On Tue Sep 24, 2024 at 7:05 PM EEST, Jarkko Sakkinen wrote:
> On Tue Sep 24, 2024 at 1:32 AM EEST, Herbert Xu wrote:
> > On Mon, Sep 23, 2024 at 04:48:27PM +0200, Greg KH wrote:
> > >
> > > Please see:
> > >
> > > https://www.kernel.org/doc/html/latest/process/deprecated.html#bug-and-bug-on
> > > which describes that. We should make it more explicit that any WARN()
> > > or WARN_ON() calls that can be hit by user interactions somehow, will
> > > end up getting a CVE id when we fix it up to not do so.
> >
> > If the aforementioned WARN_ON hits, then the driver has probably
> > already done a buffer overrun so it's a CVE anyway.
>
> We'll see I finally got into testing this. Sorry for latencies, I'm
> switching jobs and unfortunately German Post Office lost my priority
> mail containing contracts (sent them from Finland to Berlin) so have
> been signing, scanning etc. the whole day :-) My last week in the
> current job, and next week is the first in the new job, so this
> week is a bit bumpy.
I get nothing with this:
diff --git a/drivers/char/tpm/tpm2-cmd.c b/drivers/char/tpm/tpm2-cmd.c
index aba024cbe7c5..856a8356d971 100644
--- a/drivers/char/tpm/tpm2-cmd.c
+++ b/drivers/char/tpm/tpm2-cmd.c
@@ -341,12 +341,15 @@ int tpm2_get_random(struct tpm_chip *chip, u8 *dest,
size_t max)
dest_ptr += recd;
total += recd;
+
+ WARN_ON(num_bytes < recd);
num_bytes -= recd;
} while (retries-- && total < max);
tpm_buf_destroy(&buf);
tpm2_end_auth_session(chip);
+ WARN_ON(total > max);
return total ? total : -EIO;
out:
tpm_buf_destroy(&buf);
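Review bot: both temporary checks sit after the data has already been written, so a hit confirms an overrun rather than preventing one: `WARN_ON(num_bytes < recd);` follows `dest_ptr += recd; total += recd;`, and `WARN_ON(total > max);` only runs once the loop has exited and `tpm2_end_auth_session(chip);` has returned. For a diagnostic diff that is acceptable, but to learn which iteration overran, the `total > max` check would be more useful inside the loop directly after `total += recd;`. Placing the `num_bytes < recd` check before `num_bytes -= recd;` is the right order, since if `num_bytes` is unsigned the subtraction would wrap silently instead of going negative and nothing after it would notice.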
[WARN_ON()'s here are only for the temporary diff]
Call stack:
1. tpm2_get_random():
https://elixir.bootlin.com/linux/v6.11-rc7/source/drivers/char/tpm/tpm2-cmd.c#L281
2. tpm_get_random():
https://elixir.bootlin.com/linux/v6.11-rc7/source/drivers/char/tpm/tpm-interface.c#L430
3. tpm_hwrng_read():
https://elixir.bootlin.com/linux/v6.11-rc7/source/drivers/char/tpm/tpm-chip.c#L524
Everything also seems to have appropriate range checks.
Without any traces that would provide more information I don't see
the smoking gun.
BR, Jarkko
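An added example, not code from this thread or from the kernel's tpm2-cmd.c: a user-space C model of the request loop in the diff above, written to show what the two temporary WARN_ON()s would report and when. The mock device (which may report more bytes than were requested), the cap MODEL_MAX_RNG_DATA, the run_case() helper and the optional clamp of recd to num_bytes are all assumptions of this model, not statements about the driver.

```c
/* Added example (not kernel code): a user-space model of the request loop
 * shown in the hunk, used to see what the two temporary WARN_ON()s would
 * catch. The mock device, MODEL_MAX_RNG_DATA and the optional clamp on
 * recd are assumptions of this model, not taken from tpm2-cmd.c. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MODEL_MAX_RNG_DATA 128 /* constructed per-call cap; not the driver's constant */

enum model_rc {
    MODEL_EINVAL     = -1, /* bad max, mirrors an -EINVAL entry check */
    MODEL_OVERRUN    = -2, /* copy would run past dest; refused before writing */
    MODEL_WARN_RECD  = -3, /* what WARN_ON(num_bytes < recd) would report */
    MODEL_WARN_TOTAL = -4, /* what WARN_ON(total > max) would report */
};

/*
 * reported: the size field the mock device puts in every response (it is
 *           allowed to exceed what was requested, emulating a misbehaving TPM)
 * dest_cap: real size of dest, so an overrun is refused instead of executed
 * max:      bytes the caller asked for
 * clamp:    nonzero to bound recd by num_bytes (assumed mitigation)
 * Returns bytes written, or a negative model_rc.
 */
static int model_get_random(uint16_t reported, uint8_t *dest, size_t dest_cap,
                            size_t max, int clamp)
{
    uint32_t num_bytes = (uint32_t)max;
    uint32_t total = 0;
    int retries = 5;

    if (!num_bytes || max > MODEL_MAX_RNG_DATA)
        return MODEL_EINVAL;

    do {
        uint32_t size = reported;                       /* out->size from the reply */
        uint32_t recd = (clamp && size > num_bytes) ? num_bytes : size;

        if ((size_t)total + recd > dest_cap)
            return MODEL_OVERRUN;                       /* stop before writing past dest */
        memset(dest + total, 0xAB, recd);               /* stands in for the memcpy */
        total += recd;

        if (num_bytes < recd)                           /* first WARN_ON() in the hunk */
            return MODEL_WARN_RECD;
        num_bytes -= recd;                              /* unsigned: would wrap otherwise */
    } while (retries-- && total < max);

    if (total > max)                                    /* second WARN_ON() in the hunk */
        return MODEL_WARN_TOTAL;
    return (int)total;
}

/* Runs one scenario against a fresh buffer of dest_cap bytes (<= MODEL_MAX_RNG_DATA). */
static int run_case(uint16_t reported, size_t dest_cap, size_t max, int clamp)
{
    uint8_t dest[MODEL_MAX_RNG_DATA];

    if (dest_cap > sizeof(dest))
        return MODEL_EINVAL;
    memset(dest, 0, sizeof(dest));
    return model_get_random(reported, dest, dest_cap, max, clamp);
}

int main(void)
{
    printf("device over-reports, no clamp, tight buffer: %d\n", run_case(32, 16, 16, 0));
    printf("device over-reports, no clamp, roomy buffer: %d\n", run_case(32, 64, 16, 0));
    printf("device over-reports, clamped:                %d\n", run_case(32, 16, 16, 1));
    printf("device under-delivers, clamped, retries:     %d\n", run_case(5, 16, 16, 1));
    printf("device returns nothing:                      %d\n", run_case(0, 16, 16, 1));
    return 0;
}
```

Two things the model makes visible. First, the only way the first WARN_ON() fires is a reply whose size field exceeds the bytes still outstanding with no clamp in between; with the clamp in place the over-reporting device is reduced to exactly the remaining count and the call returns max. Second, because num_bytes is always max minus total, total can exceed max only at a step where num_bytes was already smaller than recd, so the post-loop `total > max` check is redundant with the in-loop one and can never be the first to trigger.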