| Message ID | 20161024155439.GA27123@google.com |
|---|---|
| State | New |
| Headers | show |
On Mon, Oct 24, 2016 at 08:54:39AM -0700, Josh Zimmerman wrote: > If the TPM we're connecting to uses a static burst count, it will report > a burst count of zero throughout the response read. However, get_burstcount > assumes that a response of zero indicates that the TPM is not ready to > receive more data. In this case, it returns a negative error code, which > is passed on to tpm_tis_{write,read}_bytes as a u16, causing > them to read/write far too many bytes. > > This patch checks for negative return codes and bails out from recv_data > and tpm_tis_send_data. > > Fixes: 1107d065fdf1 huh? No signed off? <formletter> This is not the correct way to submit patches for inclusion in the stable kernel tree. Please read Documentation/stable_kernel_rules.txt for how to do this properly. </formletter> ------------------------------------------------------------------------------ Check out the vibrant tech community on one of the world's most engaging tech sites, SlashDot.org! http://sdm.link/slashdot
On Mon, Oct 24, 2016 at 10:32 AM, Greg KH <greg@kroah.com> wrote: > On Mon, Oct 24, 2016 at 08:54:39AM -0700, Josh Zimmerman wrote: >> If the TPM we're connecting to uses a static burst count, it will report >> a burst count of zero throughout the response read. However, get_burstcount >> assumes that a response of zero indicates that the TPM is not ready to >> receive more data. In this case, it returns a negative error code, which >> is passed on to tpm_tis_{write,read}_bytes as a u16, causing >> them to read/write far too many bytes. >> >> This patch checks for negative return codes and bails out from recv_data >> and tpm_tis_send_data. >> >> Fixes: 1107d065fdf1 > > huh? > > No signed off? > > <formletter> > > This is not the correct way to submit patches for inclusion in the > stable kernel tree. Please read Documentation/stable_kernel_rules.txt > for how to do this properly. > > </formletter> Oh, I apologize. I was unfamiliar with the stable@ list, and was asked in v1 of my patch to add it to CCs. I was unaware that there were further prerequisites to doing so. From reading stable_kernel_rules.txt's requirements, it doesn't seem like this is yet ready to be sent here, and perhaps it doesn't belong on the stable@ list at all. Moving stable@ to BCC. Josh ------------------------------------------------------------------------------ Check out the vibrant tech community on one of the world's most engaging tech sites, SlashDot.org! http://sdm.link/slashdot
diff --git a/drivers/char/tpm/tpm_tis_core.c b/drivers/char/tpm/tpm_tis_core.c index e3bf31b..aed92b3 100644 --- a/drivers/char/tpm/tpm_tis_core.c +++ b/drivers/char/tpm/tpm_tis_core.c @@ -186,6 +186,12 @@ static int recv_data(struct tpm_chip *chip, u8 *buf, size_t count) chip->timeout_c, &priv->read_queue, true) == 0) { burstcnt = min_t(int, get_burstcount(chip), count - size); + if (burstcnt < 0) { + dev_err(&chip->dev, + "Unable to read burstcount in %s:%d (%s)\n", + __FILE__, __LINE__, __func__); + return burstcnt; + } rc = tpm_tis_read_bytes(priv, TPM_DATA_FIFO(priv->locality), burstcnt, buf + size); @@ -272,6 +278,13 @@ static int tpm_tis_send_data(struct tpm_chip *chip, u8 *buf, size_t len) while (count < len - 1) { burstcnt = min_t(int, get_burstcount(chip), len - count - 1); + if (burstcnt < 0) { + dev_err(&chip->dev, + "Unable to read burstcount in %s:%d (%s)\n", + __FILE__, __LINE__, __func__); + rc = burstcnt; + goto out_err; + } rc = tpm_tis_write_bytes(priv, TPM_DATA_FIFO(priv->locality), burstcnt, buf + count); if (rc < 0)
If the TPM we're connecting to uses a static burst count, it will report a burst count of zero throughout the response read. However, get_burstcount assumes that a response of zero indicates that the TPM is not ready to receive more data. In this case, it returns a negative error code, which is passed on to tpm_tis_{write,read}_bytes as a u16, causing them to read/write far too many bytes. This patch checks for negative return codes and bails out from recv_data and tpm_tis_send_data. Fixes: 1107d065fdf1 --- drivers/char/tpm/tpm_tis_core.c | 13 +++++++++++++ 1 file changed, 13 insertions(+)