Re: [Qemu-devel] [PATCH v1] tpm: check localities index

qemu-devel

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Qemu-devel] [PATCH v1] tpm: check localities index

From:	P J P
Subject:	Re: [Qemu-devel] [PATCH v1] tpm: check localities index
Date:	Tue, 20 Nov 2018 23:36:29 +0530 (IST)

  Hello Stefan,

+-- On Tue, 20 Nov 2018, Stefan Berger wrote --+
| On 11/20/18 2:22 AM, P J P wrote:
| > From: Prasad J Pandit <address@hidden>
| >
| > While performing mmio device r/w operations, guest could set 'addr'
| > parameter such that 'locty' index exceeds TPM_TIS_NUM_LOCALITIES=5
| > after setting new 'locty' via 'tpm_tis_new_active_locality'.
| > Add check to avoid OOB access.
| 
| Do you have test code that can set the memory to such a locality or is this
| purely hypothetical at the moment?

It's not hypothetical, reporter used tpm-emulator below

  -> https://github.com/PeterHuewe/tpm-emulator

with an old version of QEMU. I shared the details with Marc-Andre earlier 
today.

| We are registering this MMIO area:
| 
|     memory_region_init_io(&s->mmio, OBJECT(s), &tpm_tis_memory_ops,
|                           s, "tpm-tis-mmio",
|                           TPM_TIS_NUM_LOCALITIES << 
| TPM_TIS_LOCALITY_SHIFT);
| 
| #define TPM_TIS_NUM_LOCALITIES      5
| 
| #define TPM_TIS_LOCALITY_SHIFT      12
| 
| --> 5 << 12 = 0x5000, thus we get memory locations [0 .. 0x4fff]
| 
| 
| We have the following code to get from an address to the locality:
| 
| static uint8_t tpm_tis_locality_from_addr(hwaddr addr)
| {
|     return (uint8_t)((addr >> TPM_TIS_LOCALITY_SHIFT) & 0x7);
| }
| 
| With this we would get localities of [0x0 .. 0x4] following the memory
| locations [0 .. 0x4fff] above.

  Right. IIUC mmio r/w routines called with 'addr' value like 0x07000 may set 
'locty' to > TPM_TIS_NUM_LOCALITIES. Also in mmio_write at one point, 
'active_locty' is set to TPM_TIS_NO_LOCALITY(=0xff), which may be used to set 
'new_locty'.

tpm_tis_mmio_write
   ...
   active_locty = TPM_TIS_NO_LOCALITY(=0xff);
   ...
   tpm_tis_new_active_locality(s, active_locty);


tpm_tis_new_active_locality(TPMState *s, uint8_t new_active_locty)
   ...
   s->active_locty = new_active_locty;


Thank you.
--
Prasad J Pandit / Red Hat Product Security Team
47AF CE69 3A90 54AA 9045 1053 DD13 3D32 FE5B 041F

[Prev in Thread]

Current Thread

[Next in Thread]

[Qemu-devel] [PATCH v1] tpm: check localities index, P J P, 2018/11/20
- Re: [Qemu-devel] [PATCH v1] tpm: check localities index, Marc-André Lureau, 2018/11/20
  - Re: [Qemu-devel] [PATCH v1] tpm: check localities index, Marc-André Lureau, 2018/11/20
- Re: [Qemu-devel] [PATCH v1] tpm: check localities index, Stefan Berger, 2018/11/20
  - Re: [Qemu-devel] [PATCH v1] tpm: check localities index, P J P <=
    - Re: [Qemu-devel] [PATCH v1] tpm: check localities index, P J P, 2018/11/21
    - Re: [Qemu-devel] [PATCH v1] tpm: check localities index, Stefan Berger, 2018/11/21
    - Re: [Qemu-devel] [PATCH v1] tpm: check localities index, P J P, 2018/11/22
- Re: [Qemu-devel] [PATCH v1] tpm: check localities index, Stefan Berger, 2018/11/21
- Re: [Qemu-devel] [PATCH v1] tpm: check localities index, no-reply, 2018/11/21
  - Re: [Qemu-devel] [PATCH v1] tpm: check localities index, Stefan Berger, 2018/11/21

Prev by Date: Re: [Qemu-devel] [PATCH v5 00/14] arm: nRF51 Devices and Microbit Support
Next by Date: Re: [Qemu-devel] [PATCH v5 00/16] Don't pass flags to bdrv_reopen_queue()
Previous by thread: Re: [Qemu-devel] [PATCH v1] tpm: check localities index
Next by thread: Re: [Qemu-devel] [PATCH v1] tpm: check localities index
Index(es):
- Date
- Thread