1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
|
From patchwork Wed Sep 25 17:27:05 2019
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Jerry Snitselaar <jsnitsel@redhat.com>
X-Patchwork-Id: 11161161
Return-Path: <SRS0=gTbe=XU=vger.kernel.org=linux-integrity-owner@kernel.org>
Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org
[172.30.200.123])
by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 88B8A1747
for <patchwork-linux-integrity@patchwork.kernel.org>;
Wed, 25 Sep 2019 17:27:13 +0000 (UTC)
Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
by mail.kernel.org (Postfix) with ESMTP id 66F4F217F4
for <patchwork-linux-integrity@patchwork.kernel.org>;
Wed, 25 Sep 2019 17:27:13 +0000 (UTC)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
id S2505171AbfIYR1J (ORCPT
<rfc822;patchwork-linux-integrity@patchwork.kernel.org>);
Wed, 25 Sep 2019 13:27:09 -0400
Received: from mx1.redhat.com ([209.132.183.28]:41496 "EHLO mx1.redhat.com"
rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
id S2505170AbfIYR1J (ORCPT <rfc822;linux-integrity@vger.kernel.org>);
Wed, 25 Sep 2019 13:27:09 -0400
Received: from smtp.corp.redhat.com (int-mx07.intmail.prod.int.phx2.redhat.com
[10.5.11.22])
(using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
(No client certificate requested)
by mx1.redhat.com (Postfix) with ESMTPS id 4CE7C1056FB1;
Wed, 25 Sep 2019 17:27:08 +0000 (UTC)
Received: from cantor.redhat.com (ovpn-117-191.phx2.redhat.com [10.3.117.191])
by smtp.corp.redhat.com (Postfix) with ESMTP id D081B1001B12;
Wed, 25 Sep 2019 17:27:07 +0000 (UTC)
From: Jerry Snitselaar <jsnitsel@redhat.com>
To: linux-efi@vger.kernel.org
Cc: linux-kernel@vger.kernel.org, linux-integrity@vger.kernel.org,
stable@vger.kernel.org, Matthew Garrett <mjg59@google.com>,
Ard Biesheuvel <ard.biesheuvel@linaro.org>,
Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Subject: [PATCH v3] tpm: only set efi_tpm_final_log_size after successful
event log parsing
Date: Wed, 25 Sep 2019 10:27:05 -0700
Message-Id: <20190925172705.17358-1-jsnitsel@redhat.com>
MIME-Version: 1.0
X-Scanned-By: MIMEDefang 2.84 on 10.5.11.22
X-Greylist: Sender IP whitelisted,
not delayed by milter-greylist-4.6.2 (mx1.redhat.com [10.5.110.64]);
Wed, 25 Sep 2019 17:27:08 +0000 (UTC)
Sender: linux-integrity-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-integrity.vger.kernel.org>
X-Mailing-List: linux-integrity@vger.kernel.org
If __calc_tpm2_event_size fails to parse an event it will return 0,
resulting tpm2_calc_event_log_size returning -1. Currently there is
no check of this return value, and efi_tpm_final_log_size can end up
being set to this negative value resulting in a panic like the
the one given below.
Also __calc_tpm2_event_size returns a size of 0 when it fails
to parse an event, so update function documentation to reflect this.
