Skip to content

Commit 5355074

Browse files
dgarskedgarske
committed
Fixes from Skoll review.
1 parent a2f52d4 commit 5355074

File tree

9 files changed

+91
-45
lines changed

9 files changed

+91
-45
lines changed

hal/tpm_io_fwtpm.c

Lines changed: 18 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -43,6 +43,7 @@
4343
#endif
4444

4545
#include <sys/mman.h>
46+
#include <sys/stat.h>
4647
#include <semaphore.h>
4748

4849
/* Static client context (one connection per process).
@@ -54,6 +55,7 @@ static int gFwtpmClientInit = 0;
5455
int FWTPM_TIS_ClientConnect(FWTPM_TIS_CLIENT_CTX* client)
5556
{
5657
int fd;
58+
struct stat st;
5759
FWTPM_TIS_REGS* shm;
5860
sem_t* semCmd;
5961
sem_t* semRsp;
@@ -75,6 +77,17 @@ int FWTPM_TIS_ClientConnect(FWTPM_TIS_CLIENT_CTX* client)
7577
return TPM_RC_FAILURE;
7678
}
7779

80+
/* Verify file is large enough before mapping */
81+
if (fstat(fd, &st) != 0 ||
82+
st.st_size < (off_t)sizeof(FWTPM_TIS_REGS)) {
83+
#ifdef DEBUG_WOLFTPM
84+
printf("fwTPM HAL: shm file too small (expected %lu)\n",
85+
(unsigned long)sizeof(FWTPM_TIS_REGS));
86+
#endif
87+
close(fd);
88+
return TPM_RC_FAILURE;
89+
}
90+
7891
shm = (FWTPM_TIS_REGS*)mmap(NULL, sizeof(FWTPM_TIS_REGS),
7992
PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0);
8093
if (shm == MAP_FAILED) {
@@ -178,12 +191,16 @@ int TPM2_IoCb_FwTPM(TPM2_CTX* ctx, int isRead, word32 addr,
178191
* Note: thread safety is provided by the TPM context lock in tpm2_tis.c
179192
* (TPM2_AcquireLock), so no additional mutex is needed here. */
180193
if (!gFwtpmClientInit) {
194+
static int atexitRegistered = 0;
181195
int rc = FWTPM_TIS_ClientConnect(client);
182196
if (rc != TPM_RC_SUCCESS) {
183197
return rc;
184198
}
185199
gFwtpmClientInit = 1;
186-
atexit(FWTPM_TIS_ClientCleanup);
200+
if (!atexitRegistered) {
201+
atexit(FWTPM_TIS_ClientCleanup);
202+
atexitRegistered = 1;
203+
}
187204
}
188205

189206
shm = client->shm;

scripts/fwtpm_emu_test.sh

Lines changed: 0 additions & 9 deletions
Original file line numberDiff line numberDiff line change
@@ -64,15 +64,6 @@ if [ -z "$M33MU" ] || [ ! -x "$M33MU" ]; then
6464
exit 1
6565
fi
6666

67-
# Verify m33mu can actually run (catch missing shared libs)
68-
if ! "$M33MU" --version > /dev/null 2>&1; then
69-
echo "ERROR: m33mu found at $M33MU but failed to execute."
70-
echo " Checking shared library dependencies:"
71-
ldd "$M33MU" 2>&1 | grep -i "not found" || echo " (no missing libraries detected)"
72-
echo " File type: $(file "$M33MU")"
73-
exit 1
74-
fi
75-
7667
echo "=== fwTPM Emulator Test ==="
7768
echo " m33mu: $M33MU"
7869
echo " TZEN: $TZEN"

