From patchwork Mon Sep 4 17:36:42 2017
X-Patchwork-Submitter: Alexander Steffen
X-Patchwork-Id: 9937477
From: Alexander Steffen
Subject: [PATCH v2] tpm-dev-common: Reject too short writes
Date: Mon, 4 Sep 2017 19:36:42 +0200
Message-ID: <20170904173642.5988-1-Alexander.Steffen@infineon.com>

tpm_transmit() does not offer an explicit interface to indicate the number
of valid bytes in the communication buffer. Instead, it relies on the
commandSize field in the TPM header that is encoded within the buffer.
Therefore, ensure that a) enough data has been written to the buffer, so
that the commandSize field is present and b) the commandSize field does not
announce more data than has been written to the buffer.

This should have been fixed with CVE-2011-1161 long ago, but apparently a
correct version of that patch never made it into the kernel.

Cc: stable@vger.kernel.org
Signed-off-by: Alexander Steffen
Reviewed-by: Jarkko Sakkinen
---
v2:
- Moved all changes to tpm_common_write in a single patch.

 drivers/char/tpm/tpm-dev-common.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/drivers/char/tpm/tpm-dev-common.c b/drivers/char/tpm/tpm-dev-common.c index 610638a..ac25574 100644 --- a/drivers/char/tpm/tpm-dev-common.c +++ b/drivers/char/tpm/tpm-dev-common.c @@ -99,7 +99,8 @@ ssize_t tpm_common_write(struct file *file, const char __user *buf, if (atomic_read(&priv->data_pending) != 0) return -EBUSY; - if (in_size > TPM_BUFSIZE) + if (in_size > sizeof(priv->data_buffer) || in_size < 6 || + in_size < be32_to_cpu(*((__be32 *) (buf + 2)))) return -E2BIG; mutex_lock(&priv->buffer_mutex);
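
Review bot: The third condition in the new check, in_size < be32_to_cpu(*((__be32 *) (buf + 2))), dereferences buf directly, but the hunk header shows it declared as const char __user *buf, so the kernel reads user memory here without copy_from_user() or get_user(). Even if the access succeeds, the commandSize value checked at this point can differ from the one that later ends up in priv->data_buffer, because user space can change it in between. Keep only the two bounds on in_size at this spot and compare commandSize against in_size after the data is in priv->data_buffer, reading the field from the kernel copy. Offset 2 is also not 4-byte aligned, so get_unaligned_be32() would be safer than the cast. Two smaller points on the same lines: returning -E2BIG for in_size < 6 reports a too short write as "too big", where -EINVAL would describe it better, and the bare 6 deserves a named constant or a comment saying that it covers the 2-byte tag plus the 4-byte commandSize field.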