tpmdd-devel.lists.sourceforge.net archive mirror
* [PATCH] tpm_crb: check for bad response size
@ 2017-03-11  0:46 Jerry Snitselaar
       [not found] ` <20170311004604.4442-1-jsnitsel-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
  0 siblings, 1 reply; 2+ messages in thread
From: Jerry Snitselaar @ 2017-03-11  0:46 UTC (permalink / raw)
  To: tpmdd-devel
  Cc: linux-kernel, Jarkko Sakkinen, Jason Gunthorpe, Jerry Snitselaar

Make sure size of response buffer is at least 6 bytes, or
we will underflow and pass large size_t to memcpy_fromio().
This was encountered while testing earlier version of
locality patchset.

Fixes: 30fc8d138e912 ("tpm: TPM 2.0 CRB Interface")
Signed-off-by: Jerry Snitselaar <jsnitsel@redhat.com>
---
 drivers/char/tpm/tpm_crb.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/char/tpm/tpm_crb.c b/drivers/char/tpm/tpm_crb.c
index 89dc8a176ff1..cda4f312d1c9 100644
--- a/drivers/char/tpm/tpm_crb.c
+++ b/drivers/char/tpm/tpm_crb.c
@@ -236,7 +236,7 @@ static int crb_recv(struct tpm_chip *chip, u8 *buf, size_t count)
 
 	memcpy_fromio(buf, priv->rsp, 6);
 	expected = be32_to_cpup((__be32 *) &buf[2]);
-	if (expected > count)
+	if (expected > count || expected < 6)
 		return -EIO;
 
 	memcpy_fromio(&buf[6], &priv->rsp[6], expected - 6);
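Review bot: The new lower bound in `if (expected > count || expected < 6)` is a third copy of the literal 6 already used by the header `memcpy_fromio(buf, priv->rsp, 6)` above and by `expected - 6` below, and the underflow guard only holds while all three agree. Suggest a named constant for that prefix length (the two bytes before the size field plus the 4-byte size read from `&buf[2]`) and a one-line comment above the check saying it protects the `expected - 6` subtraction.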
-- 
2.11.0.258.ge05806da9


* Re: [PATCH] tpm_crb: check for bad response size
       [not found] ` <20170311004604.4442-1-jsnitsel-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
@ 2017-03-11  8:48   ` Jarkko Sakkinen
  0 siblings, 0 replies; 2+ messages in thread
From: Jarkko Sakkinen @ 2017-03-11  8:48 UTC (permalink / raw)
  To: Jerry Snitselaar
  Cc: tpmdd-devel-5NWGOfrQmneRv+LV9MX5uipxlwaOVQ5f,
	linux-kernel-u79uwXL29TY76Z2rM5mHXA

On Fri, Mar 10, 2017 at 05:46:04PM -0700, Jerry Snitselaar wrote:
> Make sure size of response buffer is at least 6 bytes, or
> we will underflow and pass large size_t to memcpy_fromio().
> This was encountered while testing earlier version of
> locality patchset.
> 
> Fixes: 30fc8d138e912 ("tpm: TPM 2.0 CRB Interface")
> Signed-off-by: Jerry Snitselaar <jsnitsel-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>

Reviewed-by: Jarkko Sakkinen <jarkko.sakkinen-VuQAYsv1563Yd54FQh9/CA@public.gmane.org>

/Jarkko

> ---
>  drivers/char/tpm/tpm_crb.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/drivers/char/tpm/tpm_crb.c b/drivers/char/tpm/tpm_crb.c
> index 89dc8a176ff1..cda4f312d1c9 100644
> --- a/drivers/char/tpm/tpm_crb.c
> +++ b/drivers/char/tpm/tpm_crb.c
> @@ -236,7 +236,7 @@ static int crb_recv(struct tpm_chip *chip, u8 *buf, size_t count)
>  
>  	memcpy_fromio(buf, priv->rsp, 6);
>  	expected = be32_to_cpup((__be32 *) &buf[2]);
> -	if (expected > count)
> +	if (expected > count || expected < 6)
>  		return -EIO;
>  
>  	memcpy_fromio(&buf[6], &priv->rsp[6], expected - 6);
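Review bot: The header copy `memcpy_fromio(buf, priv->rsp, 6)` at the top of this hunk writes 6 bytes into `buf` before `count` is compared against anything, and the lines shown here contain no `count >= 6` test. Please confirm that such a check sits earlier in `crb_recv()`; if it does not, it belongs next to this one, since `expected > count` only bounds the second copy.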
> -- 
> 2.11.0.258.ge05806da9
> 
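The underflow described in the commit message, modelled in userspace as an added example (not code from the patch or the kernel tree). The names `tail_len_prepatch`, `recv_patched` and `HDR`, the sample responses, and the 32-bit unsigned type of `expected` are assumptions of this sketch.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HDR 6u  /* bytes copied before the size field can be trusted */

/* Constructed samples: 2 leading bytes, 4-byte big-endian size, payload. */
static const uint8_t GOOD_RSP[10]  = {0x80, 0x01, 0, 0, 0, 10, 0, 0, 0, 0};
static const uint8_t SHORT_RSP[10] = {0x80, 0x01, 0, 0, 0, 2, 0, 0, 0, 0};
static uint8_t out[10];

/* Size field at offset 2, as be32_to_cpup(&buf[2]) reads it. */
static uint32_t rsp_size(const uint8_t *p)
{
    return ((uint32_t)p[2] << 24) | ((uint32_t)p[3] << 16) |
           ((uint32_t)p[4] << 8) | p[5];
}

/* Pre-patch check only: length the second copy would receive (0 if rejected). */
static size_t tail_len_prepatch(const uint8_t *rsp, size_t count)
{
    uint32_t expected = rsp_size(rsp);  /* assumed 32-bit unsigned */
    if (expected > count)
        return 0;
    return (size_t)(expected - HDR);    /* wraps when expected < 6 */
}

/* Patched check: returns bytes copied, or -1 where the driver returns -EIO.
 * In this model rsp must hold at least count bytes. */
static long recv_patched(uint8_t *buf, size_t count, const uint8_t *rsp)
{
    uint32_t expected;
    if (count < HDR)
        return -1;
    memcpy(buf, rsp, HDR);
    expected = rsp_size(buf);
    if (expected > count || expected < HDR)
        return -1;
    memcpy(&buf[HDR], &rsp[HDR], expected - HDR);
    return (long)expected;
}

int main(void)
{
    printf("pre-patch tail length, size=2: %zu\n", tail_len_prepatch(SHORT_RSP, sizeof out));
    printf("patched, size=2:  %ld\n", recv_patched(out, sizeof out, SHORT_RSP));
    printf("patched, size=10: %ld\n", recv_patched(out, sizeof out, GOOD_RSP));
    return 0;
}
```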
