Re: [PATCH v2] tpm: fix event_size output in tpm1_binary_bios_measurements_show

Wed, 10 Jun 2026 13:42:06 -0700 

On Fri, May 22, 2026 at 03:55:03PM +0300, Jarkko Sakkinen wrote:
> On Fri, May 22, 2026 at 11:44:38AM +0200, Thorsten Blum wrote:
> > Commit 186d124f07da ("tpm_eventlog.c: fix binary_bios_measurements")
> > split the output to write the endian-converted event header first and
> > then the variable-length event data.
> > 
> > However, the split was at sizeof(struct tcpa_event) - 1, even though
> > event_data was a zero-length array, and later a flexible array member,
> > both of which already excluded the event data.
> > 
> > Therefore, the current code writes the first three bytes of event_size
> > from the endian-converted header and then the last byte from the raw
> > header, which can emit a corrupted event_size on PPC64, where
> > do_endian_conversion() maps to be32_to_cpu().
> > 
> > Split one byte later to write the full endian-converted header first,
> > followed by the variable-length event->event_data.
> > 
> > Fixes: 186d124f07da ("tpm_eventlog.c: fix binary_bios_measurements")
> > Cc: [email protected]
> > Signed-off-by: Thorsten Blum <[email protected]>
> > ---
> > Changes in v2:
> > - Minimal fix without using seq_write()
> > - v1: 
> > https://lore.kernel.org/lkml/[email protected]/
> > ---
> >  drivers/char/tpm/eventlog/tpm1.c | 4 ++--
> >  1 file changed, 2 insertions(+), 2 deletions(-)
> > 
> > diff --git a/drivers/char/tpm/eventlog/tpm1.c 
> > b/drivers/char/tpm/eventlog/tpm1.c
> > index e7913b2853d5..0397e3361020 100644
> > --- a/drivers/char/tpm/eventlog/tpm1.c
> > +++ b/drivers/char/tpm/eventlog/tpm1.c
> > @@ -236,12 +236,12 @@ static int tpm1_binary_bios_measurements_show(struct 
> > seq_file *m, void *v)
> >  
> >     temp_ptr = (char *) &temp_event;
> >  
> > -   for (i = 0; i < (sizeof(struct tcpa_event) - 1) ; i++)
> > +   for (i = 0; i < sizeof(struct tcpa_event); i++)
> >             seq_putc(m, temp_ptr[i]);
> >  
> >     temp_ptr = (char *) v;
> >  
> > -   for (i = (sizeof(struct tcpa_event) - 1);
> > +   for (i = sizeof(struct tcpa_event);
> >          i < (sizeof(struct tcpa_event) + temp_event.event_size); i++)
> >             seq_putc(m, temp_ptr[i]);
> >  
> 
> This was really good catch, thank you. I'll apply in a minute.

Has this already been applied somewhere?

Thanks,
Thorsten

Reply via email to