Thanks for reporting the bug and providing the fix.

Actually, if tpm_detect() were put after verify_acmod() as your patch 
indicates, it would create another issue: SGX status verification 
failure.
In verify_acmod(), there is a verify_IA32_se_svn_status() which consumes 
some initialized TPM data to do SGX status verification.

Moving verify_IA32_se_svn_status() to the end of your patch may resolve the SGX 
issue, but we need more tests on it...

-ning

From: shiwan...@gohighsec.com [mailto:shiwan...@gohighsec.com]
Sent: Saturday, January 14, 2017 1:37 AM
To: tboot-devel <tboot-devel@lists.sourceforge.net>
Subject: [tboot-devel] null pointer dereference bug

Hi,
There is a null pointer dereference bug in the latest version of tboot-1.9.5.
The global variable g_sinit is used in the function tpm_detect(), but 
g_sinit is a null pointer at this time.
The details of this process can be described as follows:
tpm_detect()
      return g_tpm->init(g_tpm);
             tpm_info_list_t *info_list = get_tpm_info_list(g_sinit); // g_sinit is a null pointer

Here is a patch against 1.9.5 which corrects the problem:
---------------------------------------------------------------------------
diff -urNp a/tboot/common/tboot.c b/tboot/common/tboot.c
---  a/tboot/common/tboot.c      2017-01-12 22:24:08.000000000 -0500
+++ b/tboot/common/tboot.c      2017-01-14 12:06:35.816986990 -0500
@@ -384,10 +384,6 @@ void begin_launch(void *addr, uint32_t m
         if ( !copy_e820_map(g_ldr_ctx) )  apply_policy(TB_ERR_FATAL);
     }

-    /* make TPM ready for measured launch */
-    if (!tpm_detect())
-       apply_policy(TB_ERR_TPM_NOT_READY);
-
     /* we need to make sure this is a (TXT-) capable platform before using */
     /* any of the features, incl. those required to check if the environment */
     /* has already been launched */
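Review bot: Deleting the tpm_detect() call here means everything between this point and wherever it is re-added runs with the TPM uninitialized, which matters because ning points out that verify_acmod() calls verify_IA32_se_svn_status() and that function consumes initialized TPM data. Before removing the early call, it would help to list what in the intervening code depends on TPM state; the comment "make TPM ready for measured launch" suggests it was placed early on purpose.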
@@ -401,6 +397,10 @@ void begin_launch(void *addr, uint32_t m
        if (!verify_acmod(g_sinit))
            apply_policy(TB_ERR_ACMOD_VERIFY_FAILED);
     }
+
+    /* make TPM ready for measured launch */
+    if (!tpm_detect())
+       apply_policy(TB_ERR_TPM_NOT_READY);


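Review bot: The re-added tpm_detect() now sits after verify_acmod(g_sinit), so the SGX status check inside verify_acmod() (verify_IA32_se_svn_status(), per ning) runs before the TPM is initialized and is expected to fail. It also sits outside the closing `}` of the block in which verify_acmod(g_sinit) runs, so if that block can be skipped, g_sinit may still be NULL when tpm_detect() is reached and the original dereference is not fully addressed. Two alternatives worth weighing: guard the g_sinit use inside tpm_detect() / get_tpm_info_list() and keep the call where it was, or, as ning suggests, move verify_IA32_se_svn_status() after tpm_detect() and test that path.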
Thanks
Wangyi
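The ordering problem discussed in this thread, worked through as a constructed C model; this is an added example, not tboot's code. The names mirror the messages (tpm_detect, verify_acmod, verify_IA32_se_svn_status, g_sinit), but every body is a stand-in that encodes only the dependency the messages describe: tpm_detect() needs g_sinit, and verify_IA32_se_svn_status() needs an initialized TPM.

```c
#include <stdbool.h>
#include <stddef.h>

/* Constructed stand-ins: not tboot's real types or functions. */
typedef struct { int placeholder; } sinit_t;   /* stands in for the SINIT ACM */
typedef struct { int initialized; } tpm_t;

static sinit_t  g_sinit_storage = {0};
static sinit_t *g_sinit = NULL;      /* NULL until the SINIT ACM is located */
static tpm_t    g_tpm   = {0};

enum { OK = 0, ERR_TPM_NOT_READY, ERR_ACMOD_VERIFY_FAILED };

/* tpm_detect() reads g_sinit (get_tpm_info_list(g_sinit) in tboot). The
 * model refuses instead of dereferencing NULL, which is the 1.9.5 crash. */
static bool tpm_detect(void) {
    if (g_sinit == NULL) return false;
    g_tpm.initialized = 1;
    return true;
}

/* Consumes initialized TPM data, as ning describes for the SGX status check. */
static bool verify_IA32_se_svn_status(void) { return g_tpm.initialized != 0; }

/* verify_acmod() runs the SE SVN check unless it has been moved out (order 2). */
static bool verify_acmod(const sinit_t *s, bool check_se_svn) {
    if (s == NULL) return false;
    return check_se_svn ? verify_IA32_se_svn_status() : true;
}

static void locate_sinit(void) { g_sinit = &g_sinit_storage; }
static void reset_state(void) { g_sinit = NULL; g_tpm.initialized = 0; }

/* order 0: 1.9.5 (tpm_detect first)      -> fails, g_sinit still NULL
 * order 1: Wangyi's patch (after acmod)  -> SE SVN check sees no TPM
 * order 2: ning's suggestion (SE SVN check after tpm_detect) -> succeeds */
int begin_launch_model(int order) {
    reset_state();
    if (order == 0 && !tpm_detect()) return ERR_TPM_NOT_READY;
    locate_sinit();
    if (!verify_acmod(g_sinit, order != 2)) return ERR_ACMOD_VERIFY_FAILED;
    if (order != 0 && !tpm_detect()) return ERR_TPM_NOT_READY;
    if (order == 2 && !verify_IA32_se_svn_status()) return ERR_ACMOD_VERIFY_FAILED;
    return OK;
}
```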