From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1753239AbdATUOa (ORCPT ); Fri, 20 Jan 2017 15:14:30 -0500 Received: from mga14.intel.com ([192.55.52.115]:2345 "EHLO mga14.intel.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1752324AbdATUO3 (ORCPT ); Fri, 20 Jan 2017 15:14:29 -0500 X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.33,259,1477983600"; d="scan'208";a="1085414811" Date: Fri, 20 Jan 2017 22:14:23 +0200 From: Jarkko Sakkinen To: Stefan Berger Cc: tpmdd-devel@lists.sourceforge.net, linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org Subject: Re: [PATCH v7] tpm: Check size of response before accessing data Message-ID: <20170120201423.aky44svd3vejxxis@intel.com> References: <1484828352-23202-1-git-send-email-stefanb@linux.vnet.ibm.com> <20170120133630.ld5shdqhquxzd7sn@intel.com> <20170120162145.lrdcrf5iw6d6otd3@intel.com> <20170120175522.zsotpu22be3nozbl@intel.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20170120175522.zsotpu22be3nozbl@intel.com> Organization: Intel Finland Oy - BIC 0357606-4 - Westendinkatu 7, 02160 Espoo User-Agent: Mutt/1.6.2-neo (2016-08-21) Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Fri, Jan 20, 2017 at 07:55:22PM +0200, Jarkko Sakkinen wrote: > On Fri, Jan 20, 2017 at 06:21:58PM +0200, Jarkko Sakkinen wrote: > > On Fri, Jan 20, 2017 at 03:36:30PM +0200, Jarkko Sakkinen wrote: > > > On Thu, Jan 19, 2017 at 07:19:12AM -0500, Stefan Berger wrote: > > > > Make sure that we have not received less bytes than what is indicated > > > > in the header of the TPM response. Also, check the number of bytes in > > > > the response before accessing its data. > > > > > > > > Signed-off-by: Stefan Berger > > > > > > Reviewed-by: Jarkko Sakkinen > > > > Oops. I found some odd stuff after all so hold on for a moment. > > I could do these updates myself probably... > > > > > > ssize_t tpm_transmit_cmd(struct tpm_chip *chip, const void *cmd, > > > > - int len, unsigned int flags, const char *desc) > > > > + size_t len, size_t min_rsp_body_length, > > > > + unsigned int flags, const char *desc) > > > > BTW, maybe the cmd_length would be actually a better idea because > > it gets mixes witht local variable. > > > > > > { > > > > const struct tpm_output_header *header; > > > > int err; > > > > + ssize_t length; > > > > Maybe it would make sense to name this as rsp_length. > > > > > > > > > > - len = tpm_transmit(chip, (const u8 *)cmd, len, flags); > > > > - if (len < 0) > > > > - return len; > > > > - else if (len < TPM_HEADER_SIZE) > > > > + length = tpm_transmit(chip, (const u8 *)cmd, len, flags); > > > > + if (length < 0) > > > > + return length; > > > > + else if (length < TPM_HEADER_SIZE) > > > > return -EFAULT; > > > > > > > > header = cmd; > > > > + if (length < be32_to_cpu(header->length)) > > > > + return -EFAULT; > > > > Why '<' and not '!='? In what legit case length would be larger? > > > > > > > > > > err = be32_to_cpu(header->return_code); > > > > if (err != 0 && desc) > > > > dev_err(&chip->dev, "A TPM error (%d) occurred %s\n", err, > > > > desc); > > > > + if (err) > > > > + return err; > > > > > > > > - return err; > > > > + if (be32_to_cpu(header->length) < > > > > + min_rsp_body_length + TPM_HEADER_SIZE) > > > > + return -EFAULT; > > > > Why couldn't you use 'length' here? > > > > /Jarkko > > Anyway, > > Tested-by: Jarkko Sakkinen Stefan, I updated the patch by doing '!=' check and renaming parameters to 'buf' and 'bufsiz' as they are in tpm_transmit(). The current namesd did not make sense because you pass a buffer that will also will store the response. Can you check that after my updates it looks OK to you? /Jarkko