[01/10] tpm: Check received number of bytes against length indicator in header
diff mbox

Message ID 1484057900-17871-1-git-send-email-stefanb@linux.vnet.ibm.com
State New
Headers show

Commit Message

Stefan Berger Jan. 10, 2017, 2:18 p.m. UTC
Make sure that we have not received less bytes than what is indicated
in the header of the TPM response.

Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
---
 drivers/char/tpm/tpm-interface.c | 2 ++
 1 file changed, 2 insertions(+)

Comments

Jason Gunthorpe Jan. 10, 2017, 4:15 p.m. UTC | #1
On Tue, Jan 10, 2017 at 09:18:11AM -0500, Stefan Berger wrote:
> Make sure that we have not received less bytes than what is indicated
> in the header of the TPM response.

IMHO this entire series should be tagged for stable, can you please
add a Cc: and Fixes:

Thanks,
Jason
--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Stefan Berger Jan. 10, 2017, 7:59 p.m. UTC | #2
On 01/10/2017 11:15 AM, Jason Gunthorpe wrote:
> On Tue, Jan 10, 2017 at 09:18:11AM -0500, Stefan Berger wrote:
>> Make sure that we have not received less bytes than what is indicated
>> in the header of the TPM response.
> IMHO this entire series should be tagged for stable, can you please
> add a Cc: and Fixes:

I don't have a way to test all the commands to make sure whether one is 
now failing. Several ones for TPM 1.2 are reachable via sysfs, but not 
so easy for TPM2. So I would suggest to try it out first, then propagate 
it into stable after some time.

     Stefan

>
> Thanks,
> Jason
>

--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Jarkko Sakkinen Jan. 12, 2017, 2:45 p.m. UTC | #3
On Tue, Jan 10, 2017 at 09:18:11AM -0500, Stefan Berger wrote:
> Make sure that we have not received less bytes than what is indicated
> in the header of the TPM response.
> 
> Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>

NAK for the whole patch set as it is missing the cover letter.

Also you should pick my validation patch to this patch set and do the
check inside the new function.

/Jarkko

> ---
>  drivers/char/tpm/tpm-interface.c | 2 ++
>  1 file changed, 2 insertions(+)
> 
> diff --git a/drivers/char/tpm/tpm-interface.c b/drivers/char/tpm/tpm-interface.c
> index fecdd3f..9d6f894 100644
> --- a/drivers/char/tpm/tpm-interface.c
> +++ b/drivers/char/tpm/tpm-interface.c
> @@ -446,6 +446,8 @@ ssize_t tpm_transmit_cmd(struct tpm_chip *chip, const void *cmd,
>  		return -EFAULT;
>  
>  	header = cmd;
> +	if (len < be32_to_cpu(header->length))
> +		return -EFAULT;
>  
>  	err = be32_to_cpu(header->return_code);
>  	if (err != 0 && desc)
> -- 
> 2.4.3
> 
--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Patch
diff mbox

diff --git a/drivers/char/tpm/tpm-interface.c b/drivers/char/tpm/tpm-interface.c
index fecdd3f..9d6f894 100644
--- a/drivers/char/tpm/tpm-interface.c
+++ b/drivers/char/tpm/tpm-interface.c
@@ -446,6 +446,8 @@  ssize_t tpm_transmit_cmd(struct tpm_chip *chip, const void *cmd,
 		return -EFAULT;
 
 	header = cmd;
+	if (len < be32_to_cpu(header->length))
+		return -EFAULT;
 
 	err = be32_to_cpu(header->return_code);
 	if (err != 0 && desc)