src/fwtpm/fwtpm_command.c

Lines changed: 12 additions & 6 deletions
Original file line numberDiff line numberDiff line change
@@ -315,7 +315,9 @@ static int FwGetEntityName(FWTPM_CTX* ctx, TPM_HANDLE handle,
315315
if (nv != NULL) {
316316
UINT16 nvNameSz = 0;
317317
FwComputeNvName(nv, nameBuf, &nvNameSz);
318-
return (int)nvNameSz;
318+
if (nvNameSz <= nameBufSz) {
319+
return (int)nvNameSz;
320+
}
319321
}
320322
}
321323
#endif /* !FWTPM_NO_NV */
@@ -3367,7 +3369,12 @@ static TPM_RC FwCmd_Create(FWTPM_CTX* ctx, TPM2_Packet* cmd,
33673369
}
33683370
if (rc == 0) {
33693371
TPM2_Packet_ParseU16(cmd, &outsideInfoSize);
3370-
cmd->pos += outsideInfoSize;
3372+
if (cmd->pos + outsideInfoSize > cmdSize) {
3373+
rc = TPM_RC_COMMAND_SIZE;
3374+
}
3375+
else {
3376+
cmd->pos += outsideInfoSize;
3377+
}
33713378
}
33723379

33733380
/* Parse creationPCR (TPML_PCR_SELECTION) - skip */
@@ -4455,7 +4462,7 @@ static TPM_RC FwCmd_Import(FWTPM_CTX* ctx, TPM2_Packet* cmd,
44554462
TPM2_ForceZero(privKeyDer, FWTPM_MAX_PRIVKEY_DER);
44564463
FWTPM_FREE_BUF(privKeyDer);
44574464
FWTPM_FREE_BUF(pubAreaBuf);
4458-
TPM2_ForceZero(plainSens, FWTPM_MAX_DATA_BUF);
4465+
TPM2_ForceZero(plainSens, FWTPM_MAX_SENSITIVE_SIZE);
44594466
FWTPM_FREE_BUF(plainSens);
44604467
TPM2_ForceZero(primeBuf, FWTPM_MAX_DER_SIG_BUF);
44614468
FWTPM_FREE_BUF(primeBuf);
@@ -5392,6 +5399,7 @@ static TPM_RC FwCmd_CreateLoaded(FWTPM_CTX* ctx, TPM2_Packet* cmd,
53925399

53935400
TPM2_ForceZero(&userAuth, sizeof(userAuth));
53945401
TPM2_ForceZero(sensData, sizeof(sensData));
5402+
TPM2_ForceZero(&outPrivate, sizeof(outPrivate));
53955403
TPM2_ForceZero(privKeyDer, FWTPM_MAX_PRIVKEY_DER);
53965404
FWTPM_FREE_BUF(privKeyDer);
53975405
return rc;
@@ -11650,9 +11658,7 @@ static TPM_RC FwCmd_EC_Ephemeral(FWTPM_CTX* ctx, TPM2_Packet* cmd,
1165011658
}
1165111659

1165211660
if (rc == 0) {
11653-
UINT32 curveID32;
11654-
TPM2_Packet_ParseU32(cmd, &curveID32);
11655-
curveID = (UINT16)curveID32;
11661+
TPM2_Packet_ParseU16(cmd, &curveID);
1165611662

1165711663
wcCurve = FwGetWcCurveId(curveID);
1165811664
keySz = FwGetEccKeySize(curveID);

src/fwtpm/fwtpm_crypto.c

Lines changed: 16 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -1621,6 +1621,9 @@ TPM_RC FwImportVerifyAndDecrypt(
16211621
* HMAC-nameAlg(hmacKeyBuf, encSens || name.name) */
16221622
if (rc == 0) {
16231623
wcHmacType = FwGetWcHashType(parentNameAlg);
1624+
rc = wc_HmacInit(hmacObj, NULL, INVALID_DEVID);
1625+
}
1626+
if (rc == 0) {
16241627
rc = wc_HmacSetKey(hmacObj, (int)wcHmacType,
16251628
hmacKeyBuf, (word32)digestSz);
16261629
if (rc == 0) {
@@ -2021,12 +2024,18 @@ int FwRsaComputeCRT(RsaKey* rsaKey)
20212024
}
20222025

