From patchwork Thu Oct 27 21:50:09 2016 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Josh Zimmerman X-Patchwork-Id: 9400539 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id 1EEE760588 for ; Thu, 27 Oct 2016 21:50:25 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 080A42A3BB for ; Thu, 27 Oct 2016 21:50:25 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id F0E5D2A3E3; Thu, 27 Oct 2016 21:50:24 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-6.9 required=2.0 tests=BAYES_00, DKIM_ADSP_CUSTOM_MED, RCVD_IN_DNSWL_HI autolearn=ham version=3.3.1 Received: from lists.sourceforge.net (lists.sourceforge.net [216.34.181.88]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by mail.wl.linuxfoundation.org (Postfix) with ESMTPS id E347C2A3BB for ; Thu, 27 Oct 2016 21:50:23 +0000 (UTC) Received: from localhost ([127.0.0.1] helo=sfs-ml-3.v29.ch3.sourceforge.com) by sfs-ml-3.v29.ch3.sourceforge.com with esmtp (Exim 4.76) (envelope-from ) id 1bzsZ1-0000uX-VD; Thu, 27 Oct 2016 21:50:19 +0000 Received: from sog-mx-1.v43.ch3.sourceforge.com ([172.29.43.191] helo=mx.sourceforge.net) by sfs-ml-3.v29.ch3.sourceforge.com with esmtp (Exim 4.76) (envelope-from ) id 1bzsZ0-0000uG-QC for tpmdd-devel@lists.sourceforge.net; Thu, 27 Oct 2016 21:50:18 +0000 Received-SPF: pass (sog-mx-1.v43.ch3.sourceforge.com: domain of google.com designates 209.85.192.169 as permitted sender) client-ip=209.85.192.169; envelope-from=joshz@google.com; helo=mail-pf0-f169.google.com; Received: from mail-pf0-f169.google.com ([209.85.192.169]) by sog-mx-1.v43.ch3.sourceforge.com with esmtps (TLSv1:AES128-SHA:128) (Exim 4.76) id 1bzsYz-0008Pr-Vn for tpmdd-devel@lists.sourceforge.net; Thu, 27 Oct 2016 21:50:18 +0000 Received: by mail-pf0-f169.google.com with SMTP id 197so24660632pfu.0 for ; Thu, 27 Oct 2016 14:50:17 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:date:from:to:subject:message-id:mime-version :content-disposition:user-agent; bh=WvWwli09XuZUa7ftpwEsHfrUD5H3GjP9CRMIjIZ6Iug=; b=Vqa2nZYd0Xb5RPNM8hCcwVmDzhyGzHh3wBumeILrqklZ00AQ3F5qHKJUrqMSZKURQs t+dK2asDxO568Iw/5iYnlUvBG8Dfop5g3+2w8EQsp0zYxIl3eLBXiBkeuWC9up7n3WwC ELRiegTnBVGUGhUR00brEkX6M63C9lkUeUIsNbQgmmfjGB4H7LDBM/ec5ZrQvMxtnE+D pCprgW6OPiG+vMEbMDyIDHRPLWX2+qNMYRsM2IeXhxbalOAmX4LRS1Q/zPk2Pa/kr0Lx KludyB38jg9VeA8c5YW39vdPsCanpgYMQMy6sySTiI8Act2IBRaTy/ZmyImQwTXrrUcP PcEg== X-Gm-Message-State: ABUngvcqgEqgyovtX4vRQo7T2Ixxon1Hh4a34ahj80InhK0qN99rSdXyofu/bbT23DAukpWi X-Received: by 10.98.70.29 with SMTP id t29mr18620902pfa.185.1477605012050; Thu, 27 Oct 2016 14:50:12 -0700 (PDT) Received: from google.com ([2620:0:1008:13:89b3:582:99cd:955d]) by smtp.gmail.com with ESMTPSA id m188sm13908972pfc.40.2016.10.27.14.50.11 (version=TLS1_2 cipher=AES128-SHA bits=128/128); Thu, 27 Oct 2016 14:50:11 -0700 (PDT) Date: Thu, 27 Oct 2016 14:50:09 -0700 From: Josh Zimmerman To: Peter Huewe , Marcel Selhorst , Jarkko Sakkinen , Jason Gunthorpe , tpmdd-devel@lists.sourceforge.net Message-ID: <20161027215009.GA12733@google.com> MIME-Version: 1.0 Content-Disposition: inline User-Agent: Mutt/1.5.21 (2010-09-15) X-Headers-End: 1bzsYz-0008Pr-Vn Subject: [tpmdd-devel] [PATCH v5] tpm_tis: Check return values from get_burstcount. X-BeenThere: tpmdd-devel@lists.sourceforge.net X-Mailman-Version: 2.1.9 Precedence: list List-Id: Tpm Device Driver maintainance List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: tpmdd-devel-bounces@lists.sourceforge.net X-Virus-Scanned: ClamAV using ClamSMTP If the TPM we're connecting to uses a static burst count, it will report a burst count of zero throughout the response read. However, get_burstcount assumes that a response of zero indicates that the TPM is not ready to receive more data. In this case, it returns a negative error code, which is passed on to tpm_tis_{write,read}_bytes as a u16, causing them to read/write far too many bytes. This patch checks for negative return codes and bails out from recv_data and tpm_tis_send_data. Fixes: 1107d065fdf1 (tpm_tis: Introduce intermediate layer for TPM access) Signed-off-by: Josh Zimmerman Reviewed-by: Jarkko Sakkinen --- Changelog v5: - Move burstcnt < 0 check to before the min_t() call for enhanced readability. Changelog v4: - Add short description to Fixes tag line. - Remove some unnecessary information in dev_err statements. Changelog v3: - Add signed-off-by. Changelog v2: - Fix typo (rc->burstcnt) --- drivers/char/tpm/tpm_tis_core.c | 15 +++++++++++++-- 1 file changed, 13 insertions(+), 2 deletions(-) diff --git a/drivers/char/tpm/tpm_tis_core.c b/drivers/char/tpm/tpm_tis_core.c index e3bf31b..a1ce060 100644 --- a/drivers/char/tpm/tpm_tis_core.c +++ b/drivers/char/tpm/tpm_tis_core.c @@ -185,7 +185,12 @@ static int recv_data(struct tpm_chip *chip, u8 *buf, size_t count) TPM_STS_DATA_AVAIL | TPM_STS_VALID, chip->timeout_c, &priv->read_queue, true) == 0) { - burstcnt = min_t(int, get_burstcount(chip), count - size); + burstcnt = get_burstcount(chip); + if (burstcnt < 0) { + dev_err(&chip->dev, "Unable to read burstcount\n"); + return burstcnt; + } + burstcnt = min_t(int, burstcnt, count - size); rc = tpm_tis_read_bytes(priv, TPM_DATA_FIFO(priv->locality), burstcnt, buf + size); @@ -271,7 +276,13 @@ static int tpm_tis_send_data(struct tpm_chip *chip, u8 *buf, size_t len) } while (count < len - 1) { - burstcnt = min_t(int, get_burstcount(chip), len - count - 1); + burstcnt = get_burstcount(chip); + if (burstcnt < 0) { + dev_err(&chip->dev, "Unable to read burstcount\n"); + rc = burstcnt; + goto out_err; + } + burstcnt = min_t(int, burstcnt, len - count - 1); rc = tpm_tis_write_bytes(priv, TPM_DATA_FIFO(priv->locality), burstcnt, buf + count); if (rc < 0)