On Thu, Nov 7, 2019 at 3:14 AM Stefan Berger <stef...@linux.vnet.ibm.com> wrote:
>
> When querying a TPM 2.0 for its PCRs, make sure that we get enough bytes
> from it in a response that did not indicate a failure. Basically we are
> defending against a TPM 2.0 sending responses that are not compliant to
> the specs.
>
> Signed-off-by: Stefan Berger <stef...@linux.ibm.com>
Reviewed-by: Marc-André Lureau <marcandre.lur...@redhat.com> > --- > src/tcgbios.c | 13 +++++++++++-- > 1 file changed, 11 insertions(+), 2 deletions(-) > > diff --git a/src/tcgbios.c b/src/tcgbios.c > index 2e503f9..95c1e94 100644 > --- a/src/tcgbios.c > +++ b/src/tcgbios.c > @@ -481,8 +481,17 @@ tpm20_get_pcrbanks(void) > if (ret) > return ret; > > - u32 size = be32_to_cpu(trg->hdr.totlen) - > - offsetof(struct tpm2_res_getcapability, data); > + /* defend against (broken) TPM sending packets that are too short */ > + u32 resplen = be32_to_cpu(trg->hdr.totlen); > + if (resplen <= offsetof(struct tpm2_res_getcapability, data)) > + return -1; > + > + u32 size = resplen - offsetof(struct tpm2_res_getcapability, data); > + /* we need a valid tpml_pcr_selection up to and including sizeOfSelect */ > + if (size < offsetof(struct tpml_pcr_selection, selections) + > + offsetof(struct tpms_pcr_selection, pcrSelect)) > + return -1; > + > tpm20_pcr_selection = malloc_high(size); > if (tpm20_pcr_selection) { > memcpy(tpm20_pcr_selection, &trg->data, size); > -- > 2.20.1 > _______________________________________________ > SeaBIOS mailing list -- seabios@seabios.org > To unsubscribe send an email to seabios-le...@seabios.org -- Marc-André Lureau
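Review bot: the two new checks bound resplen only from below, so size is still derived from the device-reported trg->hdr.totlen with no upper limit before it reaches malloc_high(size) and memcpy(tpm20_pcr_selection, &trg->data, size). A non-compliant TPM that reports a totlen larger than the data it actually returned would make that memcpy read past the response. Consider also returning -1 when resplen exceeds the size of the buffer behind trg (its declaration is not visible in this hunk), so the length is validated in both directions. A smaller point on the second check: as its comment says, it only guarantees the first tpms_pcr_selection up to sizeOfSelect, so any later walk over the stored selections still has to bound itself by size.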