From 6aa9a3a16a9f4e93d67859c634742b00d743ecb5 Mon Sep 17 00:00:00 2001 From: Jarkko Sakkinen Date: Wed, 6 Feb 2019 17:26:55 +0200 Subject: [PATCH] tpm: fail tpm_validate_command() if chip->nr_commands is zero Now that tpm_validate_command() is only on TPM2 space code path, it should return -EINVAL in the case nr_command is zero, as it should never be. Not doing this could cause cc to be uninitialized. This commit fixes the issue. Fixes: a4bfd02c6b00 ("tpm: move tpm_validate_commmand() to tpm2-space.c") Signed-off-by: Jarkko Sakkinen --- drivers/char/tpm/tpm2-space.c | 35 +++++++++++++++++------------------ 1 file changed, 17 insertions(+), 18 deletions(-) diff --git a/drivers/char/tpm/tpm2-space.c b/drivers/char/tpm/tpm2-space.c index a9ced49546ad..4a2773c3374f 100644 --- a/drivers/char/tpm/tpm2-space.c +++ b/drivers/char/tpm/tpm2-space.c @@ -263,8 +263,9 @@ static int tpm2_map_command(struct tpm_chip *chip, u32 cc, u8 *cmd) return 0; } -static int tpm_validate_command(struct tpm_chip *chip, struct tpm_space *space, - const void *cmd, size_t len) +static int tpm_find_and_validate_cc(struct tpm_chip *chip, + struct tpm_space *space, + const void *cmd, size_t len) { const struct tpm_header *header = (const void *)cmd; int i; @@ -272,26 +273,24 @@ static int tpm_validate_command(struct tpm_chip *chip, struct tpm_space *space, u32 attrs; unsigned int nr_handles; - if (len < TPM_HEADER_SIZE) + if (len < TPM_HEADER_SIZE || !chip->nr_commands) return -EINVAL; - if (chip->nr_commands) { - cc = be32_to_cpu(header->ordinal); + cc = be32_to_cpu(header->ordinal); - i = tpm2_find_cc(chip, cc); - if (i < 0) { - dev_dbg(&chip->dev, "0x%04X is an invalid command\n", - cc); - return -EOPNOTSUPP; - } - - attrs = chip->cc_attrs_tbl[i]; - nr_handles = - 4 * ((attrs >> TPM2_CC_ATTR_CHANDLES) & GENMASK(2, 0)); - if (len < TPM_HEADER_SIZE + 4 * nr_handles) - goto err_len; + i = tpm2_find_cc(chip, cc); + if (i < 0) { + dev_dbg(&chip->dev, "0x%04X is an invalid command\n", + cc); + return -EOPNOTSUPP; } + attrs = chip->cc_attrs_tbl[i]; + nr_handles = + 4 * ((attrs >> TPM2_CC_ATTR_CHANDLES) & GENMASK(2, 0)); + if (len < TPM_HEADER_SIZE + 4 * nr_handles) + goto err_len; + return cc; err_len: dev_dbg(&chip->dev, "%s: insufficient command length %zu", __func__, @@ -308,7 +307,7 @@ int tpm2_prepare_space(struct tpm_chip *chip, struct tpm_space *space, u8 *cmd, if (!space) return 0; - cc = tpm_validate_command(chip, space, cmd, cmdsiz); + cc = tpm_find_and_validate_cc(chip, space, cmd, cmdsiz); if (cc < 0) return cc; -- 2.19.1