From patchwork Mon Feb 12 22:56:37 2018
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Jeremy Boone <jeremy.boone@gmail.com>
X-Patchwork-Id: 872505
X-Patchwork-Delegate: trini@ti.com
Return-Path: <u-boot-bounces@lists.denx.de>
X-Original-To: incoming@patchwork.ozlabs.org
Delivered-To: patchwork-incoming@bilbo.ozlabs.org
Authentication-Results: ozlabs.org;
	spf=none (mailfrom) smtp.mailfrom=lists.denx.de
	(client-ip=81.169.180.215; helo=lists.denx.de;
	envelope-from=u-boot-bounces@lists.denx.de;
	receiver=<UNKNOWN>)
Authentication-Results: ozlabs.org;
	dkim=fail reason="signature verification failed" (2048-bit key;
	unprotected) header.d=gmail.com header.i=@gmail.com
	header.b="DFKl/c0X"; dkim-atps=neutral
Received: from lists.denx.de (dione.denx.de [81.169.180.215])
	by ozlabs.org (Postfix) with ESMTP id 3zgLlt2xC2z9sRW
	for <incoming@patchwork.ozlabs.org>;
	Tue, 13 Feb 2018 10:02:16 +1100 (AEDT)
Received: by lists.denx.de (Postfix, from userid 105)
	id 1CE3DC21F4D; Mon, 12 Feb 2018 23:00:48 +0000 (UTC)
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on lists.denx.de
X-Spam-Level: 
X-Spam-Status: No, score=0.0 required=5.0 tests=FREEMAIL_FROM,
	RCVD_IN_DNSWL_BLOCKED, RCVD_IN_MSPIKE_H2,
	T_DKIM_INVALID autolearn=unavailable
	autolearn_force=no version=3.4.0
Received: from lists.denx.de (localhost [IPv6:::1])
	by lists.denx.de (Postfix) with ESMTP id 6CE3DC21F31;
	Mon, 12 Feb 2018 22:59:52 +0000 (UTC)
Received: by lists.denx.de (Postfix, from userid 105)
	id 4D6DFC21DD9; Mon, 12 Feb 2018 22:57:14 +0000 (UTC)
Received: from mail-wr0-f193.google.com (mail-wr0-f193.google.com
	[209.85.128.193])
	by lists.denx.de (Postfix) with ESMTPS id E2371C21D65
	for <u-boot@lists.denx.de>; Mon, 12 Feb 2018 22:57:13 +0000 (UTC)
Received: by mail-wr0-f193.google.com with SMTP id b52so16804833wrd.10
	for <u-boot@lists.denx.de>; Mon, 12 Feb 2018 14:57:13 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025;
	h=from:to:cc:subject:date:message-id:in-reply-to:references;
	bh=lW2N3Tfy0ghhmhunXmTzA8a0bQHO0808YuryDu8Akg8=;
	b=DFKl/c0XP1MwGNXG+bLS6i/K4YA0C7ypCAowSIukNjIp7CmYBupszeplJuHLOaIthy
	feI9FBUiEieyHrrI3BxXoydr4Wi3r6N9GmPz7hwxw6zOtls8qk6BL/6j2Ojk4HfY5j4e
	O04S8VrejskHaO6WEH73DQfuv1Ye6adLveV6Z61e6kj21B5HPqyhJbEZCj+rY4ZyzeA+
	/f3MCbMSyzLEpiuKlRkqepgjPRjxYyUUAInFfQaXIgwL/MtFMQQvxqesBq61gXrdwoe6
	uL/17eJ7bKM5fStTc2oMpkGthhzrGF3p0esodJ8u2K7moaOgl5Zcd8iZ7FV4v88TKUJR
	gjzw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=1e100.net; s=20161025;
	h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to
	:references;
	bh=lW2N3Tfy0ghhmhunXmTzA8a0bQHO0808YuryDu8Akg8=;
	b=SCHwtDgc6kGP92B8hcESsN4bGdWaC98luLTtuNj55iep3yxLndLkHeV8XmDMNCaoAD
	ofQ3QS2mv4Dn8MM+/dfRSnGMK5pT5ffMKZuCr0kWZnJHPr0SahjM7EEI7V9iWx0uXR3f
	uJTTUYelrxLKtMvxYajyQDBCIGei80yK8OrXAKMP3kFvd6EFW0247PiLE3qp2UFBW1+b
	+/PiK+GFEwdw3ouT/ZadPwHUHGZtB4fmPEN2ph3bF7AS1RvOhvSkm5Ar+/gYhLOTlRBK
	LZLNV2dHXNwQIaiQw2Lh3qPytt5jEyEBaPNs2CiX6AJwEoNQ7f5aInPaqrCg3xlZdEsd
	p/9A==
X-Gm-Message-State: APf1xPCs4Q4OQAvGZA0czzpuaKO8B25lgIVJmODrhwp9fmWUBlCyC0dm
	fBWnwTsl+jSTyo6hnMR0/cKLXEfd
X-Google-Smtp-Source: 
 AH8x225YIYLVBvXTYpjVvy4bJCtegxMiKgmvliA3fTLGxSgyrBWkdWnbluifx0Gjxp/9eoyubnkTpw==
X-Received: by 10.223.163.207 with SMTP id
	m15mr11673104wrb.174.1518476233328;
	Mon, 12 Feb 2018 14:57:13 -0800 (PST)
Received: from localhost.localdomain ([195.95.131.65])
	by smtp.gmail.com with ESMTPSA id
	m191sm6184548wma.42.2018.02.12.14.57.12
	(version=TLS1_2 cipher=ECDHE-RSA-AES128-SHA bits=128/128);
	Mon, 12 Feb 2018 14:57:12 -0800 (PST)
From: Jeremy Boone <jeremy.boone@gmail.com>
To: u-boot@lists.denx.de
Date: Mon, 12 Feb 2018 17:56:37 -0500
Message-Id: <1518476197-24517-4-git-send-email-jeremy.boone@gmail.com>
X-Mailer: git-send-email 2.7.4
In-Reply-To: <1518476197-24517-1-git-send-email-jeremy.boone@gmail.com>
References: <1518476197-24517-1-git-send-email-jeremy.boone@gmail.com>
X-Mailman-Approved-At: Mon, 12 Feb 2018 22:59:48 +0000
Cc: Jeremy Boone <jeremy.boone@nccgroup.trust>
Subject: [U-Boot] [PATCH 3/3] Atmel TPM: Fix potential buffer overruns
X-BeenThere: u-boot@lists.denx.de
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: U-Boot discussion <u-boot.lists.denx.de>
List-Unsubscribe: <https://lists.denx.de/options/u-boot>,
	<mailto:u-boot-request@lists.denx.de?subject=unsubscribe>
List-Archive: <http://lists.denx.de/pipermail/u-boot/>
List-Post: <mailto:u-boot@lists.denx.de>
List-Help: <mailto:u-boot-request@lists.denx.de?subject=help>
List-Subscribe: <https://lists.denx.de/listinfo/u-boot>,
	<mailto:u-boot-request@lists.denx.de?subject=subscribe>
MIME-Version: 1.0
Errors-To: u-boot-bounces@lists.denx.de
Sender: "U-Boot" <u-boot-bounces@lists.denx.de>

