From patchwork Tue Aug 25 08:36:21 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: You-Sheng Yang X-Patchwork-Id: 1350862 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Authentication-Results: ozlabs.org; spf=none (no SPF record) smtp.mailfrom=lists.ubuntu.com (client-ip=91.189.94.19; helo=huckleberry.canonical.com; envelope-from=kernel-team-bounces@lists.ubuntu.com; receiver=) Authentication-Results: ozlabs.org; dmarc=fail (p=none dis=none) header.from=canonical.com Received: from huckleberry.canonical.com (huckleberry.canonical.com [91.189.94.19]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ozlabs.org (Postfix) with ESMTPS id 4BbMm30gjfz9sTd; Tue, 25 Aug 2020 18:36:35 +1000 (AEST) Received: from localhost ([127.0.0.1] helo=huckleberry.canonical.com) by huckleberry.canonical.com with esmtp (Exim 4.86_2) (envelope-from ) id 1kAURT-0006rk-Rz; Tue, 25 Aug 2020 08:36:31 +0000 Received: from mail-pg1-f177.google.com ([209.85.215.177]) by huckleberry.canonical.com with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.86_2) (envelope-from ) id 1kAURS-0006qz-3K for kernel-team@lists.ubuntu.com; Tue, 25 Aug 2020 08:36:30 +0000 Received: by mail-pg1-f177.google.com with SMTP id 67so3209861pgd.12 for ; Tue, 25 Aug 2020 01:36:29 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=LYoojuyDe677C9Bin9ri4Amk4NYWjAqOH/BbHk5+Tfw=; b=d+paZfVGxleGVO/inLzcPQbQfUxTwoLS2Ru5urCKqpWNyOZIbABj+dTkoKTp/MPkpg nK+9oEnPvn6B8e4pJE/IaEbmRESco1lzfm52zzyTt22fTAac4pAGdzgrpkYi/Y4MLUvM e3/4pfMYlER5dX+sqNqAMMfhv7Aw9Hv7bH1FjdbipgdkHtQJD+RaMRBLV4kabv70t0zl n/AJbNDSaiL0iNIfx3DT+KT6dApfH9m4Jn4A950781+1innBB98P/+j6ahtVcu0dCsSA esHwFY9Rp41KXDa4t5DBsK3p0YIoJeD5YgRwDCi3jbEerTvZt9E3yRZlybKiXvlDbt24 U0oQ== X-Gm-Message-State: AOAM533IMxvxPB0PfUAWwi/QXzLcnMpz42kOovogsFDTtTZrnizyU3Pv xHoGx0ir9fT1/0chYR8Entxur1qksahGWA== X-Google-Smtp-Source: ABdhPJyy208OaYyEdO/zNi8UAKKvZ4cVpVZZgFF5VvNTTEluIjC/9F/TuvG1FSBjX7mUfhha7kQt3g== X-Received: by 2002:a63:9d82:: with SMTP id i124mr5945760pgd.336.1598344587815; Tue, 25 Aug 2020 01:36:27 -0700 (PDT) Received: from localhost (61-220-137-37.HINET-IP.hinet.net. [61.220.137.37]) by smtp.gmail.com with ESMTPSA id f12sm2154095pjm.52.2020.08.25.01.36.26 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 25 Aug 2020 01:36:26 -0700 (PDT) From: You-Sheng Yang To: kernel-team@lists.ubuntu.com Subject: [PATCH 1/1][SRU][OEM-5.6] efi/tpm: Verify event log header before parsing Date: Tue, 25 Aug 2020 16:36:21 +0800 Message-Id: <20200825083621.310249-2-vicamo.yang@canonical.com> X-Mailer: git-send-email 2.27.0 In-Reply-To: <20200825083621.310249-1-vicamo.yang@canonical.com> References: <20200825083621.310249-1-vicamo.yang@canonical.com> MIME-Version: 1.0 Received-SPF: pass client-ip=209.85.215.177; envelope-from=vicamo@gmail.com; helo=mail-pg1-f177.google.com X-BeenThere: kernel-team@lists.ubuntu.com X-Mailman-Version: 2.1.20 Precedence: list List-Id: Kernel team discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: kernel-team-bounces@lists.ubuntu.com Sender: "kernel-team" From: Fabian Vogt BugLink: https://bugs.launchpad.net/bugs/1892827 [ Upstream commit 7dfc06a0f25b593a9f51992f540c0f80a57f3629 ] It is possible that the first event in the event log is not actually a log header at all, but rather a normal event. This leads to the cast in __calc_tpm2_event_size being an invalid conversion, which means that the values read are effectively garbage. Depending on the first event's contents, this leads either to apparently normal behaviour, a crash or a freeze. While this behaviour of the firmware is not in accordance with the TCG Client EFI Specification, this happens on a Dell Precision 5510 with the TPM enabled but hidden from the OS ("TPM On" disabled, state otherwise untouched). The EFI firmware claims that the TPM is present and active and that it supports the TCG 2.0 event log format. Fortunately, this can be worked around by simply checking the header of the first event and the event log header signature itself. Commit b4f1874c6216 ("tpm: check event log version before reading final events") addressed a similar issue also found on Dell models. Fixes: 6b0326190205 ("efi: Attempt to get the TCG2 event log in the boot stub") Signed-off-by: Fabian Vogt Link: https://lore.kernel.org/r/1927248.evlx2EsYKh@linux-e202.suse.de Bugzilla: https://bugzilla.suse.com/show_bug.cgi?id=1165773 Signed-off-by: Ard Biesheuvel Signed-off-by: Sasha Levin (cherry picked from commit ea3cdcaa43b08c9a747639f545b0ed5cca47f87e) Signed-off-by: You-Sheng Yang --- include/linux/tpm_eventlog.h | 14 +++++++++++++- 1 file changed, 13 insertions(+), 1 deletion(-) diff --git a/include/linux/tpm_eventlog.h b/include/linux/tpm_eventlog.h index 131ea1bad458..eccfd3a4e4c8 100644 --- a/include/linux/tpm_eventlog.h +++ b/include/linux/tpm_eventlog.h @@ -81,6 +81,8 @@ struct tcg_efi_specid_event_algs { u16 digest_size; } __packed; +#define TCG_SPECID_SIG "Spec ID Event03" + struct tcg_efi_specid_event_head { u8 signature[16]; u32 platform_class; @@ -171,6 +173,7 @@ static inline int __calc_tpm2_event_size(struct tcg_pcr_event2_head *event, int i; int j; u32 count, event_type; + const u8 zero_digest[sizeof(event_header->digest)] = {0}; marker = event; marker_start = marker; @@ -198,10 +201,19 @@ static inline int __calc_tpm2_event_size(struct tcg_pcr_event2_head *event, count = READ_ONCE(event->count); event_type = READ_ONCE(event->event_type); + /* Verify that it's the log header */ + if (event_header->pcr_idx != 0 || + event_header->event_type != NO_ACTION || + memcmp(event_header->digest, zero_digest, sizeof(zero_digest))) { + size = 0; + goto out; + } + efispecid = (struct tcg_efi_specid_event_head *)event_header->event; /* Check if event is malformed. */ - if (count > efispecid->num_algs) { + if (memcmp(efispecid->signature, TCG_SPECID_SIG, + sizeof(TCG_SPECID_SIG)) || count > efispecid->num_algs) { size = 0; goto out; }