CI and peer review fixes

dgarske · dgarske · commit c371610bf83e · 2026-04-15T11:06:35.000-07:00
diff --git a/.github/workflows/fwtpm-test.yml b/.github/workflows/fwtpm-test.yml
@@ -389,20 +389,36 @@ jobs:
               CFLAGS="${{ matrix.extra_cflags }} -g -O1"
           make
 
+      - name: Start fwtpm_server
+        run: |
+          rm -f fwtpm_nv.bin
+          ./src/fwtpm/fwtpm_server > /tmp/fwtpm_server.log 2>&1 &
+          echo $! > /tmp/fwtpm_server.pid
+          sleep 1
+          kill -0 $(cat /tmp/fwtpm_server.pid)
+
       - name: Run unit.test under valgrind
         run: |
           valgrind --error-exitcode=1 --leak-check=full \
                    --errors-for-leak-kinds=definite \
                    --show-leak-kinds=definite \
                    ./tests/unit.test
 
+      - name: Stop fwtpm_server
+        if: always()
+        run: |
+          if [ -f /tmp/fwtpm_server.pid ]; then
+            kill $(cat /tmp/fwtpm_server.pid) 2>/dev/null || true
+          fi
+
       - name: Upload failure logs
         if: failure()
         uses: actions/upload-artifact@v4
         with:
           name: fwtpm-valgrind-logs-${{ matrix.name }}
           path: |
             /tmp/fwtpm_check_*.log
+            /tmp/fwtpm_server.log
             test-suite.log
             tests/*.log
             config.log
diff --git a/src/fwtpm/fwtpm_tis.c b/src/fwtpm/fwtpm_tis.c
@@ -411,6 +411,7 @@ int FWTPM_TIS_ServerLoop(FWTPM_CTX* ctx)
 {
     FWTPM_TIS_HAL* hal;
     FWTPM_TIS_REGS* regs;
+    TPM_RC retRc = TPM_RC_SUCCESS;
     int rc;
 #ifndef _WIN32
     struct sigaction sa;
@@ -441,7 +442,10 @@ int FWTPM_TIS_ServerLoop(FWTPM_CTX* ctx)
             continue; /* EINTR or transient, retry */
         }
         if (rc < 0) {
-            break; /* fatal error */
+            /* Fatal HAL error — propagate so the caller can distinguish
+             * this from a clean shutdown via ctx->running=0. */
+            retRc = TPM_RC_FAILURE;
+            break;
         }
 
         /* Process the register access */
@@ -453,7 +457,7 @@ int FWTPM_TIS_ServerLoop(FWTPM_CTX* ctx)
         }
     }
 
-    return TPM_RC_SUCCESS;
+    return retRc;
 }
 
 #endif /* WOLFTPM_FWTPM && WOLFTPM_FWTPM_TIS */
diff --git a/src/fwtpm/fwtpm_tis_shm.c b/src/fwtpm/fwtpm_tis_shm.c
@@ -68,6 +68,11 @@ static int TisShmInit(void* ctx, FWTPM_TIS_REGS** regs)
 {
     FWTPM_TIS_SHM_CTX* shm = (FWTPM_TIS_SHM_CTX*)ctx;
     int fd;
+    /* Threat model: fwtpm_server is a dev/test tool and is NOT intended to
+     * run setuid or as a privileged daemon. O_NOFOLLOW + mode 0600 is
+     * sufficient for non-privileged execution. We intentionally avoid
+     * O_EXCL so the server can recover from a prior unclean shutdown
+     * without manual cleanup of the shm file. */
     int openFlags = O_CREAT | O_RDWR | O_TRUNC;
 
 #ifdef O_NOFOLLOW
diff --git a/src/tpm2_packet.c b/src/tpm2_packet.c
@@ -60,18 +60,26 @@ void TPM2_Packet_U64ToByteArray(UINT64 val, BYTE* b)
     }
 }
 
