Commit 890962b8 authored Feb 08, 2018 by Jeremy Boone Committed by Greg Kroah-Hartman Mar 24, 2018

tpm: fix potential buffer overruns caused by bit glitches on the bus



commit 3be23274755ee85771270a23af7691dc9b3a95db upstream.

Discrete TPMs are often connected over slow serial buses which, on
some platforms, can have glitches causing bit flips.  If a bit does
flip it could cause an overrun if it's in one of the size parameters,
so sanity check that we're not overrunning the provided buffer when
doing a memcpy().

Signed-off-by: Jeremy Boone <jeremy.boone@nccgroup.trust>
Cc: stable@vger.kernel.org
Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
Reviewed-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Tested-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Signed-off-by: James Morris <james.morris@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

parent a779add5

drivers/char/tpm/tpm-interface.c

+5 −0

Original line number	Diff line number	Diff line
		@@ -1078,6 +1078,11 @@ int tpm_get_random(u32 chip_num, u8 *out, size_t max)
		break;

		recd = be32_to_cpu(tpm_cmd.params.getrandom_out.rng_data_len);
		if (recd > num_bytes) {
		total = -EFAULT;
		break;
		}

		memcpy(dest, tpm_cmd.params.getrandom_out.rng_data, recd);

		dest += recd;

drivers/char/tpm/tpm2-cmd.c

+6 −0

Original line number	Diff line number	Diff line
		@@ -668,6 +668,11 @@ static int tpm2_unseal_cmd(struct tpm_chip *chip,
		if (!rc) {
		data_len = be16_to_cpup(
		(__be16 *) &buf.data[TPM_HEADER_SIZE + 4]);
		if (data_len < MIN_KEY_SIZE \|\| data_len > MAX_KEY_SIZE + 1) {
		rc = -EFAULT;
		goto out;
		}

		data = &buf.data[TPM_HEADER_SIZE + 6];

		memcpy(payload->key, data, data_len - 1);
		@@ -675,6 +680,7 @@ static int tpm2_unseal_cmd(struct tpm_chip *chip,
		payload->migratable = data[data_len - 1];
		}

		out:
		tpm_buf_destroy(&buf);
		return rc;
		}