Home Explore Help
Register Sign In
phyus
/
linux-vybrid_public
8
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Browse Source

tpm: Propagate error from tpm_transmit to fix a timeout hang

tpm_write calls tpm_transmit without checking the return value and
assigns the return value unconditionally to chip->pending_data, even if
it's an error value.
This causes three bugs.

So if we write to /dev/tpm0 with a tpm_param_size bigger than
TPM_BUFSIZE=0x1000 (e.g. 0x100a)
and a bufsize also bigger than TPM_BUFSIZE (e.g. 0x100a)
tpm_transmit returns -E2BIG which is assigned to chip->pending_data as
-7, but tpm_write returns that TPM_BUFSIZE bytes have been successfully
been written to the TPM, altough this is not true (bug #1).

As we did write more than than TPM_BUFSIZE bytes but tpm_write reports
that only TPM_BUFSIZE bytes have been written the vfs tries to write
the remaining bytes (in this case 10 bytes) to the tpm device driver via
tpm_write which then blocks at

 /* cannot perform a write until the read has cleared
 either via tpm_read or a user_read_timer timeout */
 while (atomic_read(&chip->data_pending) != 0)
	 msleep(TPM_TIMEOUT);

for 60 seconds, since data_pending is -7 and nobody is able to
read it (since tpm_read luckily checks if data_pending is greater than
0) (#bug 2).

After that the remaining bytes are written to the TPM which are
interpreted by the tpm as a normal command. (bug #3)
So if the last bytes of the command stream happen to be a e.g.
tpm_force_clear this gets accidentally sent to the TPM.

This patch fixes all three bugs, by propagating the error code of
tpm_write and returning -E2BIG if the input buffer is too big,
since the response from the tpm for a truncated value is bogus anyway.
Moreover it returns -EBUSY to userspace if there is a response ready to be
read.

Signed-off-by: Peter Huewe <peter.huewe@infineon.com>
Signed-off-by: Kent Yoder <key@linux.vnet.ibm.com>
Peter Huewe 12 years ago
parent
bf53083445
commit
abce9ac292
1 changed files with 14 additions and 7 deletions
Split View Show Diff Stats
  1. 14 7
      drivers/char/tpm/tpm.c

+ 14 - 7
drivers/char/tpm/tpm.c
View File 

@@ -1182,17 +1182,20 @@ ssize_t tpm_write(struct file *file, const char __user *buf,
 
 		  size_t size, loff_t *off)
 
 {
 
 	struct tpm_chip *chip = file->private_data;
 
-	size_t in_size = size, out_size;
 
+	size_t in_size = size;
 
+	ssize_t out_size;
 
 
 	/* cannot perform a write until the read has cleared
 
-	   either via tpm_read or a user_read_timer timeout */
 
-	while (atomic_read(&chip->data_pending) != 0)
 
-		msleep(TPM_TIMEOUT);
 
-
 
-	mutex_lock(&chip->buffer_mutex);
 
+	   either via tpm_read or a user_read_timer timeout.
 
+	   This also prevents splitted buffered writes from blocking here.
 
+	*/
 
+	if (atomic_read(&chip->data_pending) != 0)
 
+		return -EBUSY;
 
 
 	if (in_size > TPM_BUFSIZE)
 
-		in_size = TPM_BUFSIZE;
 
+		return -E2BIG;
 
+
 
+	mutex_lock(&chip->buffer_mutex);
 
 
 	if (copy_from_user
 
 	    (chip->data_buffer, (void __user *) buf, in_size)) {
 
@@ -1202,6 +1205,10 @@ ssize_t tpm_write(struct file *file, const char __user *buf,
 
 
 	/* atomic tpm command send and result receive */
 
 	out_size = tpm_transmit(chip, chip->data_buffer, TPM_BUFSIZE);
 
+	if (out_size < 0) {
 
+		mutex_unlock(&chip->buffer_mutex);
 
+		return out_size;
 
+	}
 
 
 	atomic_set(&chip->data_pending, out_size);
 
 	mutex_unlock(&chip->buffer_mutex);