[PATCH 0/1] Fix crash in __calc_tpm2_event_size

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



I've been testing the latest code in the linux-tpmdd branch and I'm
experiencing a crash in __calc_tpm2_event_size when it's called to
calculate the size of events in the final log. I hope I'm not stepping on
anyone's toes, but this small change seems to fix it.

What seems to happen is that the event header is mapped here:

    /* Map the event header */
    if (do_mapping) {
        mapping_size = marker - marker_start;
        mapping = TPM_MEMREMAP((unsigned long)marker_start,
                       mapping_size);

    ...

    event = (struct tcg_pcr_event2_head *)mapping;

When calculating the cumulative size of the digests, the event header is
dereferenced here on each loop iteration in order to obtain the digest
count:

    for (i = 0; i < event->count; i++) {
        halg_size = sizeof(event->digests[i].alg_id);

But the first iteration of the loop unmaps the event header:

        /* Map the digest's algorithm identifier */
        if (do_mapping) {
            TPM_MEMUNMAP(mapping, mapping_size);
            mapping_size = halg_size;
            mapping = TPM_MEMREMAP((unsigned long)marker,
                         mapping_size);

Subsequent loop iterations then dereference a pointer to unmapped memory.

Chris Coulson (1):
  tpm: Don't dereference event after it's unmapped in
    __calc_tpm2_event_size

 include/linux/tpm_eventlog.h | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

-- 
2.17.1




[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Security]     [Bugtraq]     [Linux OMAP]     [Linux MIPS]     [ECOS]     [Asterisk Internet PBX]     [Linux API]

  Powered by Linux