On Thu, Jan 05, 2017 at 07:11:24AM -0500, Stefan Berger wrote:
> Check the size of the response before accessing data in
> the response packet. This is to avoid accessing data beyond
> the end of the response.
> 
> Signed-off-by: Stefan Berger <[email protected]>

How on earth could this happen if we request only one property?

/Jarkko

> ---
>  drivers/char/tpm/tpm2-cmd.c | 6 ++++++
>  1 file changed, 6 insertions(+)
> 
> diff --git a/drivers/char/tpm/tpm2-cmd.c b/drivers/char/tpm/tpm2-cmd.c
> index abaa355..98e591b 100644
> --- a/drivers/char/tpm/tpm2-cmd.c
> +++ b/drivers/char/tpm/tpm2-cmd.c
> @@ -394,6 +394,10 @@ int tpm2_get_random(struct tpm_chip *chip, u8 *out, 
> size_t max)
>       (sizeof(struct tpm_input_header) + \
>        sizeof(struct tpm2_get_tpm_pt_in))
>  
> +#define TPM2_GET_TPM_PT_OUT_SIZE \
> +     (sizeof(struct tpm_output_header) + \
> +      sizeof(struct tpm2_get_tpm_pt_out))
> +
>  static const struct tpm_input_header tpm2_get_tpm_pt_header = {
>       .tag = cpu_to_be16(TPM2_ST_NO_SESSIONS),
>       .length = cpu_to_be32(TPM2_GET_TPM_PT_IN_SIZE),
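Review bot: TPM2_GET_TPM_PT_OUT_SIZE is introduced without a comment, and since it is the bound the new length check compares against it should say what it means: the minimum number of bytes a response must carry for get_tpm_pt_out to be fully present, not the exact length of every response. A one-line comment above the #define, next to its TPM2_GET_TPM_PT_IN_SIZE sibling, would make the intent of the check in the second hunk clear to the next reader.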
> @@ -713,6 +717,8 @@ ssize_t tpm2_get_tpm_pt(struct tpm_chip *chip, u32 
> property_id,  u32 *value,
>       cmd.params.get_tpm_pt_in.property_cnt = cpu_to_be32(1);
>  
>       rc = tpm_transmit_cmd(chip, NULL, &cmd, sizeof(cmd), 0, desc);
> +     if (be32_to_cpu(cmd.header.out.length) < TPM2_GET_TPM_PT_OUT_SIZE)
> +             return -EFAULT;
>       if (!rc)
>               *value = be32_to_cpu(cmd.params.get_tpm_pt_out.value);
>  
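Review bot: the new length check runs before rc is inspected, so when tpm_transmit_cmd() fails the header may never have been filled in by the device and the caller gets -EFAULT instead of the real transmit error. Test rc first and only then validate the length, e.g.
    if (rc)
            return rc;
    if (be32_to_cpu(cmd.header.out.length) < TPM2_GET_TPM_PT_OUT_SIZE)
            return -EIO;
followed by the unconditional assignment to *value. -EFAULT conventionally signals a bad user-space address; a short or malformed device response reads better as -EIO. The commit message should also spell out the scenario this guards against (a TPM returning fewer bytes than the single requested property needs), which is the question raised above.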
> -- 
> 2.4.3
> 

_______________________________________________
tpmdd-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/tpmdd-devel