Add two buffer size validations to prevent buffer overflows in tpm_inf_recv():
1. Validate that the provided buffer can hold at least the 4-byte header before attempting to read it. 2. Validate that the buffer is large enough to hold the data size reported by the TPM before reading the payload. Without these checks, a malicious or malfunctioning TPM could cause buffer overflows by reporting data sizes larger than the provided buffer, leading to memory corruption. The error messages include both the expected and actual buffer sizes to indicate that the operation is aborted. Signed-off-by: Shahriyar Jalayeri <[email protected]> --- drivers/char/tpm/tpm_infineon.c | 19 ++++++++++++++++++- 1 file changed, 18 insertions(+), 1 deletion(-) diff --git a/drivers/char/tpm/tpm_infineon.c b/drivers/char/tpm/tpm_infineon.c index 7638b65b8..385bac46a 100644 --- a/drivers/char/tpm/tpm_infineon.c +++ b/drivers/char/tpm/tpm_infineon.c @@ -247,11 +247,20 @@ static int tpm_inf_recv(struct tpm_chip *chip, u8 * buf, size_t count) int i; int ret; u32 size = 0; + u32 header_size = 4; number_of_wtx = 0; recv_begin: + if (count < header_size) { + dev_err(&chip->dev, + "Buffer too small (count=%zd, header_size=%u), " + "operation aborted\n", + count, header_size); + return -EIO; + } + /* start receiving header */ - for (i = 0; i < 4; i++) { + for (i = 0; i < header_size; i++) { ret = wait(chip, STAT_RDA); if (ret) return -EIO; @@ -268,6 +277,14 @@ static int tpm_inf_recv(struct tpm_chip *chip, u8 * buf, size_t count) /* size of the data received */ size = ((buf[2] << 8) | buf[3]); + if (size > count) { + dev_err(&chip->dev, + "Buffer too small for incoming data " + "(count=%zd, size=%u), operation aborted\n", + count, size); + return -EIO; + } + for (i = 0; i < size; i++) { wait(chip, STAT_RDA); buf[i] = tpm_data_in(RDFIFO); -- 2.43.0
