tpm: Prevent session hijack

Check caller thread id before allowing to read the buffer
to make sure that it can only be accessed by the thread that
did the associated write to the TPM.

Submitted by: Kornel Duleba <mindal@semihalf.com>
Reviewed by: delphij
Obtained from: Semihalf
Sponsored by: Stormshield
Differential Revision: https://reviews.freebsd.org/D19713

sys/dev/tpm/tpm20.c

@@ -77,6 +77,10 @@ tpm20_read(struct cdev *dev, struct uio *uio, int flags)
 
 	callout_stop(&sc->discard_buffer_callout);
 	sx_xlock(&sc->dev_lock);
+	if (sc->owner_tid != uio->uio_td->td_tid) {
+		sx_xunlock(&sc->dev_lock);
+		return (EPERM);
+	}
 
 	bytes_to_transfer = MIN(sc->pending_data_length, uio->uio_resid);
 	if (bytes_to_transfer > 0) {
@@ -128,9 +132,11 @@ tpm20_write(struct cdev *dev, struct uio *uio, int flags)
 
 	result = sc->transmit(sc, byte_count);
 
-	if (result == 0)
+	if (result == 0) {
 		callout_reset(&sc->discard_buffer_callout,
 		    TPM_READ_TIMEOUT / tick, tpm20_discard_buffer, sc);
+		sc->owner_tid = uio->uio_td->td_tid;
+	}
 
 	sx_xunlock(&sc->dev_lock);
 	return (result);

sys/dev/tpm/tpm20.h

@@ -120,6 +120,7 @@ struct tpm_sc {
 
 	uint8_t 	*buf;
 	size_t		pending_data_length;
+	lwpid_t		owner_tid;
 
 	struct callout 	discard_buffer_callout;
 #ifdef TPM_HARVEST