[PATCH v3 04/16] tpm: call tpm2_flush_space() on error in tpm_try_transmit()
From: Jarkko Sakkinen
Date: Sun Nov 04 2018 - 20:46:43 EST
Always call tpm2_flush_space() on failure in tpm_try_transmit() so that
the volatile memory of the TPM gets cleared. If /dev/tpm0 does not have
sufficient permissions (usually it has), this could leak to the leakage
of TPM objects. Through /dev/tpmrm0 this issue does not raise new
security concerns.
Cc: stable@xxxxxxxxxxxxxxx
Fixes: 745b361e989a ("tpm:tpm: infrastructure for TPM spaces")
Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@xxxxxxxxxxxxxxx>
---
drivers/char/tpm/tpm-interface.c | 28 +++++++++++++++++-----------
drivers/char/tpm/tpm.h | 1 +
drivers/char/tpm/tpm2-space.c | 2 +-
3 files changed, 19 insertions(+), 12 deletions(-)
diff --git a/drivers/char/tpm/tpm-interface.c b/drivers/char/tpm/tpm-interface.c
index 64510ed81b46..ecda6f96cde0 100644
--- a/drivers/char/tpm/tpm-interface.c
+++ b/drivers/char/tpm/tpm-interface.c
@@ -224,14 +224,14 @@ static ssize_t tpm_try_transmit(struct tpm_chip *chip,
rc = tpm2_prepare_space(chip, space, ordinal, buf);
if (rc)
- goto out;
+ goto out_idle;
rc = chip->ops->send(chip, buf, count);
if (rc < 0) {
if (rc != -EPIPE)
dev_err(&chip->dev,
"%s: tpm_send: error %d\n", __func__, rc);
- goto out;
+ goto out_space;
}
if (chip->flags & TPM_CHIP_FLAG_IRQ)
@@ -247,7 +247,7 @@ static ssize_t tpm_try_transmit(struct tpm_chip *chip,
if (chip->ops->req_canceled(chip, status)) {
dev_err(&chip->dev, "Operation Canceled\n");
rc = -ECANCELED;
- goto out;
+ goto out_space;
}
tpm_msleep(TPM_TIMEOUT_POLL);
@@ -257,7 +257,7 @@ static ssize_t tpm_try_transmit(struct tpm_chip *chip,
chip->ops->cancel(chip);
dev_err(&chip->dev, "Operation Timed out\n");
rc = -ETIME;
- goto out;
+ goto out_space;
out_recv:
len = chip->ops->recv(chip, buf, bufsiz);
@@ -265,22 +265,28 @@ static ssize_t tpm_try_transmit(struct tpm_chip *chip,
rc = len;
dev_err(&chip->dev,
"tpm_transmit: tpm_recv: error %d\n", rc);
- goto out;
+ goto out_idle;
} else if (len < TPM_HEADER_SIZE) {
rc = -EFAULT;
- goto out;
+ goto out_idle;
}
if (len != be32_to_cpu(header->length)) {
rc = -EFAULT;
- goto out;
+ goto out_idle;
}
- rc = tpm2_commit_space(chip, space, ordinal, buf, &len);
- if (rc)
- dev_err(&chip->dev, "tpm2_commit_space: error %d\n", rc);
+out_space:
+ if (rc) {
+ tpm2_flush_space(chip);
+ } else {
+ rc = tpm2_commit_space(chip, space, ordinal, buf, &len);
+ if (rc)
+ dev_err(&chip->dev, "tpm2_commit_space: error %d\n",
+ rc);
+ }
-out:
+out_idle:
/* may fail but do not override previous error value in rc */
tpm_go_idle(chip, flags);
diff --git a/drivers/char/tpm/tpm.h b/drivers/char/tpm/tpm.h
index 49bca4d1e786..229ac42b644e 100644
--- a/drivers/char/tpm/tpm.h
+++ b/drivers/char/tpm/tpm.h
@@ -579,6 +579,7 @@ int tpm2_probe(struct tpm_chip *chip);
int tpm2_find_cc(struct tpm_chip *chip, u32 cc);
int tpm2_init_space(struct tpm_space *space);
void tpm2_del_space(struct tpm_chip *chip, struct tpm_space *space);
+void tpm2_flush_space(struct tpm_chip *chip);
int tpm2_prepare_space(struct tpm_chip *chip, struct tpm_space *space, u32 cc,
u8 *cmd);
int tpm2_commit_space(struct tpm_chip *chip, struct tpm_space *space,
diff --git a/drivers/char/tpm/tpm2-space.c b/drivers/char/tpm/tpm2-space.c
index 1131a8e7b79b..d53c882268ff 100644
--- a/drivers/char/tpm/tpm2-space.c
+++ b/drivers/char/tpm/tpm2-space.c
@@ -162,7 +162,7 @@ static int tpm2_save_context(struct tpm_chip *chip, u32 handle, u8 *buf,
return 0;
}
-static void tpm2_flush_space(struct tpm_chip *chip)
+void tpm2_flush_space(struct tpm_chip *chip)
{
struct tpm_space *space = &chip->work_space;
int i;
--
2.19.1