On 01/09/2017 11:05 AM, Jarkko Sakkinen wrote:
> On Thu, Jan 05, 2017 at 07:11:24AM -0500, Stefan Berger wrote:
>> Check the size of the response before accessing data in
>> the response packet. This is to avoid accessing data beyond
>> the end of the response.
>>
>> Signed-off-by: Stefan Berger <[email protected]>
> How on earth could this happen if we request only one property?

My test program vtpmctrl ( https://github.com/stefanberger/linux-vtpm-tests ) didn't feed the kernel a proper response to a TPM command and that's why this code blew up. We do have a very basic check in the driver and otherwise assume that the TPM is a trusted device responding with an expected response.

http://lxr.free-electrons.com/source/drivers/char/tpm/tpm-interface.c#L417

    len = tpm_transmit(chip, (const u8 *)cmd, len, flags);
    if (len < 0)
            return len;
    else if (len < TPM_HEADER_SIZE)
            return -EFAULT;

Now should we expand on this check or just assume the device is flawless? This particular check above should probably check whether the len is also what the len in the packet indicates.

   Stefan
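
The stricter check discussed in the message above, sketched as an added user-space example (not part of the original email and not the kernel driver's code): the length field in the response header must equal the number of bytes received, and a body field is read only after a bounds check. The helper names `tpm_resp_check` and `tpm_resp_get_u32` and the sample buffers are assumptions made for illustration.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>

#define TPM_HEADER_SIZE 10 /* tag (2) + length (4) + return code (4) */

/* Constructed sample responses (not captured from a real TPM). */
const uint8_t good_resp[]  = { 0x00, 0xC4, 0, 0, 0, 14, 0, 0, 0, 0, 0, 0, 0, 0x18 };
const uint8_t lying_resp[] = { 0x00, 0xC4, 0, 0, 0, 14, 0, 0, 0, 0 }; /* claims 14, sends 10 */
const uint8_t empty_resp[] = { 0x00, 0xC4, 0, 0, 0, 10, 0, 0, 0, 0 }; /* header only */

/* Read a big-endian 32-bit value; the caller has already bounds-checked p. */
static uint32_t be32(const uint8_t *p)
{
	return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
	       ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/*
 * Hypothetical helper: check that `len` received bytes form a consistent
 * response and that `need` body bytes at body offset `off` are present.
 */
int tpm_resp_check(const uint8_t *buf, size_t len, size_t off, size_t need)
{
	size_t body;

	if (len < TPM_HEADER_SIZE)           /* the driver's existing check */
		return -EFAULT;
	if (be32(buf + 2) != len)            /* header length must match bytes received */
		return -EFAULT;
	body = len - TPM_HEADER_SIZE;
	if (off > body || need > body - off) /* written to avoid size_t wraparound */
		return -EFAULT;
	return 0;
}

/* Hypothetical accessor: fetch one 32-bit property value from the body. */
int tpm_resp_get_u32(const uint8_t *buf, size_t len, size_t off, uint32_t *out)
{
	int rc = tpm_resp_check(buf, len, off, sizeof(*out));

	if (rc)
		return rc;
	*out = be32(buf + TPM_HEADER_SIZE + off);
	return 0;
}
```

With only the `len < TPM_HEADER_SIZE` check, both `lying_resp` and `empty_resp` would pass and a later read of the property value would run past the received data.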
