Re: [PATCH v7 01/11] tpm: Cap the number of PCR banks

[Lai, Yi]

On Thu, Nov 27, 2025 at 03:54:33PM +0200, Jarkko Sakkinen wrote:
> From: Jarkko Sakkinen <jarkko....@opinsys.com>
>
> tpm2_get_pcr_allocation() does not cap any upper limit for the number of
> banks. Cap the limit to eight banks so that out of bounds values coming
> from external I/O cause on only limited harm.
>
> Cc: Roberto Sassu <robert...@huawei.com>
> Fixes: bcfff8384f6c ("tpm: dynamically allocate the allocated_banks array")
> Reviewed-By: Jonathan McDowell <noo...@meta.com>
> Signed-off-by: Jarkko Sakkinen <jarkko....@opinsys.com>
> ---
> v7:
> - In Ryzen desktop there is total three banks so yep, eight is probably
> much safer bet than four banks. Fixed the commit message as per remark
> from Jonathan:
>
> https://lore.kernel.org/linux-integrity/aPYg1N0T...@earth.li/#t
>
> And with that added also reviewed-by.
> v6
> - No changes.
> v5:
> - No changes.
> v4:
> - Revert spurious changes from include/linux/tpm.h.
> - Increase TPM2_MAX_BANKS to 8.
> - Rename TPM2_MAX_BANKS as TPM2_MAX_PCR_BANKS for the sake of clarity.
> v3:
> - Wrote a more clear commit message.
> - Fixed pr_err() message.
> v2:
> - A new patch.
> ---
> drivers/char/tpm/tpm-chip.c | 13 +++++++++----
> drivers/char/tpm/tpm.h | 1 -
> drivers/char/tpm/tpm1-cmd.c | 25 -------------------------
> drivers/char/tpm/tpm2-cmd.c | 8 +++-----
> include/linux/tpm.h | 8 +++++---
> 5 files changed, 17 insertions(+), 38 deletions(-)
>
> diff --git a/drivers/char/tpm/tpm-chip.c b/drivers/char/tpm/tpm-chip.c
> index e25daf2396d3..6cb25862688f 100644
> --- a/drivers/char/tpm/tpm-chip.c
> +++ b/drivers/char/tpm/tpm-chip.c
> @@ -559,14 +559,19 @@ static int tpm_add_hwrng(struct tpm_chip *chip)
>
> static int tpm_get_pcr_allocation(struct tpm_chip *chip)
> {
> - int rc;
> + int rc = 0;
>
> if (tpm_is_firmware_upgrade(chip))
> return 0;
>
> - rc = (chip->flags & TPM_CHIP_FLAG_TPM2) ?
> - tpm2_get_pcr_allocation(chip) :
> - tpm1_get_pcr_allocation(chip);
> + if (!(chip->flags & TPM_CHIP_FLAG_TPM2)) {
> + chip->allocated_banks[0].alg_id = TPM_ALG_SHA1;
> + chip->allocated_banks[0].digest_size = hash_digest_size[HASH_ALGO_SHA1];
> + chip->allocated_banks[0].crypto_id = HASH_ALGO_SHA1;
> + chip->nr_allocated_banks = 1;
> + } else {
> + rc = tpm2_get_pcr_allocation(chip);
> + }
>
> if (rc > 0)
> return -ENODEV;
> diff --git a/drivers/char/tpm/tpm.h b/drivers/char/tpm/tpm.h
> index 2726bd38e5ac..a37712c02e44 100644
> --- a/drivers/char/tpm/tpm.h
> +++ b/drivers/char/tpm/tpm.h
> @@ -252,7 +252,6 @@ int tpm1_pcr_read(struct tpm_chip *chip, u32 pcr_idx, u8 *res_buf);
> ssize_t tpm1_getcap(struct tpm_chip *chip, u32 subcap_id, cap_t *cap,
> const char *desc, size_t min_cap_length);
> int tpm1_get_random(struct tpm_chip *chip, u8 *out, size_t max);
> -int tpm1_get_pcr_allocation(struct tpm_chip *chip);
> unsigned long tpm_calc_ordinal_duration(struct tpm_chip *chip, u32 ordinal);
> int tpm_pm_suspend(struct device *dev);
> int tpm_pm_resume(struct device *dev);
> diff --git a/drivers/char/tpm/tpm1-cmd.c b/drivers/char/tpm/tpm1-cmd.c
> index 11088bda4e68..708bc553437b 100644
> --- a/drivers/char/tpm/tpm1-cmd.c
> +++ b/drivers/char/tpm/tpm1-cmd.c
> @@ -786,28 +786,3 @@ int tpm1_pm_suspend(struct tpm_chip *chip, u32 tpm_suspend_pcr)
>
> return rc;
> }
> -
> -/**
> - * tpm1_get_pcr_allocation() - initialize the allocated bank
> - * @chip: TPM chip to use.
> - *
> - * The function initializes the SHA1 allocated bank to extend PCR
> - *
> - * Return:
> - * * 0 on success,
> - * * < 0 on error.
> - */
> -int tpm1_get_pcr_allocation(struct tpm_chip *chip)
> -{
> - chip->allocated_banks = kcalloc(1, sizeof(*chip->allocated_banks),
> - GFP_KERNEL);
> - if (!chip->allocated_banks)
> - return -ENOMEM;
> -
> - chip->allocated_banks[0].alg_id = TPM_ALG_SHA1;
> - chip->allocated_banks[0].digest_size = hash_digest_size[HASH_ALGO_SHA1];
> - chip->allocated_banks[0].crypto_id = HASH_ALGO_SHA1;
> - chip->nr_allocated_banks = 1;
> -
> - return 0;
> -}
> diff --git a/drivers/char/tpm/tpm2-cmd.c b/drivers/char/tpm/tpm2-cmd.c
> index 7d77f6fbc152..97501c567c34 100644
> --- a/drivers/char/tpm/tpm2-cmd.c
> +++ b/drivers/char/tpm/tpm2-cmd.c
> @@ -538,11 +538,9 @@ ssize_t tpm2_get_pcr_allocation(struct tpm_chip *chip)
>
> nr_possible_banks = be32_to_cpup(
> (__be32 *)&buf.data[TPM_HEADER_SIZE + 5]);
> -
> - chip->allocated_banks = kcalloc(nr_possible_banks,
> - sizeof(*chip->allocated_banks),
> - GFP_KERNEL);
> - if (!chip->allocated_banks) {
> + if (nr_possible_banks > TPM2_MAX_PCR_BANKS) {
> + pr_err("tpm: unexpected number of banks: %u > %u",
> + nr_possible_banks, TPM2_MAX_PCR_BANKS);
> rc = -ENOMEM;
> goto out;
> }
> diff --git a/include/linux/tpm.h b/include/linux/tpm.h
> index dc0338a783f3..eb0ff071bcae 100644
> --- a/include/linux/tpm.h
> +++ b/include/linux/tpm.h
> @@ -26,7 +26,9 @@
> #include <crypto/aes.h>
>
> #define TPM_DIGEST_SIZE 20 /* Max TPM v1.2 PCR size */
> -#define TPM_MAX_DIGEST_SIZE SHA512_DIGEST_SIZE
> +
> +#define TPM2_MAX_DIGEST_SIZE SHA512_DIGEST_SIZE
> +#define TPM2_MAX_PCR_BANKS 8
>
> struct tpm_chip;
> struct trusted_key_payload;
> @@ -68,7 +70,7 @@ enum tpm2_curves {
>
> struct tpm_digest {
> u16 alg_id;
> - u8 digest[TPM_MAX_DIGEST_SIZE];
> + u8 digest[TPM2_MAX_DIGEST_SIZE];
> } __packed;
>
> struct tpm_bank_info {
> @@ -189,7 +191,7 @@ struct tpm_chip {
> unsigned int groups_cnt;
>
> u32 nr_allocated_banks;
> - struct tpm_bank_info *allocated_banks;
> + struct tpm_bank_info allocated_banks[TPM2_MAX_PCR_BANKS];
> #ifdef CONFIG_ACPI
> acpi_handle acpi_dev_handle;
> char ppi_version[TPM_PPI_VERSION_LEN + 1];
> --
> 2.52.0
>

