Commit 3be23274 authored Feb 08, 2018 by Jeremy Boone Committed by James Morris Feb 26, 2018

tpm: fix potential buffer overruns caused by bit glitches on the bus



Discrete TPMs are often connected over slow serial buses which, on
some platforms, can have glitches causing bit flips.  If a bit does
flip it could cause an overrun if it's in one of the size parameters,
so sanity check that we're not overrunning the provided buffer when
doing a memcpy().

Signed-off-by: Jeremy Boone <jeremy.boone@nccgroup.trust>
Cc: stable@vger.kernel.org
Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
Reviewed-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Tested-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Signed-off-by: James Morris <james.morris@microsoft.com>

parent 6d24cd18

drivers/char/tpm/tpm-interface.c

+4 −0

Original line number	Diff line number	Diff line
		@@ -1190,6 +1190,10 @@ int tpm_get_random(struct tpm_chip chip, u8 out, size_t max)
		break;

		recd = be32_to_cpu(tpm_cmd.params.getrandom_out.rng_data_len);
		if (recd > num_bytes) {
		total = -EFAULT;
		break;
		}

		rlength = be32_to_cpu(tpm_cmd.header.out.length);
		if (rlength < offsetof(struct tpm_getrandom_out, rng_data) +

drivers/char/tpm/tpm2-cmd.c

+4 −0

Original line number	Diff line number	Diff line
		@@ -683,6 +683,10 @@ static int tpm2_unseal_cmd(struct tpm_chip *chip,
		if (!rc) {
		data_len = be16_to_cpup(
		(__be16 *) &buf.data[TPM_HEADER_SIZE + 4]);
		if (data_len < MIN_KEY_SIZE \|\| data_len > MAX_KEY_SIZE + 1) {
		rc = -EFAULT;
		goto out;
		}

		rlength = be32_to_cpu(((struct tpm2_cmd *)&buf)
		->header.out.length);