-/* Big-endian byte-array load helpers */
+/* Big-endian byte-array load helpers. Mirror the NULL-guard convention of the
+ * U*ToByteArray store helpers above so callers get 0 for a NULL input rather
+ * than a crash. */
 UINT16 TPM2_Packet_ByteArrayToU16(const BYTE* b)
 {
+    if (b == NULL)
+        return 0;
     return (UINT16)(((UINT16)b[0] << 8) | b[1]);
 }
 UINT32 TPM2_Packet_ByteArrayToU32(const BYTE* b)
 {
+    if (b == NULL)
+        return 0;
     return ((UINT32)b[0] << 24) | ((UINT32)b[1] << 16) |
            ((UINT32)b[2] << 8)  | b[3];
 }
 UINT64 TPM2_Packet_ByteArrayToU64(const BYTE* b)
 {
+    if (b == NULL)
+        return 0;
     return ((UINT64)b[0] << 56) | ((UINT64)b[1] << 48) |
            ((UINT64)b[2] << 40) | ((UINT64)b[3] << 32) |
            ((UINT64)b[4] << 24) | ((UINT64)b[5] << 16) |
@@ -258,7 +266,9 @@ void TPM2_Packet_ParseBytes(TPM2_Packet* packet, byte* buf, int size)
 void TPM2_Packet_ParseU16Buf(TPM2_Packet* packet, UINT16* size, byte* buf,
     UINT16 maxBufSz)
 {
-    UINT16 wireSize;
+    /* Init to 0 so a NULL packet (TPM2_Packet_ParseU16 is a no-op in that
+     * case) leaves wireSize well-defined for the arithmetic below. */
+    UINT16 wireSize = 0;
     UINT16 copySz;
 
     TPM2_Packet_ParseU16(packet, &wireSize);
@@ -809,6 +819,9 @@ TPM_RC TPM2_Packet_ParseSensitiveCreate(TPM2_Packet* packet, int maxSize,
     UINT16 dataSz = 0;
     int sensStartPos;
 
+    if (packet == NULL || userAuth == NULL) {
+        return BAD_FUNC_ARG;
+    }
     if (packet->pos + 2 > maxSize) {
         rc = TPM_RC_COMMAND_SIZE;
     }
diff --git a/tests/unit_tests.c b/tests/unit_tests.c
@@ -910,7 +910,7 @@ static void test_TPM2_HmacCompute(void)
         digest, &digestSz);
     AssertIntEQ(0, rc);
     AssertIntEQ(32, (int)digestSz);
-    AssertIntEQ(XMEMCMP(digest, hmacExp, sizeof(hmacExp)), 0);
+    AssertIntEQ(0, XMEMCMP(digest, hmacExp, sizeof(hmacExp)));
 
     /* Test HmacVerify with correct expected value */
     rc = TPM2_HmacVerify(TPM_ALG_SHA256,