20232026
/* phi = (p-1)(q-1) */
2024-
mp_sub_d(&rsaKey->p, 1, &pm1);
2025-
mp_sub_d(&rsaKey->q, 1, &qm1);
2026-
mp_mul(&pm1, &qm1, &phi);
2027+
rc = mp_sub_d(&rsaKey->p, 1, &pm1);
2028+
if (rc == 0) {
2029+
rc = mp_sub_d(&rsaKey->q, 1, &qm1);
2030+
}
2031+
if (rc == 0) {
2032+
rc = mp_mul(&pm1, &qm1, &phi);
2033+
}
20272034

20282035
/* d = e^{-1} mod phi */
2029-
rc = mp_invmod(&rsaKey->e, &phi, &rsaKey->d);
2036+
if (rc == 0) {
2037+
rc = mp_invmod(&rsaKey->e, &phi, &rsaKey->d);
2038+
}
20302039
if (rc == 0) {
20312040
rc = mp_mod(&rsaKey->d, &pm1, &rsaKey->dP);
20322041
}
@@ -2040,6 +2049,9 @@ int FwRsaComputeCRT(RsaKey* rsaKey)
20402049
mp_forcezero(&pm1);
20412050
mp_forcezero(&qm1);
20422051
mp_forcezero(&phi);
2052+
mp_clear(&pm1);
2053+
mp_clear(&qm1);
2054+
mp_clear(&phi);
20432055

20442056
if (rc != 0) {
20452057
rc = TPM_RC_FAILURE;

src/fwtpm/fwtpm_nv.c

Lines changed: 34 additions & 12 deletions
Original file line numberDiff line numberDiff line change
@@ -309,6 +309,9 @@ static int FwNvMarshalPublic(byte* buf, word32* pos, word32 maxSz,
309309
XMEMCPY(&pub2b.publicArea, pub, sizeof(TPMT_PUBLIC));
310310
TPM2_Packet_AppendPublic(&pkt, &pub2b);
311311

312+
if (pkt.pos <= 0 || (word32)pkt.pos > (maxSz - *pos)) {
313+
return TPM_RC_FAILURE;
314+
}
312315
*pos += pkt.pos;
313316
return 0;
314317
}
@@ -325,6 +328,10 @@ static int FwNvUnmarshalPublic(const byte* buf, word32* pos, word32 maxSz,
325328
pkt.size = (int)(maxSz - *pos);
326329

327330
TPM2_Packet_ParsePublic(&pkt, &pub2b);
331+
332+
if (pkt.pos <= 0 || (word32)pkt.pos > (maxSz - *pos)) {
333+
return TPM_RC_FAILURE;
334+
}
328335
XMEMCPY(pub, &pub2b.publicArea, sizeof(TPMT_PUBLIC));
329336

330337
*pos += pkt.pos;
@@ -509,7 +516,6 @@ static int FwNvUnmarshalObject(const byte* buf, word32* pos, word32 maxSz,
509516
UINT16 privSz;
510517

511518
XMEMSET(obj, 0, sizeof(FWTPM_Object));
512-
obj->used = 1;
513519

514520
rc = FwNvUnmarshalU32(buf, pos, maxSz, &obj->handle);
515521
if (rc == 0) {
@@ -523,8 +529,10 @@ static int FwNvUnmarshalObject(const byte* buf, word32* pos, word32 maxSz,
523529
}
524530
if (rc == 0) {
525531
if (privSz > FWTPM_MAX_PRIVKEY_DER) {
526-
return TPM_RC_FAILURE;
532+
rc = TPM_RC_FAILURE;
527533
}
534+
}
535+
if (rc == 0) {
528536
obj->privKeySize = (int)privSz;
529537
if (privSz > 0) {
530538
rc = FwNvUnmarshalBytes(buf, pos, maxSz, obj->privKey, privSz);
@@ -533,6 +541,9 @@ static int FwNvUnmarshalObject(const byte* buf, word32* pos, word32 maxSz,
533541
if (rc == 0) {
534542
rc = FwNvUnmarshalName(buf, pos, maxSz, &obj->name);
535543
}
544+
if (rc == 0) {
545+
obj->used = 1;
546+
}
536547
return rc;
537548
}
538549

