_proxy_is_driver_command(struct tpm_chip *chip,
 
+					u8 *buf, size_t count)
 
+{
 
+	struct tpm_input_header *hdr = (struct tpm_input_header *)buf;
 
+
 
+	if (count < sizeof(struct tpm_input_header))
 
+		return 0;
 
+
 
+	if (chip->flags & TPM_CHIP_FLAG_TPM2) {
 
+		switch (be32_to_cpu(hdr->ordinal)) {
 
+		case TPM2_CC_SET_LOCALITY:
 
+			return 1;
 
+		}
 
+	} else {
 
+		switch (be32_to_cpu(hdr->ordinal)) {
 
+		case TPM_ORD_SET_LOCALITY:
 
+			return 1;
 
+		}
 
+	}
 
+	return 0;
 
+}
 
+
 
 /*
 
  * Called when core TPM driver forwards TPM requests to 'server side'.
 
  *
 
@@ -321,6 +344,10 @@ static int vtpm_proxy_tpm_op_send(struct tpm_chip *chip, u8 *buf, size_t count)
 
 		return -EIO;
 
 	}
 
 
+	if (!(proxy_dev->state & STATE_DRIVER_COMMAND) &&
 
+	    vtpm_proxy_is_driver_command(chip, buf, count))
 
+		return -EFAULT;
 
+
 
 	mutex_lock(&proxy_dev->buf_lock);
 
 
 	if (!(proxy_dev->state & STATE_OPENED_FLAG)) {
 
@@ -376,6 +403,7 @@ static int vtpm_proxy_request_locality(struct tpm_chip *chip, int locality)
 
 	struct tpm_buf buf;
 
 	int rc;
 
 	const struct tpm_output_header *header;
 
+	struct proxy_dev *proxy_dev = dev_get_drvdata(&chip->dev);
 
 
 	if (chip->flags & TPM_CHIP_FLAG_TPM2)
 
 		rc = tpm_buf_init(&buf, TPM2_ST_SESSIONS,
 
@@ -387,9 +415,14 @@ static int vtpm_proxy_request_locality(struct tpm_chip *chip, int locality)
 
 		return rc;
 
 	tpm_buf_append_u8(&buf, locality);
 
 
+	proxy_dev->state |= STATE_DRIVER_COMMAND;
 
+
 
 	rc = tpm_transmit_cmd(chip, NULL, buf.data, tpm_buf_length(&buf), 0,
 
 			      TPM_TRANSMIT_UNLOCKED | TPM_TRANSMIT_RAW,
 
 			      "attempting to set locality");
 
+
 
+	proxy_dev->state &= ~STATE_DRIVER_COMMAND;
 
+
 
 	if (rc < 0) {
 
 		locality = rc;
 
 		goto out;