From d68a65eabf49639f5874a67e9ec8de45979ac903 Mon Sep 17 00:00:00 2001 From: Marcin Wojtas Date: Tue, 16 Apr 2019 02:28:35 +0000 Subject: [PATCH] tpm: Prevent session hijack Check caller thread id before allowing to read the buffer to make sure that it can only be accessed by the thread that did the associated write to the TPM. Submitted by: Kornel Duleba Reviewed by: delphij Obtained from: Semihalf Sponsored by: Stormshield Differential Revision: https://reviews.freebsd.org/D19713 --- sys/dev/tpm/tpm20.c | 8 +++++++- sys/dev/tpm/tpm20.h | 1 + 2 files changed, 8 insertions(+), 1 deletion(-) diff --git a/sys/dev/tpm/tpm20.c b/sys/dev/tpm/tpm20.c index 29a9cf34cc0..bef472dbecd 100644 --- a/sys/dev/tpm/tpm20.c +++ b/sys/dev/tpm/tpm20.c @@ -77,6 +77,10 @@ tpm20_read(struct cdev *dev, struct uio *uio, int flags) callout_stop(&sc->discard_buffer_callout); sx_xlock(&sc->dev_lock); + if (sc->owner_tid != uio->uio_td->td_tid) { + sx_xunlock(&sc->dev_lock); + return (EPERM); + } bytes_to_transfer = MIN(sc->pending_data_length, uio->uio_resid); if (bytes_to_transfer > 0) { @@ -128,9 +132,11 @@ tpm20_write(struct cdev *dev, struct uio *uio, int flags) result = sc->transmit(sc, byte_count); - if (result == 0) + if (result == 0) { callout_reset(&sc->discard_buffer_callout, TPM_READ_TIMEOUT / tick, tpm20_discard_buffer, sc); + sc->owner_tid = uio->uio_td->td_tid; + } sx_xunlock(&sc->dev_lock); return (result); diff --git a/sys/dev/tpm/tpm20.h b/sys/dev/tpm/tpm20.h index 71128b58e57..6275a7f7595 100644 --- a/sys/dev/tpm/tpm20.h +++ b/sys/dev/tpm/tpm20.h @@ -120,6 +120,7 @@ struct tpm_sc { uint8_t *buf; size_t pending_data_length; + lwpid_t owner_tid; struct callout discard_buffer_callout; #ifdef TPM_HARVEST