Original file line number	Diff line number	Diff line change
`@@ -411,6 +411,7 @@ int FWTPM_TIS_ServerLoop(FWTPM_CTX* ctx)`
`411`	`411`	`{`
`412`	`412`	`FWTPM_TIS_HAL* hal;`
`413`	`413`	`FWTPM_TIS_REGS* regs;`
	`414`	`+ TPM_RC retRc = TPM_RC_SUCCESS;`
`414`	`415`	`int rc;`
`415`	`416`	`#ifndef _WIN32`
`416`	`417`	`struct sigaction sa;`
`@@ -441,7 +442,10 @@ int FWTPM_TIS_ServerLoop(FWTPM_CTX* ctx)`
`441`	`442`	`continue; /* EINTR or transient, retry */`
`442`	`443`	`}`
`443`	`444`	`if (rc < 0) {`
`444`		`- break; /* fatal error */`
	`445`	`+ /* Fatal HAL error — propagate so the caller can distinguish`
	`446`	`+ * this from a clean shutdown via ctx->running=0. */`
	`447`	`+ retRc = TPM_RC_FAILURE;`
	`448`	`+ break;`
`445`	`449`	`}`
`446`	`450`
`447`	`451`	`/* Process the register access */`
`@@ -453,7 +457,7 @@ int FWTPM_TIS_ServerLoop(FWTPM_CTX* ctx)`
`453`	`457`	`}`
`454`	`458`	`}`
`455`	`459`
`456`		`- return TPM_RC_SUCCESS;`
	`460`	`+ return retRc;`
`457`	`461`	`}`
`458`	`462`
`459`	`463`	`#endif /* WOLFTPM_FWTPM && WOLFTPM_FWTPM_TIS */`
Original file line number	Diff line number	Diff line change
`@@ -60,18 +60,26 @@ void TPM2_Packet_U64ToByteArray(UINT64 val, BYTE* b)`
`60`	`60`	`}`
`61`	`61`	`}`
`62`	`62`
`63`		`-/* Big-endian byte-array load helpers */`
	`63`	`+/* Big-endian byte-array load helpers. Mirror the NULL-guard convention of the`
	`64`	`+ * U*ToByteArray store helpers above so callers get 0 for a NULL input rather`
	`65`	`+ * than a crash. */`
`64`	`66`	`UINT16 TPM2_Packet_ByteArrayToU16(const BYTE* b)`
`65`	`67`	`{`
	`68`	`+ if (b == NULL)`
	`69`	`+ return 0;`
`66`	`70`	`return (UINT16)(((UINT16)b[0] << 8) \| b[1]);`
`67`	`71`	`}`
`68`	`72`	`UINT32 TPM2_Packet_ByteArrayToU32(const BYTE* b)`
`69`	`73`	`{`
	`74`	`+ if (b == NULL)`
	`75`	`+ return 0;`
`70`	`76`	`return ((UINT32)b[0] << 24) \| ((UINT32)b[1] << 16) \|`
`71`	`77`	`((UINT32)b[2] << 8) \| b[3];`
`72`	`78`	`}`
`73`	`79`	`UINT64 TPM2_Packet_ByteArrayToU64(const BYTE* b)`
`74`	`80`	`{`
	`81`	`+ if (b == NULL)`
	`82`	`+ return 0;`
`75`	`83`	`return ((UINT64)b[0] << 56) \| ((UINT64)b[1] << 48) \|`
`76`	`84`	`((UINT64)b[2] << 40) \| ((UINT64)b[3] << 32) \|`
`77`	`85`	`((UINT64)b[4] << 24) \| ((UINT64)b[5] << 16) \|`
`@@ -258,7 +266,9 @@ void TPM2_Packet_ParseBytes(TPM2_Packet* packet, byte* buf, int size)`
`258`	`266`	`void TPM2_Packet_ParseU16Buf(TPM2_Packet* packet, UINT16* size, byte* buf,`
`259`	`267`	`UINT16 maxBufSz)`
`260`	`268`	`{`
`261`		`- UINT16 wireSize;`
	`269`	`+ /* Init to 0 so a NULL packet (TPM2_Packet_ParseU16 is a no-op in that`
	`270`	`+ * case) leaves wireSize well-defined for the arithmetic below. */`
	`271`	`+ UINT16 wireSize = 0;`
`262`	`272`	`UINT16 copySz;`
`263`	`273`
`264`	`274`	`TPM2_Packet_ParseU16(packet, &wireSize);`
`@@ -809,6 +819,9 @@ TPM_RC TPM2_Packet_ParseSensitiveCreate(TPM2_Packet* packet, int maxSize,`
`809`	`819`	`UINT16 dataSz = 0;`
`810`	`820`	`int sensStartPos;`
`811`	`821`
	`822`	`+ if (packet == NULL \|\| userAuth == NULL) {`
	`823`	`+ return BAD_FUNC_ARG;`
	`824`	`+ }`
`812`	`825`	`if (packet->pos + 2 > maxSize) {`
`813`	`826`	`rc = TPM_RC_COMMAND_SIZE;`
`814`	`827`	`}`