@@ -571,7 +582,6 @@ static int FwNvUnmarshalPrimaryCache(const byte* buf, word32* pos,
571582
UINT16 privSz;
572583

573584
XMEMSET(cache, 0, sizeof(FWTPM_PrimaryCache));
574-
cache->used = 1;
575585

576586
rc = FwNvUnmarshalU32(buf, pos, maxSz, &cache->hierarchy);
577587
if (rc == 0) {
@@ -586,13 +596,18 @@ static int FwNvUnmarshalPrimaryCache(const byte* buf, word32* pos,
586596
}
587597
if (rc == 0) {
588598
if (privSz > FWTPM_MAX_PRIVKEY_DER) {
589-
return TPM_RC_FAILURE;
599+
rc = TPM_RC_FAILURE;
590600
}
601+
}
602+
if (rc == 0) {
591603
cache->privKeySize = (int)privSz;
592604
if (privSz > 0) {
593605
rc = FwNvUnmarshalBytes(buf, pos, maxSz, cache->privKey, privSz);
594606
}
595607
}
608+
if (rc == 0) {
609+
cache->used = 1;
610+
}
596611
return rc;
597612
}
598613

@@ -603,15 +618,15 @@ static int FwNvUnmarshalPrimaryCache(const byte* buf, word32* pos,
603618
/* Write NV header at offset 0 */
604619
static int FwNvWriteHeader(FWTPM_CTX* ctx)
605620
{
606-
FWTPM_NV_HEADER hdr;
621+
byte hdr[sizeof(FWTPM_NV_HEADER)]; /* 4 x UINT32 = 16 bytes */
607622
FWTPM_NV_HAL* hal = &ctx->nvHal;
608623

609-
hdr.magic = FWTPM_NV_MAGIC;
610-
hdr.version = FWTPM_NV_VERSION;
611-
hdr.writePos = ctx->nvWritePos;
612-
hdr.maxSize = hal->maxSize;
624+
FwStoreU32LE(hdr + 0, FWTPM_NV_MAGIC);
625+
FwStoreU32LE(hdr + 4, FWTPM_NV_VERSION);
626+
FwStoreU32LE(hdr + 8, ctx->nvWritePos);
627+
FwStoreU32LE(hdr + 12, hal->maxSize);
613628

614-
return hal->write(hal->ctx, 0, (const byte*)&hdr, sizeof(hdr));
629+
return hal->write(hal->ctx, 0, hdr, sizeof(hdr));
615630
}
616631

617632
/* Append a single TLV entry to the journal */
@@ -960,6 +975,7 @@ int FWTPM_NV_Init(FWTPM_CTX* ctx)
960975
{
961976
int rc;
962977
FWTPM_NV_HEADER hdr;
978+
byte hdrBuf[sizeof(FWTPM_NV_HEADER)];
963979
FWTPM_NV_HAL* hal;
964980
word32 pos;
965981
byte tlvHdr[TLV_HDR_SIZE];
@@ -992,8 +1008,14 @@ int FWTPM_NV_Init(FWTPM_CTX* ctx)
9921008
}
9931009

9941010
/* Try to read existing NV header */
995-
XMEMSET(&hdr, 0, sizeof(hdr));
996-
rc = hal->read(hal->ctx, 0, (byte*)&hdr, sizeof(FWTPM_NV_HEADER));
1011+
XMEMSET(hdrBuf, 0, sizeof(hdrBuf));
1012+
rc = hal->read(hal->ctx, 0, hdrBuf, sizeof(hdrBuf));
1013+
if (rc == TPM_RC_SUCCESS) {
1014+
hdr.magic = FwLoadU32LE(hdrBuf + 0);
1015+
hdr.version = FwLoadU32LE(hdrBuf + 4);
1016+
hdr.writePos = FwLoadU32LE(hdrBuf + 8);
1017+
hdr.maxSize = FwLoadU32LE(hdrBuf + 12);
1018+
}
9971019

