From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-9.0 required=3.0 tests=HEADER_FROM_DIFFERENT_DOMAINS, INCLUDES_PATCH,MAILING_LIST_MULTI,SIGNED_OFF_BY,SPF_PASS,USER_AGENT_GIT autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 6D885C43387 for ; Wed, 16 Jan 2019 22:35:27 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id 3A2D220652 for ; Wed, 16 Jan 2019 22:35:27 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1733219AbfAPWf0 (ORCPT ); Wed, 16 Jan 2019 17:35:26 -0500 Received: from mga12.intel.com ([192.55.52.136]:19020 "EHLO mga12.intel.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1732911AbfAPWf0 (ORCPT ); Wed, 16 Jan 2019 17:35:26 -0500 X-Amp-Result: SKIPPED(no attachment in message) X-Amp-File-Uploaded: False Received: from orsmga008.jf.intel.com ([10.7.209.65]) by fmsmga106.fm.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 16 Jan 2019 14:35:26 -0800 X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.56,487,1539673200"; d="scan'208";a="110456551" Received: from lhaqq1-mobl2.amr.corp.intel.com (HELO localhost) ([10.249.254.231]) by orsmga008.jf.intel.com with ESMTP; 16 Jan 2019 14:35:23 -0800 From: Jarkko Sakkinen To: stable@vger.kernel.org Cc: Jarkko Sakkinen Subject: [PATCH] tpm: fix response size validation in tpm_get_random() Date: Thu, 17 Jan 2019 00:35:18 +0200 Message-Id: <20190116223518.32328-1-jarkko.sakkinen@linux.intel.com> X-Mailer: git-send-email 2.19.1 MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Sender: stable-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: stable@vger.kernel.org commit 84b59f6487d82d3ab4247a099aba66d4d17e8b08 upstream When checking whether the response is large enough to be able to contain the received random bytes in tpm_get_random() and tpm2_get_random(), they fail to take account the header size, which should be added to the minimum size. This commit fixes this issue. Cc: stable@vger.kernel.org Fixes: c659af78eb7b ("tpm: Check size of response before accessing data") Signed-off-by: Jarkko Sakkinen --- For v4.14 and v4.18. Fixed a merge conflict. drivers/char/tpm/tpm-interface.c | 3 ++- drivers/char/tpm/tpm2-cmd.c | 3 ++- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/drivers/char/tpm/tpm-interface.c b/drivers/char/tpm/tpm-interface.c index e8822b3d10e1..a107ee2466da 100644 --- a/drivers/char/tpm/tpm-interface.c +++ b/drivers/char/tpm/tpm-interface.c @@ -1323,7 +1323,8 @@ int tpm_get_random(struct tpm_chip *chip, u8 *out, size_t max) } rlength = be32_to_cpu(tpm_cmd.header.out.length); - if (rlength < offsetof(struct tpm_getrandom_out, rng_data) + + if (rlength < TPM_HEADER_SIZE + + offsetof(struct tpm_getrandom_out, rng_data) + recd) { total = -EFAULT; break; diff --git a/drivers/char/tpm/tpm2-cmd.c b/drivers/char/tpm/tpm2-cmd.c index d31b09099216..79b00bc4a7c2 100644 --- a/drivers/char/tpm/tpm2-cmd.c +++ b/drivers/char/tpm/tpm2-cmd.c @@ -371,7 +371,8 @@ int tpm2_get_random(struct tpm_chip *chip, u8 *out, size_t max) recd = min_t(u32, be16_to_cpu(cmd.params.getrandom_out.size), num_bytes); rlength = be32_to_cpu(cmd.header.out.length); - if (rlength < offsetof(struct tpm2_get_random_out, buffer) + + if (rlength < TPM_HEADER_SIZE + + offsetof(struct tpm2_get_random_out, buffer) + recd) return -EFAULT; memcpy(dest, cmd.params.getrandom_out.buffer, recd); -- 2.19.1