Author: mw Date: Tue Apr 16 02:28:35 2019 New Revision: 346259 URL: https://svnweb.freebsd.org/changeset/base/346259
Log: tpm: Prevent session hijack Check caller thread id before allowing to read the buffer to make sure that it can only be accessed by the thread that did the associated write to the TPM. Submitted by: Kornel Duleba <[email protected]> Reviewed by: delphij Obtained from: Semihalf Sponsored by: Stormshield Differential Revision: https://reviews.freebsd.org/D19713 Modified: head/sys/dev/tpm/tpm20.c head/sys/dev/tpm/tpm20.h Modified: head/sys/dev/tpm/tpm20.c ============================================================================== --- head/sys/dev/tpm/tpm20.c Tue Apr 16 02:12:38 2019 (r346258) +++ head/sys/dev/tpm/tpm20.c Tue Apr 16 02:28:35 2019 (r346259) @@ -77,6 +77,10 @@ tpm20_read(struct cdev *dev, struct uio *uio, int flag callout_stop(&sc->discard_buffer_callout); sx_xlock(&sc->dev_lock); + if (sc->owner_tid != uio->uio_td->td_tid) { + sx_xunlock(&sc->dev_lock); + return (EPERM); + } bytes_to_transfer = MIN(sc->pending_data_length, uio->uio_resid); if (bytes_to_transfer > 0) { @@ -128,9 +132,11 @@ tpm20_write(struct cdev *dev, struct uio *uio, int fla result = sc->transmit(sc, byte_count); - if (result == 0) + if (result == 0) { callout_reset(&sc->discard_buffer_callout, TPM_READ_TIMEOUT / tick, tpm20_discard_buffer, sc); + sc->owner_tid = uio->uio_td->td_tid; + } sx_xunlock(&sc->dev_lock); return (result); Modified: head/sys/dev/tpm/tpm20.h ============================================================================== --- head/sys/dev/tpm/tpm20.h Tue Apr 16 02:12:38 2019 (r346258) +++ head/sys/dev/tpm/tpm20.h Tue Apr 16 02:28:35 2019 (r346259) @@ -120,6 +120,7 @@ struct tpm_sc { uint8_t *buf; size_t pending_data_length; + lwpid_t owner_tid; struct callout discard_buffer_callout; #ifdef TPM_HARVEST _______________________________________________ [email protected] mailing list https://lists.freebsd.org/mailman/listinfo/svn-src-head To unsubscribe, send any mail to "[email protected]"
