aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorPeter Huewe <huewe.external.infineon@googlemail.com>2011-09-15 13:37:43 -0400
committerJames Morris <jmorris@namei.org>2011-09-22 19:46:29 -0400
commit6b07d30aca7e52f2881b8c8c20c8a2cd28e8b3d3 (patch)
tree58530bdef4c29cb4bf127942428190e9a2756b2c
parentde69113ec1896443c732e8b812e8005fb44eeeeb (diff)
TPM: Call tpm_transmit with correct size
This patch changes the call of tpm_transmit by supplying the size of the userspace buffer instead of TPM_BUFSIZE. This got assigned CVE-2011-1161. [The first hunk didn't make sense given one could expect way less data than TPM_BUFSIZE, so added tpm_transmit boundary check over bufsiz instead The last parameter of tpm_transmit() reflects the amount of data expected from the device, and not the buffer size being supplied to it. It isn't ideal to parse it directly, so we just set it to the maximum the input buffer can handle and let the userspace API to do such job.] Signed-off-by: Rajiv Andrade <srajiv@linux.vnet.ibm.com> Cc: Stable Kernel <stable@kernel.org> Signed-off-by: James Morris <jmorris@namei.org>
-rw-r--r--drivers/char/tpm/tpm.c3
1 files changed, 3 insertions, 0 deletions
diff --git a/drivers/char/tpm/tpm.c b/drivers/char/tpm/tpm.c
index caf8012ef47c..1fe979335835 100644
--- a/drivers/char/tpm/tpm.c
+++ b/drivers/char/tpm/tpm.c
@@ -383,6 +383,9 @@ static ssize_t tpm_transmit(struct tpm_chip *chip, const char *buf,
383 u32 count, ordinal; 383 u32 count, ordinal;
384 unsigned long stop; 384 unsigned long stop;
385 385
386 if (bufsiz > TPM_BUFSIZE)
387 bufsiz = TPM_BUFSIZE;
388
386 count = be32_to_cpu(*((__be32 *) (buf + 2))); 389 count = be32_to_cpu(*((__be32 *) (buf + 2)));
387 ordinal = be32_to_cpu(*((__be32 *) (buf + 6))); 390 ordinal = be32_to_cpu(*((__be32 *) (buf + 6)));
388 if (count == 0) 391 if (count == 0)