mirror/freebsd
1
0
Fork 0
mirror of https://git.FreeBSD.org/src.git synced 2024-12-21 11:13:30 +00:00
Code Issues Releases Activity

tpm: Prevent session hijack

Browse Source 
Check caller thread id before allowing to read the buffer
to make sure that it can only be accessed by the thread that
did the associated write to the TPM.

Submitted by: Kornel Duleba <mindal@semihalf.com>
Reviewed by: delphij
Obtained from: Semihalf
Sponsored by: Stormshield
Differential Revision: https://reviews.freebsd.org/D19713
This commit is contained in:
Marcin Wojtas 2019-04-16 02:28:35 +00:00
parent 814f2cd84c
commit d68a65eabf
Notes: svn2git 2020-12-20 02:59:44 +00:00 
svn path=/head/; revision=346259
2 changed files with 8 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
sys/dev/tpm/tpm20.c
View File

@ -77,6 +77,10 @@ tpm20_read(struct cdev *dev, struct uio *uio, int flags)
callout_stop(&sc->discard_buffer_callout);
sx_xlock(&sc->dev_lock);
if (sc->owner_tid != uio->uio_td->td_tid) {
sx_xunlock(&sc->dev_lock);
return (EPERM);
}
bytes_to_transfer = MIN(sc->pending_data_length, uio->uio_resid);
if (bytes_to_transfer > 0) {
@ -128,9 +132,11 @@ tpm20_write(struct cdev *dev, struct uio *uio, int flags)
result = sc->transmit(sc, byte_count);
if (result == 0)
if (result == 0) {
callout_reset(&sc->discard_buffer_callout,
TPM_READ_TIMEOUT / tick, tpm20_discard_buffer, sc);
sc->owner_tid = uio->uio_td->td_tid;
}
sx_xunlock(&sc->dev_lock);
return (result);

1
sys/dev/tpm/tpm20.h
View File

@ -120,6 +120,7 @@ struct tpm_sc {
uint8_t *buf;
size_t pending_data_length;
lwpid_t owner_tid;
struct callout discard_buffer_callout;
#ifdef TPM_HARVEST