Received: by 2002:ac0:a5a6:0:0:0:0:0 with SMTP id m35-v6csp3255450imm; Mon, 10 Sep 2018 13:42:43 -0700 (PDT) X-Google-Smtp-Source: ANB0VdYCpM8CXCY639tyf10NFcgn7oSIfQaIKAnRPPOxFLUAtMmBIxXNWI9EOX3y0cHnkGET1RYj X-Received: by 2002:a62:4f0b:: with SMTP id d11-v6mr25401684pfb.132.1536612163787; Mon, 10 Sep 2018 13:42:43 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1536612163; cv=none; d=google.com; s=arc-20160816; b=OOAJwCledKOvyt2C5lXMtG45kxYTKtslLL9b6jKpL5o6PjAW7BhYvsg8kFxmZj0mKF ZUzuYScQwqUprvgZJONKIikgpzCVp2ynd79W4Fr0zVfWejn+HIZ6AleLk7W7mmwFzsYB d4e4AYYlzTzeKFxZQykTqVe8y+F3f8mBwTgKmTzrl235imcLV9o+Wu5AnPhbsShXDYPs L+6noS5bArxYN2hgcDSXZWu+v+yg9cX+0QhOwPkcR0LSNwuf4evKIiBEQvWzwL+AW8EL kfUqF4uMiQeTw8/Gd8zXvMmTLjuiKCO77xNkUwp3k2N6VpQ7TbJuGUYOQlk6Jp3OAp+z CTXg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:user-agent:in-reply-to :content-disposition:mime-version:references:mail-followup-to :message-id:subject:cc:to:from:date:dkim-signature; bh=lj/5WHdNGhoSJHTdcUGGhcfcUrbTMpQ/Biva2Qs3B2Y=; b=Jxn4IR2qIMghNRUwd1dz6IT1A+cQwP+kO50mTpEYge5SqaukIW8WMXQBaYN48uY6is U+DZyGFEdZI1I9ZLTdEJwvgrorAclxxdqMyWh0DZq4uGJtLMsfLjUHfSikCaBAm2Oaja l7E3noX+K5eTNYv7JArJTKyma9qh+X54L92MHnX+Ux8EsgL6ruDvuZOZ33LTKH052Aux wB7ITx6RSfUflIczXDEh3X8JOZVEPrJE1hE1AQBuuEOdD+JK6/2/KLqvOhMLMmprHre/ omlp5jsjThIJMXIDbTPHwvbiqLGnRqDUGaLEGQrT4xKjsWpAB3cyOr33tyOCcAz3iJia Xg4w== ARC-Authentication-Results: i=1; mx.google.com; dkim=fail header.i=@thunk.org header.s=ef5046eb header.b=SiUXC+8r; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id z20-v6si7717837pgj.159.2018.09.10.13.42.26; Mon, 10 Sep 2018 13:42:43 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=fail header.i=@thunk.org header.s=ef5046eb header.b=SiUXC+8r; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726396AbeIKBiL (ORCPT + 99 others); Mon, 10 Sep 2018 21:38:11 -0400 Received: from imap.thunk.org ([74.207.234.97]:44920 "EHLO imap.thunk.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726043AbeIKBiL (ORCPT ); Mon, 10 Sep 2018 21:38:11 -0400 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=thunk.org; s=ef5046eb; h=In-Reply-To:Content-Type:MIME-Version:References:Message-ID: Subject:Cc:To:From:Date:Sender:Reply-To:Content-Transfer-Encoding:Content-ID: Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc :Resent-Message-ID:List-Id:List-Help:List-Unsubscribe:List-Subscribe: List-Post:List-Owner:List-Archive; bh=lj/5WHdNGhoSJHTdcUGGhcfcUrbTMpQ/Biva2Qs3B2Y=; b=SiUXC+8rgLBAbhclXEflg2FLz1 +RsdRY5uoTCicDVBqUh21Fge2HrKz0DaAra52vSHX7bRUcwUtksCHDS2B1P/YqjEhFPP07kkQGN8L Kf58OkS3VqEJbF+mp4nt3ACDi33o+Hh01QFAy5T7cmoihjr20mML2DE55DDHafYAJRmA=; Received: from root (helo=callcc.thunk.org) by imap.thunk.org with local-esmtp (Exim 4.89) (envelope-from ) id 1fzT0m-0001Lm-5X; Mon, 10 Sep 2018 20:42:20 +0000 Received: by callcc.thunk.org (Postfix, from userid 15806) id 6F5B57A56B4; Mon, 10 Sep 2018 16:42:19 -0400 (EDT) Date: Mon, 10 Sep 2018 16:42:19 -0400 From: "Theodore Y. Ts'o" To: Ard Biesheuvel Cc: Meelis Roos , Linux Kernel list , "open list:HARDWARE RANDOM NUMBER GENERATOR CORE" Subject: Re: rng_dev_read: Kernel memory exposure attempt detected from SLUB object 'kmalloc-64' Message-ID: <20180910204219.GG16557@thunk.org> Mail-Followup-To: "Theodore Y. Ts'o" , Ard Biesheuvel , Meelis Roos , Linux Kernel list , "open list:HARDWARE RANDOM NUMBER GENERATOR CORE" References: <20180910195342.GD16557@thunk.org> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: User-Agent: Mutt/1.10.1 (2018-07-13) X-SA-Exim-Connect-IP: X-SA-Exim-Mail-From: tytso@thunk.org X-SA-Exim-Scanned: No (on imap.thunk.org); SAEximRunCond expanded to false Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Mon, Sep 10, 2018 at 10:02:38PM +0200, Ard Biesheuvel wrote: > >> [146535.257274] tpm tpm0: A TPM error (379) occurred attempting get random > >> [146535.257304] usercopy: Kernel memory exposure attempt detected from SLUB object 'kmalloc-64' (offset 0, size 379)! > > The TPM return code '379' is returned from rng_get_data(), and > interpreted as a byte count rather than an error code. So there are two bugs here. Once is in the TPM hw_random driver; it shouldn't be returning the TPM error code. The second is that rng_dev_read() should be more suspicious and validate the number of bytes returned from the low-level hw_random driver for sanity. - Ted