Re: rng_dev_read: Kernel memory exposure attempt detected from SLUB object 'kmalloc-64'

From: Theodore Y. Ts'o
Date: Mon Sep 10 2018 - 16:42:26 EST


On Mon, Sep 10, 2018 at 10:02:38PM +0200, Ard Biesheuvel wrote:
> >> [146535.257274] tpm tpm0: A TPM error (379) occurred attempting get random
> >> [146535.257304] usercopy: Kernel memory exposure attempt detected from SLUB object 'kmalloc-64' (offset 0, size 379)!
>
> The TPM return code '379' is returned from rng_get_data(), and
> interpreted as a byte count rather than an error code.

So there are two bugs here. Once is in the TPM hw_random driver; it
shouldn't be returning the TPM error code. The second is that
rng_dev_read() should be more suspicious and validate the number of
bytes returned from the low-level hw_random driver for sanity.

- Ted