Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Stack Smashing Detected error on tpm2_createpolicy 3.2.0 #1632

Closed
dnoliver opened this issue Jul 31, 2019 · 6 comments
Closed

Stack Smashing Detected error on tpm2_createpolicy 3.2.0 #1632

dnoliver opened this issue Jul 31, 2019 · 6 comments

Comments

@dnoliver
Copy link
Contributor

Clevis with tpm2-tools-3.1.4-1.fc29.x86_64 worked fine, as noted in latchset/clevis#102

Clevis with tpm2-tools-3.2.0-1.fc30.x86_64 is running into this issue, as noted in latchset/clevis#109

Error Message

[root@fedora-server-1 ~]# clevis luks bind -d /dev/nvme0n1p1 tpm2 '{"pcr_bank":"sha1","pcr_ids":"0,1,2,3,4,5,6,7,8,9"}'

*** stack smashing detected ***: <unknown> terminated
/usr/bin/clevis-encrypt-tpm2: line 133: 10496 Aborted                 (core dumped) tpm2_createpolicy -Q -P -L "$pcr_bank":"$pcr_ids" -F $TMP/pcr.digest -f $TMP/pcr.policy

Versions

[root@fedora-server-1 ~]# rpm -qa clevis* tpm* cryptsetup* luks* libjose*

tpm2-tools-3.2.0-1.fc30.x86_64
tpm2-tss-2.2.3-1.fc30.x86_64
cryptsetup-libs-2.1.0-3.fc30.x86_64
cryptsetup-2.1.0-3.fc30.x86_64
clevis-luks-11-5.fc30.x86_64
libjose-10-4.fc30.x86_64
clevis-11-5.fc30.x86_64
luksmeta-9-2.fc29.x86_64

@martinezjavier suggested that this is a problem with the tpm2_createpolicy command in latchset/clevis#109 (comment)

I remember that there was some build with "hardening" enabled done lately, could that be causing this issue?
@diabonas diabonas mentioned this issue Aug 1, 2019
Merged
@diabonas
Copy link
Member

diabonas commented Aug 1, 2019

This is the same issue as #778: it is not possible to use more than 8 PCRs due to limitations of the TPM 2.0 specification. Of course tpm2_createpolicy shouldn't crash regardless, and this was fixed on master in #780, which produces the much more helpful error message

ERROR: Number of PCR is limited to 8
ERROR: Could not build pcr policy
ERROR: Unable to run tpm2_createpolicy

I have therefore opened #1633 to backport this fix to the 3.X branch as well.

@diabonas
Copy link
Member

diabonas commented Aug 1, 2019

This was already reported for tpm2-tools-3.1.4-1.fc30.x86_64 in #1389, but the commit 9685ea2 referenced there doesn't seem to be sufficient to fix the issue: I can reproduce the crash with the Fedora binaries as well as with my self-compiled binaries based on the current 3.X branch. After applying the fix in #1633, the program exits cleanly with an error message instead of crashing.

@williamcroberts
Copy link
Member

Does #1633 and #1639 fix the issue?

@williamcroberts
Copy link
Member

We should also probably add a test for this...

@dnoliver
Copy link
Contributor Author

dnoliver commented Aug 2, 2019

@williamcroberts yes, there is no crash now.
From clevis, I get a Command 'clevis-encrypt-tpm-{.......}' is invalid, instead of the previous stack smashing detected problem.

@dnoliver dnoliver mentioned this issue Aug 2, 2019
Closed
@williamcroberts
Copy link
Member

williamcroberts commented Aug 2, 2019
edited
Loading

@dnoliver I think the parser logic is limited to 8 pcrs as @martinezjavier mentioned. We could improve the parser to not suck, if someone wants to do that.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@dnoliver @williamcroberts @diabonas