tpm2-software / tpm2-tools

The source repository for the Trusted Platform Module (TPM2.0) tools
https://tpm2-software.github.io

tpm2 combined tool segfaults when no subcommand is specified #2811

Closed thwalker3 closed 3 years ago

thwalker3 commented 3 years ago

Simply running 'tpm2' is presumably expected to output the list of possible tpm2 subcommands but instead segfaults because argv[optind] runs off of the end of the array.

GNU gdb (Debian 8.2.1-2+b3) 8.2.1
Copyright (C) 2018 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Type "show copying" and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
    <http://www.gnu.org/software/gdb/documentation/>.

For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from /usr/bin/tpm2...Reading symbols from /usr/lib/debug/.build-id/8d/451cc348194332a54c8b5d18ba0e29ba8b259d.debug...done.
done.
[New LWP 658380]
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Core was generated by `tpm2'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  0x000055d615b0951f in tpm2_handle_options (argc=2, argv=0x7ffe03cf10c0, tool_opts=0x0, flags=0x0, tcti=0x0) at lib/tpm2_options.c:301
301                     if (!strcmp(argv[optind - 1], "--help=no-man") ||
(gdb) bt
#0  0x000055d615b0951f in tpm2_handle_options (argc=2, argv=0x7ffe03cf10c0, tool_opts=0x0, flags=0x0, tcti=0x0) at lib/tpm2_options.c:301
#1  0x000055d615acfc31 in main (argc=1, argv=0x7ffe03cf11f8) at tools/tpm2_tool.c:156
(gdb) list
296                 /*
297                  * argv[0] = "tool name"
298                  * argv[1] = "--help=no/man" argv[2] = 0
299                  */
300                 if (argv[optind - 1]) {
301                     if (!strcmp(argv[optind - 1], "--help=no-man") ||
302                         !strcmp(argv[optind - 1], "-h=no-man") ||
303                         (argv[optind] && !strcmp(argv[optind], "no-man"))) {
304                         manpager = false;
305                         optind++;
(gdb) p argv[optind]
$3 = 0x756e654700000016 <error: Cannot access memory at address 0x756e654700000016>

idesai commented 3 years ago

@thwalker3, thanks for reporting. Can you please share what version of the tools?

thwalker3 commented 3 years ago

I was still back on 5.0 and it looks like this was fixed in https://github.com/tpm2-software/tpm2-tools/commit/fb1e0d98eca5279bf33304deedd9019b0130393a. Sorry for the noise!
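
The condition in the gdb listing above tests `argv[optind]` against NULL but never compares `optind` with `argc`, so it is only safe when the array really carries a terminator at `argv[argc]`. The following C sketch is an added example, not tpm2-tools code and not the change made in the linked commit; the helper names `arg_at` and `help_requests_no_man` and the sample vectors are hypothetical.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper: return argv[idx] only when idx lies inside the
 * argc elements the caller actually owns; never trust argv[argc]. */
static const char *arg_at(int argc, char *const argv[], int idx)
{
    if (argv == NULL || idx < 0 || idx >= argc)
        return NULL;
    return argv[idx];
}

/* Same decision as the condition at tpm2_options.c:300-303, with idx in
 * the role of optind: true when the help request asks for no man pager. */
bool help_requests_no_man(int argc, char *const argv[], int idx)
{
    const char *prev = arg_at(argc, argv, idx - 1);
    const char *next = arg_at(argc, argv, idx);

    if (prev == NULL)
        return false;
    if (strcmp(prev, "--help=no-man") == 0 || strcmp(prev, "-h=no-man") == 0)
        return true;
    /* "-h no-man": the value is a separate word, if one exists. */
    return next != NULL && strcmp(next, "no-man") == 0;
}

/* Constructed sample vectors. The third slot of sample_words is used as
 * "whatever lies past the end" when argc is passed as 2. */
static char *sample_words[] = { "tpm2", "-h", "no-man" };
static char *sample_equals[] = { "tpm2", "--help=no-man" };

int main(void)
{
    printf("%d\n", help_requests_no_man(3, sample_words, 2));  /* 1 */
    printf("%d\n", help_requests_no_man(2, sample_words, 2));  /* 0 */
    printf("%d\n", help_requests_no_man(2, sample_equals, 2)); /* 1 */
    printf("%d\n", help_requests_no_man(1, sample_words, 1));  /* 0 */
    return 0;
}
```

The second call passes `argc` as 2 over a three-element array, so the slot past the end is never read even though it holds a matching string.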