[U-Boot,2/3] Infineon TPM: Fix potential buffer overruns

Message ID 1518476197-24517-3-git-send-email-jeremy.boone@gmail.com
State Accepted
Commit afe0e6bddf295d4514ab56cd76d5ec13a9c30b22
Delegated to: Tom Rini
Headers show
Series
  • Fix potential buffer overruns in TPM driver
Related show

Commit Message

Jeremy Boone Feb. 12, 2018, 10:56 p.m.
From: Jeremy Boone <jeremy.boone@nccgroup.trust>

Ensure that the Infineon I2C and SPI TPM driver performs adequate
validation of the length extracted from the TPM response header.
This patch prevents integer underflow when the length was too small,
which could lead to memory corruption.

Signed-off-by: Jeremy Boone <jeremy.boone@nccgroup.trust>
---
 drivers/tpm/tpm_tis_infineon.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

Comments

Tom Rini March 5, 2018, 6:54 p.m. | #1
On Mon, Feb 12, 2018 at 05:56:36PM -0500, Jeremy Boone wrote:

> From: Jeremy Boone <jeremy.boone@nccgroup.trust>
> 
> Ensure that the Infineon I2C and SPI TPM driver performs adequate
> validation of the length extracted from the TPM response header.
> This patch prevents integer underflow when the length was too small,
> which could lead to memory corruption.
> 
> Signed-off-by: Jeremy Boone <jeremy.boone@nccgroup.trust>

Applied to u-boot/master, thanks!

Patch

diff --git a/drivers/tpm/tpm_tis_infineon.c b/drivers/tpm/tpm_tis_infineon.c
index e3e20d8..41b748e 100644
--- a/drivers/tpm/tpm_tis_infineon.c
+++ b/drivers/tpm/tpm_tis_infineon.c
@@ -374,7 +374,8 @@  static int tpm_tis_i2c_recv(struct udevice *dev, u8 *buf, size_t count)
 {
 	struct tpm_chip *chip = dev_get_priv(dev);
 	int size = 0;
-	int expected, status;
+	int status;
+	unsigned int expected;
 	int rc;
 
 	status = tpm_tis_i2c_status(dev);
@@ -394,7 +395,7 @@  static int tpm_tis_i2c_recv(struct udevice *dev, u8 *buf, size_t count)
 	}
 
 	expected = get_unaligned_be32(buf + TPM_RSP_SIZE_BYTE);
-	if ((size_t)expected > count) {
+	if ((size_t)expected > count || (size_t)expected < TPM_HEADER_SIZE) {
 		debug("Error size=%x, expected=%x, count=%x\n", size, expected,
 		      count);
 		return -ENOSPC;