mirror of
https://github.com/systemd/systemd-stable.git
synced 2025-03-08 20:58:20 +03:00
tpm2: add some extra validation of device string before using it
Let's add some extra validation before constructing and using the .so name to load. This isn't really security sensitive, given that we used secure_getenv() to get the device string (and it thus should have come from a trusted source) but let's better be safe than sorry. (cherry picked from commit 50a085143fa8f5dd6b6b3cef8a6ea2ec7c53ed0d) (cherry picked from commit 542dbc623e00d55224db30280d90f48d51cdf8f8)
parent
e1248c8474
commit
ca5b66b5a3
@ -172,15 +172,27 @@ static int tpm2_init(const char *device, struct tpm2_context *ret) {
|
||||
|
||||
param = strchr(device, ':');
|
||||
if (param) {
|
||||
/* Syntax #1: Pair of driver string and arbitrary parameter */
|
||||
driver = strndupa_safe(device, param - device);
|
||||
if (isempty(driver))
|
||||
return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "TPM2 driver name is empty, refusing.");
|
||||
|
||||
param++;
|
||||
} else {
|
||||
} else if (path_is_absolute(device) && path_is_valid(device)) {
|
||||
/* Syntax #2: TPM device node */
|
||||
driver = "device";
|
||||
param = device;
|
||||
}
|
||||
} else
|
||||
return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Invalid TPM2 driver string, refusing.");
|
||||
|
||||
log_debug("Using TPM2 TCTI driver '%s' with device '%s'.", driver, param);
|
||||
|
||||
fn = strjoina("libtss2-tcti-", driver, ".so.0");
|
||||
|
||||
/* Better safe than sorry, let's refuse strings that cannot possibly be valid driver early, before going to disk. */
|
||||
if (!filename_is_valid(fn))
|
||||
return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "TPM2 driver name '%s' not valid, refusing.", driver);
|
||||
|
||||
dl = dlopen(fn, RTLD_NOW);
|
||||
if (!dl)
|
||||
return log_error_errno(SYNTHETIC_ERRNO(ENOTRECOVERABLE), "Failed to load %s: %s", fn, dlerror());
|
||||
|
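Review bot: The `filename_is_valid(fn)` check runs only after the unvalidated driver substring has already been copied by `strndupa_safe()`, joined by `strjoina()` and printed by `log_debug()`, so an overlong or control-character-laden driver name reaches all three before it is refused. If those helpers are stack-based, as their names suggest, a length bound ahead of the copy would keep the rejection a clean EINVAL, e.g. `if ((size_t) (param - device) > NAME_MAX) return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "TPM2 driver name too long, refusing.");` placed before `strndupa_safe()`, and the `log_debug()` line could move below the validity check. The comment above the check could also state what it protects: `/* A '/' in the name would make dlopen() treat it as a path instead of searching the library directories, hence insist on a plain filename. */`. The body of tpm2_init starts and ends outside this hunk.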