Re: [PATCH 1/3] tpm: protect against locality counter underflow

From: Alexander Steffen
Date: Tue Feb 20 2024 - 13:46:41 EST


On 02.02.2024 04:08, Lino Sanfilippo wrote:
On 01.02.24 23:21, Jarkko Sakkinen wrote:


On Wed Jan 31, 2024 at 7:08 PM EET, Daniel P. Smith wrote:
Commit 933bfc5ad213 introduced the use of a locality counter to control when a
locality request is allowed to be sent to the TPM. In the commit, the counter
is indiscriminately decremented. Thus creating a situation for an integer
underflow of the counter.

What is the sequence of events that leads to this triggering the
underflow? This information should be represent in the commit message.


AFAIU this is:

1. We start with a locality_counter of 0 and then we call tpm_tis_request_locality()
for the first time, but since a locality is (unexpectedly) already active
check_locality() and consequently __tpm_tis_request_locality() return "true".

check_locality() returns true, but __tpm_tis_request_locality() returns the requested locality. Currently, this is always 0, so the check for !ret will always correctly indicate success and increment the locality_count.

But since theoretically a locality != 0 could be requested, the correct fix would be to check for something like ret >= 0 or ret == l instead of !ret. Then the counter will also be incremented correctly for localities != 0, and no underflow will happen later on. Therefore, explicitly checking for an underflow is unnecessary and hides the real problem.

This prevents the locality_counter from being increased to 1, see

ret = __tpm_tis_request_locality(chip, l);
if (!ret) /* Counter not increased since ret == 1 */
priv->locality_count++;

in tpm_tis_request_locality().

If now the locality is released the counter is decreased to below zero (resulting
in an underflow since "locality_counter" is an unsigned int.