Add two buffer size validations to prevent buffer overflows in
tpm_inf_recv():
1. Validate that the provided buffer can hold at least the 4-byte header
before attempting to read it.
2. Validate that the buffer is large enough to hold the data size reported
by the TPM before reading the payload.
Without these checks, a malicious or malfunctioning TPM could cause buffer
overflows by reporting data sizes larger than the provided buffer, leading
to memory corruption.
Fixes: ebb81fdb3dd0 ("[PATCH] tpm: Support for Infineon TPM")
Signed-off-by: Shahriyar Jalayeri <[email protected]>
---
drivers/char/tpm/tpm_infineon.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/drivers/char/tpm/tpm_infineon.c b/drivers/char/tpm/tpm_infineon.c
index 7638b65b8..0fe4193a3 100644
--- a/drivers/char/tpm/tpm_infineon.c
+++ b/drivers/char/tpm/tpm_infineon.c
@@ -250,6 +250,10 @@ static int tpm_inf_recv(struct tpm_chip *chip, u8 * buf,
size_t count)
number_of_wtx = 0;
recv_begin:
+ /* expect at least 1-byte VL header, 1-byte ctrl-tag, 2-byte data size */
+ if (count < 4)
+ return -EIO;
+
/* start receiving header */
for (i = 0; i < 4; i++) {
ret = wait(chip, STAT_RDA);
@@ -268,6 +272,9 @@ static int tpm_inf_recv(struct tpm_chip *chip, u8 * buf,
size_t count)
/* size of the data received */
size = ((buf[2] << 8) | buf[3]);
+ if (size + 6 > count)
+ return -EIO;
+
for (i = 0; i < size; i++) {
wait(chip, STAT_RDA);
buf[i] = tpm_data_in(RDFIFO);
--
2.43.0
