summaryrefslogtreecommitdiffstats
path: root/drivers/char/tpm/tpm2-cmd.c
diff options
context:
space:
mode:
authorJeremy Boone <jeremy.boone@nccgroup.trust>2018-02-08 12:28:08 -0800
committerJames Morris <james.morris@microsoft.com>2018-02-26 15:43:46 -0800
commit3be23274755ee85771270a23af7691dc9b3a95db (patch)
tree5ab99a5a989b5e83010043345c2ed28f3fd760dc /drivers/char/tpm/tpm2-cmd.c
parent6d24cd186d9fead3722108dec1b1c993354645ff (diff)
downloadlinux-3be23274755ee85771270a23af7691dc9b3a95db.tar.gz
linux-3be23274755ee85771270a23af7691dc9b3a95db.tar.bz2
linux-3be23274755ee85771270a23af7691dc9b3a95db.zip
tpm: fix potential buffer overruns caused by bit glitches on the bus
Discrete TPMs are often connected over slow serial buses which, on some platforms, can have glitches causing bit flips. If a bit does flip it could cause an overrun if it's in one of the size parameters, so sanity check that we're not overrunning the provided buffer when doing a memcpy(). Signed-off-by: Jeremy Boone <jeremy.boone@nccgroup.trust> Cc: stable@vger.kernel.org Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com> Reviewed-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com> Tested-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com> Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com> Signed-off-by: James Morris <james.morris@microsoft.com>
Diffstat (limited to 'drivers/char/tpm/tpm2-cmd.c')
-rw-r--r--drivers/char/tpm/tpm2-cmd.c4
1 files changed, 4 insertions, 0 deletions
diff --git a/drivers/char/tpm/tpm2-cmd.c b/drivers/char/tpm/tpm2-cmd.c
index c17e75348a99..a700f8f9ead7 100644
--- a/drivers/char/tpm/tpm2-cmd.c
+++ b/drivers/char/tpm/tpm2-cmd.c
@@ -683,6 +683,10 @@ static int tpm2_unseal_cmd(struct tpm_chip *chip,
if (!rc) {
data_len = be16_to_cpup(
(__be16 *) &buf.data[TPM_HEADER_SIZE + 4]);
+ if (data_len < MIN_KEY_SIZE || data_len > MAX_KEY_SIZE + 1) {
+ rc = -EFAULT;
+ goto out;
+ }
rlength = be32_to_cpu(((struct tpm2_cmd *)&buf)
->header.out.length);