authorJeremy Boone <jeremy.boone@nccgroup.trust>2018-02-08 15:28:08 -0500
committerJames Morris <james.morris@microsoft.com>2018-02-26 18:43:46 -0500
commit3be23274755ee85771270a23af7691dc9b3a95db (patch)
tree5ab99a5a989b5e83010043345c2ed28f3fd760dc
parent6d24cd186d9fead3722108dec1b1c993354645ff (diff)
tpm: fix potential buffer overruns caused by bit glitches on the bus
Discrete TPMs are often connected over slow serial buses which, on some platforms, can have glitches causing bit flips. If a bit does flip it could cause an overrun if it's in one of the size parameters, so sanity check that we're not overrunning the provided buffer when doing a memcpy(). Signed-off-by: Jeremy Boone <jeremy.boone@nccgroup.trust> Cc: stable@vger.kernel.org Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com> Reviewed-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com> Tested-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com> Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com> Signed-off-by: James Morris <james.morris@microsoft.com>
-rw-r--r--drivers/char/tpm/tpm-interface.c4
-rw-r--r--drivers/char/tpm/tpm2-cmd.c4
2 files changed, 8 insertions, 0 deletions
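diff --git a/drivers/char/tpm/tpm-interface.c b/drivers/char/tpm/tpm-interface.c
index 76df4fbcf089..9e80a953d693 100644
--- a/drivers/char/tpm/tpm-interface.c
+++ b/drivers/char/tpm/tpm-interface.c
@@ -1190,6 +1190,10 @@ int tpm_get_random(struct tpm_chip *chip, u8 *out, size_t max)
 break;
 
 recd = be32_to_cpu(tpm_cmd.params.getrandom_out.rng_data_len);
+if (recd > num_bytes) {
+total = -EFAULT;
+break;
+}
 
 rlength = be32_to_cpu(tpm_cmd.header.out.length);
 if (rlength < offsetof(struct tpm_getrandom_out, rng_data) +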
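Review bot: The new `recd > num_bytes` branch rejects an oversized length field without logging anything, so a glitching bus or misbehaving TPM is indistinguishable from any other failed read. A rate-limited message before the `break`, such as `dev_warn_ratelimited(&chip->dev, "TPM returned more random bytes than requested\n");`, would make this condition visible to operators. The branch also deserves a comment, e.g. `/* rng_data_len comes from the device; never copy more than we asked for */`. Overwriting `total` with `-EFAULT` appears to discard any byte count accumulated in earlier iterations, and it would be worth confirming that callers expect an error rather than a short count in that case. The loop and the definition of `num_bytes` are outside this hunk.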
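diff --git a/drivers/char/tpm/tpm2-cmd.c b/drivers/char/tpm/tpm2-cmd.c
index c17e75348a99..a700f8f9ead7 100644
--- a/drivers/char/tpm/tpm2-cmd.c
+++ b/drivers/char/tpm/tpm2-cmd.c
@@ -683,6 +683,10 @@ static int tpm2_unseal_cmd(struct tpm_chip *chip,
 if (!rc) {
 data_len = be16_to_cpup(
 (__be16 *) &buf.data[TPM_HEADER_SIZE + 4]);
+if (data_len < MIN_KEY_SIZE || data_len > MAX_KEY_SIZE + 1) {
+rc = -EFAULT;
+goto out;
+}
 
 rlength = be32_to_cpu(((struct tpm2_cmd *)&buf)
 ->header.out.length);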
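Review bot: The bounds in the added `data_len` check are asymmetric and the `+ 1` is unexplained: the upper limit is `MAX_KEY_SIZE + 1` while the lower limit is plain `MIN_KEY_SIZE`. If the extra byte is a trailing flag stored after the key (the copy that uses `data_len` is outside this hunk), then `data_len == MIN_KEY_SIZE` would leave a key one byte shorter than the minimum. In that case the lower bound should probably read `data_len < MIN_KEY_SIZE + 1`. Either way, a comment such as `/* data_len covers the key plus one trailing byte, hence MAX_KEY_SIZE + 1 */` would stop the next reader from "fixing" the constant. The `out` label is also outside the hunk, so it is worth confirming that it releases `buf` on this new early exit.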