Hi Jarkko Sakkinen,

Greetings!

I used Syzkaller and found that there is KASAN: invalid-free in tpm_dev_release in linux-tpmdd branch tpmdd-next-6.19-rc1-v3.

After bisection and the first bad commit is:
"
83f6ace27d21 tpm: Cap the number of PCR banks
"

All detailed into can be found at:
https://github.com/laifryiee/syzkaller_logs/tree/main/251202_193851_tpm_dev_release
Syzkaller repro code:
https://github.com/laifryiee/syzkaller_logs/tree/main/251202_193851_tpm_dev_release/repro.c
Syzkaller repro syscall steps:
https://github.com/laifryiee/syzkaller_logs/tree/main/251202_193851_tpm_dev_release/repro.prog
Syzkaller report:
https://github.com/laifryiee/syzkaller_logs/tree/main/251202_193851_tpm_dev_release/repro.report
Kconfig(make olddefconfig):
https://github.com/laifryiee/syzkaller_logs/tree/main/251202_193851_tpm_dev_release/kconfig_origin
Bisect info:
https://github.com/laifryiee/syzkaller_logs/tree/main/251202_193851_tpm_dev_release/bisect_info.log
bzImage:
https://github.com/laifryiee/syzkaller_logs/raw/refs/heads/main/251202_193851_tpm_dev_release/bzImage_tpmdd-next-6.19-rc1-v3
Issue dmesg:
https://github.com/laifryiee/syzkaller_logs/blob/main/251202_193851_tpm_dev_release/tpmdd-next-6.19-rc1-v3_dmesg.log