From: Jeremy Boone <jeremy.boone@nccgroup.trust>

Ensure that the Atmel TPM driver performs sufficient
validation of the length returned in the TPM response header.
This patch prevents memory corruption if the header contains a
length value that is larger than the destination buffer.

Signed-off-by: Jeremy Boone <jeremy.boone@nccgroup.trust>
---
 drivers/tpm/tpm_atmel_twi.c | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)

diff --git a/drivers/tpm/tpm_atmel_twi.c b/drivers/tpm/tpm_atmel_twi.c
index eba654b..4fd772d 100644
--- a/drivers/tpm/tpm_atmel_twi.c
+++ b/drivers/tpm/tpm_atmel_twi.c
@@ -106,13 +106,23 @@ static int tpm_atmel_twi_xfer(struct udevice *dev,
 		udelay(100);
 	}
 	if (!res) {
-		*recv_len = get_unaligned_be32(recvbuf + 2);
-		if (*recv_len > 10)
+		unsigned int hdr_recv_len;
+		hdr_recv_len = get_unaligned_be32(recvbuf + 2);
+		if (hdr_recv_len < 10) {
+			puts("tpm response header too small\n");
+			return -1;
+		} else if (hdr_recv_len > *recv_len) {
+			puts("tpm response length is bigger than receive buffer\n");
+			return -1;
+		} else {
+			*recv_len = hdr_recv_len;
 #ifndef CONFIG_DM_I2C
 			res = i2c_read(0x29, 0, 0, recvbuf, *recv_len);
 #else
 			res = dm_i2c_read(dev, 0, recvbuf, *recv_len);
 #endif
+
+		}
 	}
 	if (res) {
 		printf("i2c_read returned %d (rlen=%d)\n", res, *recv_len);