9981020
if (rc == TPM_RC_SUCCESS &&
9991021
hdr.magic == FWTPM_NV_MAGIC &&

src/fwtpm/fwtpm_tis.c

Lines changed: 3 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -264,6 +264,9 @@ static void TisHandleRegAccess(FWTPM_CTX* ctx, FWTPM_TIS_REGS* regs)
264264
if (len > avail) {
265265
len = avail;
266266
}
267+
if (len > sizeof(regs->reg_data)) {
268+
len = (UINT32)sizeof(regs->reg_data);
269+
}
267270
for (i = 0; i < len; i++) {
268271
regs->reg_data[i] = regs->rsp_buf[regs->fifo_read_pos++];
269272
}

src/tpm2.c

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -3173,7 +3173,7 @@ TPM_RC TPM2_EC_Ephemeral(EC_Ephemeral_In* in, EC_Ephemeral_Out* out)
31733173

31743174
TPM2_Packet_Init(ctx, &packet);
31753175
st = TPM2_Packet_AppendAuth(&packet, ctx, &info);
3176-
TPM2_Packet_AppendU32(&packet, in->curveID);
3176+
TPM2_Packet_AppendU16(&packet, in->curveID);
31773177
TPM2_Packet_Finalize(&packet, st, TPM_CC_EC_Ephemeral);
31783178

31793179
/* send command */

src/tpm2_packet.c

Lines changed: 5 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -263,7 +263,10 @@ void TPM2_Packet_ParseU16Buf(TPM2_Packet* packet, UINT16* size, byte* buf,
263263

264264
TPM2_Packet_ParseU16(packet, &wireSize);
265265
/* Clamp to remaining packet bytes to prevent pos from going past size */
266-
if (packet && wireSize > (UINT16)(packet->size - packet->pos)) {
266+
if (packet && (packet->pos >= packet->size)) {
267+
wireSize = 0;
268+
}
269+
else if (packet && wireSize > (UINT16)(packet->size - packet->pos)) {
267270
wireSize = (UINT16)(packet->size - packet->pos);
268271
}
269272
copySz = wireSize;
@@ -763,7 +766,7 @@ TPM_RC TPM2_Packet_ParseSensitiveCreate(TPM2_Packet* packet, int maxSize,
763766
{
764767
TPM_RC rc = TPM_RC_SUCCESS;
765768
UINT16 inSensSize;
766-
UINT16 dataSz;
769+
UINT16 dataSz = 0;
767770
int sensStartPos;
768771

769772
if (packet->pos + 2 > maxSize) {

src/tpm2_swtpm.c

Lines changed: 2 additions & 10 deletions
Original file line numberDiff line numberDiff line change
@@ -161,20 +161,12 @@ static TPM_RC SwTpmConnect(TPM2_CTX* ctx, const char* host, const char* port)
161161
struct termios tty;
162162
speed_t baud;
163163
int baudInt;
164-
#ifndef NO_GETENV
165-
const char* envDev;
166-
#endif
167164

168165
if (ctx == NULL) {
169166
return BAD_FUNC_ARG;
170167
}
171-
/* Allow runtime override via TPM2_SWTPM_HOST env var */
172-
#ifndef NO_GETENV
173-
envDev = getenv("TPM2_SWTPM_HOST");
174-
if (envDev != NULL && envDev[0] != '\0') {
175-
host = envDev;
176-
}
177-
#endif
168+
/* Note: TPM2_SWTPM_HOST env var is checked by caller
169+
* (TPM2_SWTPM_SendCommand) before invoking SwTpmConnect */
178170

179171
fd = open(host, O_RDWR | O_NOCTTY);
180172
if (fd < 0) {

0 commit comments

Comments
 (0)