"
[ 18.405712] ==================================================================
[ 18.406210] BUG: KASAN: invalid-free in tpm_dev_release+0xdc/0x110
[ 18.406657] Free of addr ff11000011572d38 by task repro/729
[ 18.407037]
[ 18.407156] CPU: 1 UID: 0 PID: 729 Comm: repro Not tainted 6.18.0-tpmdd-next-6+ #1 PREEMPT(voluntary)
[ 18.407167] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.q4
[ 18.407173] Call Trace:
[ 18.407177] <TASK>
[ 18.407180] dump_stack_lvl+0xea/0x150
[ 18.407197] print_report+0xce/0x610
[ 18.407210] ? kasan_complete_mode_report_info+0x40/0x200
[ 18.407220] ? tpm_dev_release+0xdc/0x110
[ 18.407232] kasan_report_invalid_free+0xa7/0xd0
[ 18.407245] ? tpm_dev_release+0xdc/0x110
[ 18.407259] ? tpm_dev_release+0xdc/0x110
[ 18.407271] check_slab_allocation+0x128/0x140
[ 18.407281] __kasan_slab_pre_free+0xd/0x20
[ 18.407291] kfree+0x119/0x620
[ 18.407300] ? tpm_dev_release+0xdc/0x110
[ 18.407311] ? do_wait_intr_irq+0x1e0/0x230
[ 18.407326] ? __pfx_tpm_dev_release+0x10/0x10
[ 18.407340] tpm_dev_release+0xdc/0x110
[ 18.407351] ? tpm_dev_release+0xdc/0x110
[ 18.407363] device_release+0xb6/0x260
[ 18.407374] kobject_put+0x22d/0x550
[ 18.407383] put_device+0x29/0x40
[ 18.407391] vtpm_proxy_fops_release+0x152/0x1e0
[ 18.407403] ? __pfx_vtpm_proxy_fops_release+0x10/0x10
[ 18.407412] __fput+0x41f/0xb70
[ 18.407435] ____fput+0x22/0x30
[ 18.407449] task_work_run+0x19e/0x2b0
[ 18.407467] ? __pfx_task_work_run+0x10/0x10
[ 18.407480] ? __sanitizer_cov_trace_const_cmp4+0x1a/0x20
[ 18.407490] ? switch_task_namespaces+0xdd/0x130
[ 18.407502] do_exit+0x893/0x28c0
[ 18.407519] ? do_group_exit+0x1d8/0x2c0
[ 18.407532] ? __pfx_do_exit+0x10/0x10
[ 18.407545] ? __this_cpu_preempt_check+0x21/0x30
[ 18.407555] ? _raw_spin_unlock_irq+0x2c/0x60
[ 18.407571] ? lockdep_hardirqs_on+0x89/0x110
[ 18.407589] do_group_exit+0xe4/0x2c0
[ 18.407602] __x64_sys_exit_group+0x4d/0x60
[ 18.407615] x64_sys_call+0x21a2/0x21b0
[ 18.407627] do_syscall_64+0x6d/0x450
[ 18.407641] entry_SYSCALL_64_after_hwframe+0x76/0x7e
[ 18.407650] RIP: 0033:0x7f1331118a4d
[ 18.407658] Code: Unable to access opcode bytes at 0x7f1331118a23.
[ 18.407662] RSP: 002b:00007ffec868c668 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[ 18.407671] RAX: ffffffffffffffda RBX: 00007f13311f69e0 RCX: 00007f1331118a4d
[ 18.407677] RDX: 00000000000000e7 RSI: ffffffffffffff80 RDI: 0000000000000000
[ 18.407683] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000020
[ 18.407688] R10: 00007ffec868c510 R11: 0000000000000246 R12: 00007f13311f69e0
[ 18.407694] R13: 00007f13311fbf00 R14: 0000000000000001 R15: 00007f13311fbee8
[ 18.407707] </TASK>
[ 18.407710]
[ 18.423610] Allocated by task 729:
[ 18.423853] kasan_save_stack+0x2c/0x60
[ 18.424122] kasan_save_track+0x18/0x40
[ 18.424392] kasan_save_alloc_info+0x3c/0x50
[ 18.424690] __kasan_kmalloc+0x88/0xa0
[ 18.424954] __kmalloc_cache_noprof+0x2b1/0x840
[ 18.425271] tpm_chip_alloc+0x56/0x4c0
[ 18.425540] vtpmx_fops_ioctl+0x2d0/0x830
[ 18.425819] __x64_sys_ioctl+0x1bf/0x220
[ 18.426100] x64_sys_call+0x1280/0x21b0
[ 18.426366] do_syscall_64+0x6d/0x450
[ 18.426630] entry_SYSCALL_64_after_hwframe+0x76/0x7e
[ 18.426980]
[ 18.427098] The buggy address belongs to the object at ff11000011572000
[ 18.427098] which belongs to the cache kmalloc-4k of size 4096
[ 18.427931] The buggy address is located 3384 bytes inside of
[ 18.427931] 3528-byte region [ff11000011572000, ff11000011572dc8)
[ 18.428720]
[ 18.428836] The buggy address belongs to the physical page:
[ 18.429210] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x11570
[ 18.429744] head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 18.430258] anon flags: 0xfffffc0000040(head|node=0|zone=1|lastcpupid=0x1fffff)
[ 18.430754] page_type: f5(slab)
[ 18.430982] raw: 000fffffc0000040 ff1100000ac38140 0000000000000000 dead000000000001
[ 18.431505] raw: 0000000000000000 0000000080040004 00000000f5000000 0000000000000000
[ 18.432025] head: 000fffffc0000040 ff1100000ac38140 0000000000000000 dead000000000001
[ 18.432549] head: 0000000000000000 0000000080040004 00000000f5000000 0000000000000000
[ 18.433077] head: 000fffffc0000003 ffd4000000455c01 00000000ffffffff 00000000ffffffff
[ 18.433605] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000008
[ 18.434126] page dumped because: kasan: bad access detected
[ 18.434504]
[ 18.434621] Memory state around the buggy address:
[ 18.434950] ff11000011572c00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 18.435438] ff11000011572c80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 18.435925] >ff11000011572d00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 18.436399] ^
[ 18.436744] ff11000011572d80: 00 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc
[ 18.437229] ff11000011572e00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 18.437709] ==================================================================
"

