Re: rng_dev_read: Kernel memory exposure attempt detected from SLUB object 'kmalloc-64'

From: Theodore Y. Ts'o
Date: Mon Sep 10 2018 - 16:42:26 EST

Next message: Jiri Kosina: "RE: [PATCH v5 1/2] x86/speculation: apply IBPB more strictly to avoid cross-process data leak"
Previous message: Michael Straube: "[PATCH] staging: rtl8188eu: change array type to u8"
In reply to: Ard Biesheuvel: "Re: rng_dev_read: Kernel memory exposure attempt detected from SLUB object 'kmalloc-64'"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Mon, Sep 10, 2018 at 10:02:38PM +0200, Ard Biesheuvel wrote:
> >> [146535.257274] tpm tpm0: A TPM error (379) occurred attempting get random
> >> [146535.257304] usercopy: Kernel memory exposure attempt detected from SLUB object 'kmalloc-64' (offset 0, size 379)!
>
> The TPM return code '379' is returned from rng_get_data(), and
> interpreted as a byte count rather than an error code.

So there are two bugs here. Once is in the TPM hw_random driver; it
shouldn't be returning the TPM error code. The second is that
rng_dev_read() should be more suspicious and validate the number of
bytes returned from the low-level hw_random driver for sanity.

- Ted

Next message: Jiri Kosina: "RE: [PATCH v5 1/2] x86/speculation: apply IBPB more strictly to avoid cross-process data leak"
Previous message: Michael Straube: "[PATCH] staging: rtl8188eu: change array type to u8"
In reply to: Ard Biesheuvel: "Re: rng_dev_read: Kernel memory exposure attempt detected from SLUB object 'kmalloc-64'"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]