Message ID | 1518476197-24517-3-git-send-email-jeremy.boone@gmail.com |
---|---|
State | Accepted |
Commit | afe0e6bddf295d4514ab56cd76d5ec13a9c30b22 |
Delegated to: | Tom Rini |
Headers | show |
Series | Fix potential buffer overruns in TPM driver | expand |
On Mon, Feb 12, 2018 at 05:56:36PM -0500, Jeremy Boone wrote: > From: Jeremy Boone <jeremy.boone@nccgroup.trust> > > Ensure that the Infineon I2C and SPI TPM driver performs adequate > validation of the length extracted from the TPM response header. > This patch prevents integer underflow when the length was too small, > which could lead to memory corruption. > > Signed-off-by: Jeremy Boone <jeremy.boone@nccgroup.trust> Applied to u-boot/master, thanks!
diff --git a/drivers/tpm/tpm_tis_infineon.c b/drivers/tpm/tpm_tis_infineon.c index e3e20d8..41b748e 100644 --- a/drivers/tpm/tpm_tis_infineon.c +++ b/drivers/tpm/tpm_tis_infineon.c @@ -374,7 +374,8 @@ static int tpm_tis_i2c_recv(struct udevice *dev, u8 *buf, size_t count) { struct tpm_chip *chip = dev_get_priv(dev); int size = 0; - int expected, status; + int status; + unsigned int expected; int rc; status = tpm_tis_i2c_status(dev); @@ -394,7 +395,7 @@ static int tpm_tis_i2c_recv(struct udevice *dev, u8 *buf, size_t count) } expected = get_unaligned_be32(buf + TPM_RSP_SIZE_BYTE); - if ((size_t)expected > count) { + if ((size_t)expected > count || (size_t)expected < TPM_HEADER_SIZE) { debug("Error size=%x, expected=%x, count=%x\n", size, expected, count); return -ENOSPC;