Hope this cound be insightful to you.

Regards,
Yi Lai

---

If you don't need the following environment to reproduce the problem or if you
already have one reproduced environment, please ignore the following information.

How to reproduce:
git clone https://gitlab.com/xupengfe/repro_vm_env.git
cd repro_vm_env
tar -xvf repro_vm_env.tar.gz
cd repro_vm_env; ./start3.sh // it needs qemu-system-x86_64 and I used v7.1.0
// start3.sh will load bzImage_2241ab53cbb5cdb08a6b2d4688feb13971058f65 v6.2-rc5 kernel
// You could change the bzImage_xxx as you want
// Maybe you need to remove line "-drive if=pflash,format=raw,readonly=on,file=./OVMF_CODE.fd \" for different qemu version
You could use below command to log in, there is no password for root.
ssh -p 10023 root@localhost

After login vm(virtual machine) successfully, you could transfer reproduced
binary to the vm by below way, and reproduce the problem in vm:
gcc -pthread -o repro repro.c
scp -P 10023 repro root@localhost:/root/

Get the bzImage for target kernel:
Please use target kconfig and copy it to kernel_src/.config
make olddefconfig
make -jx bzImage //x should equal or less than cpu num your pc has

Fill the bzImage file into above start3.sh to load the target kernel in vm.


Tips:
If you already have qemu-system-x86_64, please ignore below info.
If you want to install qemu v7.1.0 version:
git clone https://github.com/qemu/qemu.git
cd qemu
git checkout -f v7.1.0
mkdir build
cd build
yum install -y ninja-build.x86_64
yum -y install libslirp-devel.x86_64
../configure --target-list=x86_64-softmmu --enable-kvm --enable-vnc --enable-gtk --enable-sdl --enable-usb-redir --enable-slirp
make
make install

[Jarkko Sakkinen]

Thank you. I updated the patch in my branch:

https://git.kernel.org/pub/scm/linux/kernel/git/jarkko/linux-tpmdd.git/commit/?id=bb731e948843a947b2b7e51552c1387e2c377e03

Possible to re-test (I can add your tested-by afterwards)?

BR, Jarkko

[Lai, Yi]

Re-test using the latest branch. Issue cannot be reproduced using the
same binary.

Regards,
Yi Lai

[Jarkko Sakkinen]

I mean tested-by AND reported-by.

BR, Jarkko

[Jarkko Sakkinen]

Duh. Only tested-by since the patch is not yet in mainline (sorry) :-)

BR, Jarkko

[Jarkko Sakkinen]

Thank you!

BR, Jarkko