Stefan Berger <[email protected]> wrote on 01/05/2017 07:11:24 AM:
>
> Check the size of the response before accessing data in
> the response packet. This is to avoid accessing data beyond
> the end of the response.
This patch applies on top of Jarkko's tabrm tree.
There are of course many more places where such checks should be done, if
we agree that we want them to be done.
Stefan
>
> Signed-off-by: Stefan Berger <[email protected]>
> ---
> drivers/char/tpm/tpm2-cmd.c | 6 ++++++
> 1 file changed, 6 insertions(+)
>
> diff --git a/drivers/char/tpm/tpm2-cmd.c b/drivers/char/tpm/tpm2-cmd.c
> index abaa355..98e591b 100644
> --- a/drivers/char/tpm/tpm2-cmd.c
> +++ b/drivers/char/tpm/tpm2-cmd.c
> @@ -394,6 +394,10 @@ int tpm2_get_random(struct tpm_chip *chip, u8
> *out, size_t max)
> (sizeof(struct tpm_input_header) + \
> sizeof(struct tpm2_get_tpm_pt_in))
>
> +#define TPM2_GET_TPM_PT_OUT_SIZE \
> + (sizeof(struct tpm_output_header) + \
> + sizeof(struct tpm2_get_tpm_pt_out))
> +
> static const struct tpm_input_header tpm2_get_tpm_pt_header = {
> .tag = cpu_to_be16(TPM2_ST_NO_SESSIONS),
> .length = cpu_to_be32(TPM2_GET_TPM_PT_IN_SIZE),
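Review bot: TPM2_GET_TPM_PT_OUT_SIZE has no comment saying what it bounds. The check added further down compares the response length against it with "<", so it acts as a minimum length. A one-line comment above the #define stating that it is the smallest response from which get_tpm_pt_out.value can be read would make that intent clear to anyone who copies this pattern for other commands.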
> @@ -713,6 +717,8 @@ ssize_t tpm2_get_tpm_pt(struct tpm_chip *chip,
> u32 property_id, u32 *value,
> cmd.params.get_tpm_pt_in.property_cnt = cpu_to_be32(1);
>
> rc = tpm_transmit_cmd(chip, NULL, &cmd, sizeof(cmd), 0, desc);
> + if (be32_to_cpu(cmd.header.out.length) < TPM2_GET_TPM_PT_OUT_SIZE)
> + return -EFAULT;
> if (!rc)
> *value = be32_to_cpu(cmd.params.get_tpm_pt_out.value);
>
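Review bot: The new length check in tpm2_get_tpm_pt() sits before "if (!rc)", so it also runs when tpm_transmit_cmd() has reported a failure. In that case a short response replaces the original rc with -EFAULT and the caller loses the real error. Moving the comparison inside the "if (!rc)" branch, just ahead of the read of cmd.params.get_tpm_pt_out.value, keeps rc intact and still guards the access. The check also relies on cmd.header.out.length, the length field carried in the response itself. If tpm_transmit_cmd() can make the number of bytes actually received available, comparing against that would not depend on what the response claims about its own size.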
> --
> 2.4.3
>
>
>
------------------------------------------------------------------------------
> Check out the vibrant tech community on one of the world's most
> engaging tech sites, SlashDot.org! http://sdm.link/slashdot
> _______________________________________________
> tpmdd-devel mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/tpmdd-devel
>