[tpmdd-devel] tpm_crb: check for bad response size

Message ID 20170311004604.4442-1-jsnitsel@redhat.com
State New
Headers show

Commit Message

Jerry Snitselaar March 11, 2017, 12:46 a.m.
Make sure size of response buffer is at least 6 bytes, or
we will underflow and pass large size_t to memcpy_fromio().
This was encountered while testing earlier version of
locality patchset.

Fixes: 30fc8d138e912 ("tpm: TPM 2.0 CRB Interface")
Signed-off-by: Jerry Snitselaar <jsnitsel@redhat.com>
---
 drivers/char/tpm/tpm_crb.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Comments

Jarkko Sakkinen March 11, 2017, 8:48 a.m. | #1
On Fri, Mar 10, 2017 at 05:46:04PM -0700, Jerry Snitselaar wrote:
> Make sure size of response buffer is at least 6 bytes, or
> we will underflow and pass large size_t to memcpy_fromio().
> This was encountered while testing earlier version of
> locality patchset.
> 
> Fixes: 30fc8d138e912 ("tpm: TPM 2.0 CRB Interface")
> Signed-off-by: Jerry Snitselaar <jsnitsel@redhat.com>

Reviewed-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>

/Jarkko

> ---
>  drivers/char/tpm/tpm_crb.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/drivers/char/tpm/tpm_crb.c b/drivers/char/tpm/tpm_crb.c
> index 89dc8a176ff1..cda4f312d1c9 100644
> --- a/drivers/char/tpm/tpm_crb.c
> +++ b/drivers/char/tpm/tpm_crb.c
> @@ -236,7 +236,7 @@ static int crb_recv(struct tpm_chip *chip, u8 *buf, size_t count)
>  
>  	memcpy_fromio(buf, priv->rsp, 6);
>  	expected = be32_to_cpup((__be32 *) &buf[2]);
> -	if (expected > count)
> +	if (expected > count || expected < 6)
>  		return -EIO;
>  
>  	memcpy_fromio(&buf[6], &priv->rsp[6], expected - 6);
> -- 
> 2.11.0.258.ge05806da9
> 

------------------------------------------------------------------------------
Announcing the Oxford Dictionaries API! The API offers world-renowned
dictionary content that is easy and intuitive to access. Sign up for an
account today to start using our lexical data to power your apps and
projects. Get started today and enter our developer competition.
http://sdm.link/oxford

Patch

diff --git a/drivers/char/tpm/tpm_crb.c b/drivers/char/tpm/tpm_crb.c
index 89dc8a176ff1..cda4f312d1c9 100644
--- a/drivers/char/tpm/tpm_crb.c
+++ b/drivers/char/tpm/tpm_crb.c
@@ -236,7 +236,7 @@  static int crb_recv(struct tpm_chip *chip, u8 *buf, size_t count)
 
 	memcpy_fromio(buf, priv->rsp, 6);
 	expected = be32_to_cpup((__be32 *) &buf[2]);
-	if (expected > count)
+	if (expected > count || expected < 6)
 		return -EIO;
 
 	memcpy_fromio(&buf[6], &priv->rsp[6], expected - 6);