Commit 6bb320ca authored Feb 08, 2018 by Jeremy Boone Committed by James Morris Feb 26, 2018

tpm_tis: fix potential buffer overruns caused by bit glitches on the bus



Discrete TPMs are often connected over slow serial buses which, on
some platforms, can have glitches causing bit flips.  In all the
driver _recv() functions, we need to use a u32 to unmarshal the
response size, otherwise a bit flip of the 31st bit would cause the
expected variable to go negative, which would then try to read a huge
amount of data.  Also sanity check that the expected amount of data is
large enough for the TPM header.

Signed-off-by: Jeremy Boone <jeremy.boone@nccgroup.trust>
Cc: stable@vger.kernel.org
Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
Tested-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Reviewed-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Signed-off-by: James Morris <james.morris@microsoft.com>

parent 4c3579f6

drivers/char/tpm/tpm_tis_core.c

+3 −2

Original line number	Diff line number	Diff line
		@@ -270,7 +270,8 @@ static int tpm_tis_recv(struct tpm_chip chip, u8 buf, size_t count)
		{
		struct tpm_tis_data *priv = dev_get_drvdata(&chip->dev);
		int size = 0;
		int expected, status;
		int status;
		u32 expected;

		if (count < TPM_HEADER_SIZE) {
		size = -EIO;
		@@ -285,7 +286,7 @@ static int tpm_tis_recv(struct tpm_chip chip, u8 buf, size_t count)
		}

		expected = be32_to_cpu((__be32 ) (buf + 2));
		if (expected > count) {
		if (expected > count \|\| expected < TPM_HEADER_SIZE) {
		size = -EIO;
		goto out;
		}