[tpmdd-devel] [PATCH] tpm2: fix off-by-one comparison and out-of-bounds read error

Colin King Mon, 20 Mar 2017 07:25:14 -0700

From: Colin Ian King <colin.k...@canonical.com>

The comparison of an out of range index into space->context_tbl is
off-by-one and should be using >= rather than > in the comparison.


Detected by CoverityScan, CID#1419694 ("Out-of-bounds read")

Fixes: 849246e7ce9ce ("tpm2: add session handle context saving and restoring to 
the space code")
Signed-off-by: Colin Ian King <colin.k...@canonical.com>
---
 drivers/char/tpm/tpm2-space.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/char/tpm/tpm2-space.c b/drivers/char/tpm/tpm2-space.c
index d36d81e07076..009934269514 100644
--- a/drivers/char/tpm/tpm2-space.c
+++ b/drivers/char/tpm/tpm2-space.c
@@ -229,7 +229,7 @@ static bool tpm2_map_to_phandle(struct tpm_space *space, 
void *handle)
        int i;
 
        i = 0xFFFFFF - (vhandle & 0xFFFFFF);
-       if (i > ARRAY_SIZE(space->context_tbl) || !space->context_tbl[i])
+       if (i >= ARRAY_SIZE(space->context_tbl) || !space->context_tbl[i])
                return false;
 
        phandle = space->context_tbl[i];
-- 
2.11.0


------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
tpmdd-devel mailing list
tpmdd-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/tpmdd-devel

[tpmdd-devel] [PATCH] tpm2: fix off-by-one comparison and out-of-bounds read error

Reply via email to