[U-Boot,1/3] STMicro TPM: Fix potential buffer overruns

Message ID 1518476197-24517-2-git-send-email-jeremy.boone@gmail.com
State Accepted
Commit 12e0ab327d1a6711ee40ac9ade2e189d1092e962
Delegated to: Tom Rini
Headers show
Series
  • Fix potential buffer overruns in TPM driver
Related show

Commit Message

Jeremy Boone Feb. 12, 2018, 10:56 p.m.
From: Jeremy Boone <jeremy.boone@nccgroup.trust>

This patch prevents integer underflow when the length was too small,
which could lead to memory corruption.

Signed-off-by: Jeremy Boone <jeremy.boone@nccgroup.trust>
---
 drivers/tpm/tpm_tis_st33zp24_i2c.c | 5 +++--
 drivers/tpm/tpm_tis_st33zp24_spi.c | 5 +++--
 2 files changed, 6 insertions(+), 4 deletions(-)

Comments

Tom Rini March 5, 2018, 6:54 p.m. | #1
On Mon, Feb 12, 2018 at 05:56:35PM -0500, Jeremy Boone wrote:

> From: Jeremy Boone <jeremy.boone@nccgroup.trust>
> 
> This patch prevents integer underflow when the length was too small,
> which could lead to memory corruption.
> 
> Signed-off-by: Jeremy Boone <jeremy.boone@nccgroup.trust>

Applied to u-boot/master, thanks!

Patch

diff --git a/drivers/tpm/tpm_tis_st33zp24_i2c.c b/drivers/tpm/tpm_tis_st33zp24_i2c.c
index c8d0125..245218f 100644
--- a/drivers/tpm/tpm_tis_st33zp24_i2c.c
+++ b/drivers/tpm/tpm_tis_st33zp24_i2c.c
@@ -303,7 +303,8 @@  static int st33zp24_i2c_recv_data(struct udevice *dev, u8 *buf, size_t count)
 static int st33zp24_i2c_recv(struct udevice *dev, u8 *buf, size_t count)
 {
 	struct tpm_chip *chip = dev_get_priv(dev);
-	int size, expected;
+	int size;
+	unsigned int expected;
 
 	if (!chip)
 		return -ENODEV;
@@ -320,7 +321,7 @@  static int st33zp24_i2c_recv(struct udevice *dev, u8 *buf, size_t count)
 	}
 
 	expected = get_unaligned_be32(buf + 2);
-	if (expected > count) {
+	if (expected > count || expected < TPM_HEADER_SIZE) {
 		size = -EIO;
 		goto out;
 	}
diff --git a/drivers/tpm/tpm_tis_st33zp24_spi.c b/drivers/tpm/tpm_tis_st33zp24_spi.c
index dcf55ee..c4c5e05 100644
--- a/drivers/tpm/tpm_tis_st33zp24_spi.c
+++ b/drivers/tpm/tpm_tis_st33zp24_spi.c
@@ -431,7 +431,8 @@  static int st33zp24_spi_recv_data(struct udevice *dev, u8 *buf, size_t count)
 static int st33zp24_spi_recv(struct udevice *dev, u8 *buf, size_t count)
 {
 	struct tpm_chip *chip = dev_get_priv(dev);
-	int size, expected;
+	int size;
+	unsigned int expected;
 
 	if (!chip)
 		return -ENODEV;
@@ -448,7 +449,7 @@  static int st33zp24_spi_recv(struct udevice *dev, u8 *buf, size_t count)
 	}
 
 	expected = get_unaligned_be32(buf + 2);
-	if (expected > count) {
+	if (expected > count || expected < TPM_HEADER_SIZE) {
 		size = -EIO;
 		goto out;
 	}