[Top] [All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [PATCH v2 12/13] vtpmmgr: Check req_len before unpacking command

  • To: Jason Andryuk <jandryuk@xxxxxxxxx>, xen-devel@xxxxxxxxxxxxxxxxxxxx
  • From: "Daniel P. Smith" <dpsmith@xxxxxxxxxxxxxxxxxxxx>
  • Date: Mon, 10 May 2021 09:32:46 -0400
  • Arc-authentication-results: i=1; mx.zohomail.com; dkim=pass header.i=apertussolutions.com; spf=pass smtp.mailfrom=dpsmith@xxxxxxxxxxxxxxxxxxxx; dmarc=pass header.from=<dpsmith@xxxxxxxxxxxxxxxxxxxx> header.from=<dpsmith@xxxxxxxxxxxxxxxxxxxx>
  • Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1620653571; h=Content-Type:Content-Transfer-Encoding:Cc:Date:From:In-Reply-To:MIME-Version:Message-ID:References:Subject:To; bh=9xMWfM5tlvBr2xlDpLPODs0gNfrcWEF781IuUBw4OM0=; b=m//DXoZqJKMC7uJ8oztbUM9l1Vo03wvNaOksXZ+7rBFgzw7VsTjuskU3IYnAB9bRMWY1ZzINLluBoiRnm4YRhcrcvnw/R9Xt+9nlhV3ddOKJIcZiUtZRIgslLgYvsReb/GFNKp7ODO77KWqcr/WWRoO9xHbPJwJxfyn8soyYyZ0=
  • Arc-seal: i=1; a=rsa-sha256; t=1620653571; cv=none; d=zohomail.com; s=zohoarc; b=CoY3RmdDdwfHi5Ak7OI9JEemzwHn8NUQf5lXRCIKO/B4IXgqSutKyu0bRAKFfvNKQSgOMy/Rp/uHS8+ixCHcKaExQnxtXmeKu3mgmKkibR14JnSnknKxBwOotNuS3oN5FmjC51qRrEr7M84ll7eZjfHdvE/i/XbrCmzhxuPJfjk=
  • Cc: Daniel De Graaf <dgdegra@xxxxxxxxxxxxx>, Quan Xu <quan.xu0@xxxxxxxxx>, Samuel Thibault <samuel.thibault@xxxxxxxxxxxx>
  • Delivery-date: Mon, 10 May 2021 13:33:03 +0000
  • List-id: Xen developer discussion <xen-devel.lists.xenproject.org>
On 5/6/21 9:59 AM, Jason Andryuk wrote:
> vtpm_handle_cmd doesn't ensure there is enough space before unpacking
> the req buffer.  Add a minimum size check.  Called functions will have
> to do their own checking if they need more data from the request.
> 
> The error case is tricky since abort_egress wants to rely with a
> corresponding tag.  Just hardcode TPM_TAG_RQU_COMMAND since the vtpm is
> sending in malformed commands in the first place.
> 
> Signed-off-by: Jason Andryuk <jandryuk@xxxxxxxxx>
> ---

Reviewed-by: Daniel P. Smith <dpsmith@xxxxxxxxxxxxxxxxxxxx>

>  stubdom/vtpmmgr/vtpm_cmd_handler.c | 6 ++++++
>  1 file changed, 6 insertions(+)
> 
> diff --git a/stubdom/vtpmmgr/vtpm_cmd_handler.c 
> b/stubdom/vtpmmgr/vtpm_cmd_handler.c
> index c879b24c13..5586be6997 100644
> --- a/stubdom/vtpmmgr/vtpm_cmd_handler.c
> +++ b/stubdom/vtpmmgr/vtpm_cmd_handler.c
> @@ -840,6 +840,12 @@ TPM_RESULT vtpmmgr_handle_cmd(
>       UINT32 size;
>       TPM_COMMAND_CODE ord;
>  
> +     if (tpmcmd->req_len < sizeof_TPM_RQU_HEADER(tpmcmd->req)) {
> +             status = TPM_BAD_PARAMETER;
> +             tag = TPM_TAG_RQU_COMMAND;
> +             goto abort_egress;
> +     }
> +
>       unpack_TPM_RQU_HEADER(tpmcmd->req,
>                       &tag, &size, &ord);
>  
>

 

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.

Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.