SIGSEGV in tr_from_tpm_public

[rucoder]

I suddenly caused a SIGSEGC in libtss2-esys.so.0

rust-lldb output with unimportant stuff omitted

running 1 test
Process 2162779 stopped and restarted: thread 2 received signal: SIGCHLD
Process 2162779 stopped
* thread #2, name = 'tpm::tests::cre', stop reason = signal SIGSEGV: address not mapped to object (fault address: 0x0)
    frame #0: 0x00007ffff7eaab60 libtss2-esys.so.0`Esys_TR_FromTPMPublic_Finish + 288
libtss2-esys.so.0`Esys_TR_FromTPMPublic_Finish:
->  0x7ffff7eaab60 <+288>: movl   (%rax), %edx
    0x7ffff7eaab62 <+290>: movq   -0x58(%rbp), %rax
    0x7ffff7eaab66 <+294>: movl   0x48(%rax), %esi
    0x7ffff7eaab69 <+297>: callq  0x7ffff7eaa7c0 ; Esys_TR_FromTPMPublic_Async
(lldb) bt
* thread #2, name = 'tpm::tests::cre', stop reason = signal SIGSEGV: address not mapped to object (fault address: 0x0)
  * frame #0: 0x00007ffff7eaab60 libtss2-esys.so.0`Esys_TR_FromTPMPublic_Finish + 288
    frame #1: 0x00007ffff7eab185 libtss2-esys.so.0`Esys_TR_FromTPMPublic + 85
    frame #2: 0x00005555556f4b91 micro_eve-33764688d1f6d89d`tss_esapi::context::general_esys_tr::_$LT$impl$u20$tss_esapi..context..Context$GT$::tr_from_tpm_public::h4782c5a79ff95a56(self=0x00007ffff73fe558, tpm_handle=TpmHandle @ 0x00007ffff73fe358) at general_esys_tr.rs:247:17
    frame #3: 0x000055555560251f micro_eve-33764688d1f6d89d`micro_eve::tpm::tests::__test_context_wrapped_create_primary_key_sigsegv::h6c963b7cc02eada8(test_context=0x00007ffff73ff500) at tests.rs:759:26
    frame #4: 0x000055555560e875 micro_eve-33764688d1f6d89d`micro_eve::tpm::tests::create_primary_key_sigsegv::_$u7b$$u7b$closure$u7d$$u7d$::h9bd64473262dd6bd at tests.rs:633:1
    frame #5: 0x0000555555609c99 micro_eve-33764688d1f6d89d`std::panicking::try::do_call::ha96e6dc036e27b27(data="") at panicking.rs:557:40
    frame #6: 0x000055555560c6cb micro_eve-33764688d1f6d89d`__rust_try + 27

here is the code I use to reproduce. This is a full test I run in my repo, it uses test-context crate but only to track sessions to swtpm so let mut tpm_context = get_tpm_context_from_tcti(&test_context.get_tcti_name()).unwrap(); can be changed to any call to get Context

Tested on main branch as well

fn create_primary_key_sigsegv(test_context: &SwtpmContext) -> Result<()> {
    fn create_primary_key_on_tpm(ctx: &mut Context) -> Result<CreatePrimaryKeyResult> {
        let creation_pcrs = PcrSelectionList::builder()
            .with_selection(HashingAlgorithm::Sha256, &[PcrSlot::Slot7])
            .build()?;

        let attrs = ObjectAttributes::builder()
            .with_no_da(true)
            .with_decrypt(true)
            .with_sensitive_data_origin(true)
            .with_user_with_auth(true)
            .with_sign_encrypt(true)
            .build()
            .context("Error creating ObjectAttributes")?;

        let ecc_params = PublicEccParameters::builder()
            .with_curve(EccCurve::NistP256)
            //TODO: check following two parameters
            .with_ecc_scheme(EccScheme::Null)
            .with_key_derivation_function_scheme(KeyDerivationFunctionScheme::Null)
            .build()
            .context("Error creating PublicEccParameters")?;

        let public = Public::builder()
            .with_public_algorithm(PublicAlgorithm::Ecc)
            .with_ecc_parameters(ecc_params)
            .with_ecc_unique_identifier(EccPoint::default()) //TODO: this is not in GO
            .with_object_attributes(attrs)
            .with_name_hashing_algorithm(HashingAlgorithm::Sha256)
            .build()?;

        let key_handle = ctx.execute_with_session(Some(AuthSession::Password), |ctx| {
            ctx.create_primary(
                Hierarchy::Owner,
                public,
                None,
                None,
                None,
                Some(creation_pcrs),
            )
        });
        Ok(key_handle?)
    }

    let mut tpm_context = get_tpm_context_from_tcti(&test_context.get_tcti_name()).unwrap();
    tpm_context.set_sessions((Some(AuthSession::Password), None, None));

    // create 2 keys and make them persistent
    for i in 0..1 {
        let key_handle = create_primary_key_on_tpm(&mut tpm_context)?;
        let persistent_key_handle = PersistentTpmHandle::new(DEVICE_KEY_PERSISTENT_HANDLE - i)?;

        //debug!("Primary key created. Public {:#?}", key_handle.out_public);
        // make new key persistent
        let mut persistent_object_handle = tpm_context.evict_control(
            Provision::Owner,
            key_handle.key_handle.into(),
            persistent_key_handle.into(),
        )?;

        // TODO: this works, but should it be done?
        debug!("PH: {:#02x}", persistent_object_handle.value());
        tpm_context.tr_close(&mut persistent_object_handle)?;

        // the key is loaded into TPM and consumes resources. We need to flush it
        tpm_context.flush_context(key_handle.key_handle.into())?;
    }

    // PersistentTpmHandle implelemts Copy so we can treat it as integer and pass around without cloning
    let persistent_key_handle = PersistentTpmHandle::new(DEVICE_KEY_PERSISTENT_HANDLE)?;
    let _tpm_key_handle = tpm_context.tr_from_tpm_public(persistent_key_handle.into())?;

    Ok(())
}

[Superhepper]

What version of tss2-esapi are you using here?

[rucoder]

What version of tss2-esapi are you using here?

@Superhepper that was a tip of master at the time

[Superhepper]

And you used the same library both when you built and when you run it? The reason I am asking is because it seems to me that something is missing when this being executed. So my guesses would be because I do not think I have seen this kind of problem before that either tpm2-tss master had some kind of bug at the time or there is an ABI mismatch between the the library used to build that crate and libraries used to execute the crate.

Perhaps you could also try to run the test that fails and set the logging tpm-tss2 into TRACE mode. That would really spew out everything that is going on.