I've been testing the latest code in the linux-tpmdd branch and I'm
experiencing a crash in __calc_tpm2_event_size when it's called to
calculate the size of events in the final log. I hope I'm not stepping on
anyone's toes, but this small change seems to fix it.
What seems to happen is that the event header is mapped here:
/* Map the event header */
if (do_mapping) {
mapping_size = marker - marker_start;
mapping = TPM_MEMREMAP((unsigned long)marker_start,
mapping_size);
...
event = (struct tcg_pcr_event2_head *)mapping;
When calculating the cumulative size of the digests, the event header is
dereferenced here on each loop iteration in order to obtain the digest
count:
for (i = 0; i < event->count; i++) {
halg_size = sizeof(event->digests[i].alg_id);
But the first iteration of the loop unmaps the event header:
/* Map the digest's algorithm identifier */
if (do_mapping) {
TPM_MEMUNMAP(mapping, mapping_size);
mapping_size = halg_size;
mapping = TPM_MEMREMAP((unsigned long)marker,
mapping_size);
Subsequent loop iterations then dereference a pointer to unmapped memory.
Chris Coulson (1):
tpm: Don't dereference event after it's unmapped in
__calc_tpm2_event_size
include/linux/tpm_eventlog.h | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
--
2.17.1