[ 0.774340] BUG: unable to handle page fault for address: ffffbc8fc00866ad
[ 0.774788] #PF: supervisor read access in kernel mode
[ 0.774788] #PF: error_code(0x0000) - not-present page
[ 0.774788] PGD 107d36067 P4D 107d36067 PUD 107d37067 PMD 107d38067 PTE 0
[ 0.774788] Oops: 0000 [#1] SMP PTI
[ 0.774788] CPU: 0 PID: 1 Comm: swapper/0 Not tainted 5.3.0-0.rc2.1.elrdy.x86_64 #1
[ 0.774788] Hardware name: LENOVO 20HGS22D0W/20HGS22D0W, BIOS N1WET51W (1.30 ) 09/14/2018
[ 0.774788] RIP: 0010:memcpy_erms+0x6/0x10
[ 0.774788] Code: 90 90 90 90 eb 1e 0f 1f 00 48 89 f8 48 89 d1 48 c1 e9 03 83 e2 07 f3 48 a5 89 d1 f3 a4 c3 66 0f 1f 44 00 00 48 89 f8 48 89 d1 <f3> a4 c3 0f 1f 80 00 00 00 00 48 89 f8 48 83 fa 20 72 7e 40 38 fe
[ 0.774788] RSP: 0000:ffffbc8fc0073b30 EFLAGS: 00010286
[ 0.774788] RAX: ffff9b1fc7c5b367 RBX: ffff9b1fc8390000 RCX: ffffffffffffe962
[ 0.774788] RDX: ffffffffffffe962 RSI: ffffbc8fc00866ad RDI: ffff9b1fc7c5b367
[ 0.774788] RBP: ffff9b1c10ca7018 R08: ffffbc8fc0085fff R09: 8000000000000063
[ 0.774788] R10: 0000000000001000 R11: 000fffffffe00000 R12: 0000000000003367
[ 0.774788] R13: ffff9b1fcc47c010 R14: ffffbc8fc0085000 R15: 0000000000000002
[ 0.774788] FS: 0000000000000000(0000) GS:ffff9b1fce200000(0000) knlGS:0000000000000000
[ 0.774788] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 0.774788] CR2: ffffbc8fc00866ad CR3: 000000029f60a001 CR4: 00000000003606f0
[ 0.774788] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 0.774788] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 0.774788] Call Trace:
[ 0.774788] tpm_read_log_efi+0x156/0x1a0
[ 0.774788] tpm_bios_log_setup+0xc8/0x190
[ 0.774788] tpm_chip_register+0x50/0x1c0
[ 0.774788] tpm_tis_core_init.cold.9+0x28c/0x466
[ 0.774788] tpm_tis_plat_probe+0xcc/0xea
[ 0.774788] platform_drv_probe+0x35/0x80
[ 0.774788] really_probe+0xef/0x390
[ 0.774788] driver_probe_device+0xb4/0x100
[ 0.774788] device_driver_attach+0x4f/0x60
[ 0.774788] __driver_attach+0x86/0x140
[ 0.774788] ? device_driver_attach+0x60/0x60
[ 0.774788] bus_for_each_dev+0x76/0xc0
[ 0.774788] ? klist_add_tail+0x3b/0x70
[ 0.774788] bus_add_driver+0x14a/0x1e0
[ 0.774788] ? tpm_init+0xea/0xea
[ 0.774788] ? do_early_param+0x8e/0x8e
[ 0.774788] driver_register+0x6b/0xb0
[ 0.774788] ? tpm_init+0xea/0xea
[ 0.774788] init_tis+0x86/0xd8
[ 0.774788] ? do_early_param+0x8e/0x8e
[ 0.774788] ? driver_register+0x94/0xb0
[ 0.774788] do_one_initcall+0x46/0x1e4
[ 0.774788] ? do_early_param+0x8e/0x8e
[ 0.774788] kernel_init_freeable+0x199/0x242
[ 0.774788] ? rest_init+0xaa/0xaa
[ 0.774788] kernel_init+0xa/0x106
[ 0.774788] ret_from_fork+0x35/0x40
[ 0.774788] Modules linked in:
[ 0.774788] CR2: ffffbc8fc00866ad
[ 0.774788] ---[ end trace 42930799f8d6eaea ]---
[ 0.774788] RIP: 0010:memcpy_erms+0x6/0x10
[ 0.774788] Code: 90 90 90 90 eb 1e 0f 1f 00 48 89 f8 48 89 d1 48 c1 e9 03 83 e2 07 f3 48 a5 89 d1 f3 a4 c3 66 0f 1f 44 00 00 48 89 f8 48 89 d1 <f3> a4 c3 0f 1f 80 00 00 00 00 48 89 f8 48 83 fa 20 72 7e 40 38 fe
[ 0.774788] RSP: 0000:ffffbc8fc0073b30 EFLAGS: 00010286
