On Mon, Sep 28, 2020 at 06:15:00PM +0200, Ard Biesheuvel wrote:
> > > > It is possible but initially feels a bit weird:
> > > >
> > > > - sizeof(TCG_SPECID_SIG)) || count > efispecid->num_algs) {
> > > > + sizeof(TCG_SPECID_SIG)) ||
> > > > + !efispecid->num_algs || count != efispecid->num_algs) {
          ^^^
> In tpm2_bios_measurements_start(), we dereference tpm_bios_log to
> access bios_event_log and bios_event_log_end without checking tpm_bios
> for NULL. This is where the crash seems to occur.

That's a good guess. Just a bit confused how that particular patch can
have the effect: it has two dereferences to efispecid instead of one in
the same statement.

Would be interesting to hear if the bug is triggered in Kenneth's
environment by the exact same commit.

/Jarkko
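Review bot: the replaced condition turns `count > efispecid->num_algs` into `!efispecid->num_algs || count != efispecid->num_algs`, so a log whose `count` is below `efispecid->num_algs` is now rejected as well as one above it; that tightening from `>` to `!=` should be stated in the commit message. The `!efispecid->num_algs` clause only changes the outcome when `count` is zero (for any nonzero `count`, `count != efispecid->num_algs` already rejects a zero `num_algs`), and it is what introduces the second dereference of `efispecid` in the same statement that the reply points at.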