Re: [PATCH] tpm: fix event_size output in tpm1_binary_bios_measurements_show

Thu, 21 May 2026 17:30:39 -0700 

On Thu, May 21, 2026 at 11:36:39AM +0200, Thorsten Blum wrote:
> Commit 186d124f07da ("tpm_eventlog.c: fix binary_bios_measurements")
> split the output to write the endian-converted event header first and
> then the variable-length event data.
> 
> However, the split was at sizeof(struct tcpa_event) - 1, even though
> event_data was a zero-length array, and later a flexible array member,
> both of which already excluded the event data.
> 
> Therefore, the current code writes the first three bytes of event_size
> from the endian-converted header and then the last byte from the raw
> header, which can emit a corrupted event_size on PPC64, where
> do_endian_conversion() maps to be32_to_cpu().
> 
> Use seq_write() to write the full endian-converted header, followed by
> the variable-length event->event_data.
> 
> Drop the obvious comment while at it.
> 
> Fixes: 186d124f07da ("tpm_eventlog.c: fix binary_bios_measurements")
> Cc: [email protected]
> Signed-off-by: Thorsten Blum <[email protected]>
> ---
>  drivers/char/tpm/eventlog/tpm1.c | 16 ++--------------
>  1 file changed, 2 insertions(+), 14 deletions(-)

Got it, I think you're probably right.

> 
> diff --git a/drivers/char/tpm/eventlog/tpm1.c 
> b/drivers/char/tpm/eventlog/tpm1.c
> index e7913b2853d5..291720e89d91 100644
> --- a/drivers/char/tpm/eventlog/tpm1.c
> +++ b/drivers/char/tpm/eventlog/tpm1.c
> @@ -224,29 +224,17 @@ static int tpm1_binary_bios_measurements_show(struct 
> seq_file *m, void *v)
>  {
>       struct tcpa_event *event = v;
>       struct tcpa_event temp_event;
> -     char *temp_ptr;
> -     int i;
>  
>       memcpy(&temp_event, event, sizeof(struct tcpa_event));
>  
> -     /* convert raw integers for endianness */

spurious change

>       temp_event.pcr_index = do_endian_conversion(event->pcr_index);
>       temp_event.event_type = do_endian_conversion(event->event_type);
>       temp_event.event_size = do_endian_conversion(event->event_size);
>  
> -     temp_ptr = (char *) &temp_event;
> -
> -     for (i = 0; i < (sizeof(struct tcpa_event) - 1) ; i++)
> -             seq_putc(m, temp_ptr[i]);

Why changing condition does not fix the bug? This could be just +-1 line
change.

> -
> -     temp_ptr = (char *) v;
> -
> -     for (i = (sizeof(struct tcpa_event) - 1);
> -          i < (sizeof(struct tcpa_event) + temp_event.event_size); i++)
> -             seq_putc(m, temp_ptr[i]);
> +     seq_write(m, &temp_event, sizeof(temp_event));
> +     seq_write(m, event->event_data, temp_event.event_size);
>  
>       return 0;
> -
>  }
>  
>  static int tpm1_ascii_bios_measurements_show(struct seq_file *m, void *v)

BR, Jarkko

Reply via email to