[ 0.774788] RAX: ffff9b1fc7c5b367 RBX: ffff9b1fc8390000 RCX: ffffffffffffe962
[ 0.774788] RDX: ffffffffffffe962 RSI: ffffbc8fc00866ad RDI: ffff9b1fc7c5b367
[ 0.774788] RBP: ffff9b1c10ca7018 R08: ffffbc8fc0085fff R09: 8000000000000063
[ 0.774788] R10: 0000000000001000 R11: 000fffffffe00000 R12: 0000000000003367
[ 0.774788] R13: ffff9b1fcc47c010 R14: ffffbc8fc0085000 R15: 0000000000000002
[ 0.774788] FS: 0000000000000000(0000) GS:ffff9b1fce200000(0000) knlGS:0000000000000000
[ 0.774788] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 0.774788] CR2: ffffbc8fc00866ad CR3: 000000029f60a001 CR4: 00000000003606f0
[ 0.774788] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 0.774788] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 0.774788] Kernel panic - not syncing: Fatal exception
[ 0.774788] Kernel Offset: 0x1d000000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff)
[ 0.774788] ---[ end Kernel panic - not syncing: Fatal exception ]---
The root cause of the issue that caused the failure of event parsing
in this case is resolved by Peter Jone's patchset dealing with large
event logs where crossing over a page boundary causes the page with
the event count to be unmapped.
Fixes: c46f3405692de ("tpm: Reserve the TPM final events table")
Cc: linux-efi@vger.kernel.org
Cc: linux-integrity@vger.kernel.org
Cc: stable@vger.kernel.org
Cc: Matthew Garrett <mjg59@google.com>
Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Cc: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Signed-off-by: Jerry Snitselaar <jsnitsel@redhat.com>
Reviewed-by: <jarkko.sakkinen@linux.intel.com>
---
v3: rebase on top of Peter Jone's patchset
v2: added FW_BUG to pr_err, and renamed label to out_calc.
Updated doc comment for __calc_tpm2_event_size.
drivers/firmware/efi/tpm.c | 9 ++++++++-
include/linux/tpm_eventlog.h | 2 +-
2 files changed, 9 insertions(+), 2 deletions(-)
diff --git a/drivers/firmware/efi/tpm.c b/drivers/firmware/efi/tpm.c
index b9ae5c6f9b9c..703469c1ab8e 100644
--- a/drivers/firmware/efi/tpm.c
+++ b/drivers/firmware/efi/tpm.c
@@ -85,11 +85,18 @@ int __init efi_tpm_eventlog_init(void)
final_tbl->nr_events,
log_tbl->log);
}
+
+ if (tbl_size < 0) {
+ pr_err(FW_BUG "Failed to parse event in TPM Final Events Log\n");
+ goto out_calc;
+ }
+
memblock_reserve((unsigned long)final_tbl,
tbl_size + sizeof(*final_tbl));
- early_memunmap(final_tbl, sizeof(*final_tbl));
efi_tpm_final_log_size = tbl_size;
+out_calc:
+ early_memunmap(final_tbl, sizeof(*final_tbl));
out:
early_memunmap(log_tbl, sizeof(*log_tbl));
return ret;
diff --git a/include/linux/tpm_eventlog.h b/include/linux/tpm_eventlog.h
index 12584b69a3f3..2dfdd63ac034 100644
--- a/include/linux/tpm_eventlog.h
+++ b/include/linux/tpm_eventlog.h
@@ -152,7 +152,7 @@ struct tcg_algorithm_info {
* total. Once we've done this we know the offset of the data length field,
* and can calculate the total size of the event.
*
- * Return: size of the event on success, <0 on failure
+ * Return: size of the event on success, 0 on failure
*/
static inline int __calc_tpm2_event_size(struct tcg_pcr_event2_head *event,
|
