Commit f9d4d9b5 authored by Jeremy Boone's avatar Jeremy Boone Committed by James Morris

tpm_i2c_nuvoton: fix potential buffer overruns caused by bit glitches on the bus

Discrete TPMs are often connected over slow serial buses which, on
some platforms, can have glitches causing bit flips.  In all the
driver _recv() functions, we need to use a u32 to unmarshal the
response size, otherwise a bit flip of the 31st bit would cause the
expected variable to go negative, which would then try to read a huge
amount of data.  Also sanity check that the expected amount of data is
large enough for the TPM header.
Signed-off-by: default avatarJeremy Boone <jeremy.boone@nccgroup.trust>
Cc: stable@vger.kernel.org
Signed-off-by: default avatarJames Bottomley <James.Bottomley@HansenPartnership.com>
Reviewed-by: default avatarJarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Signed-off-by: default avatarJarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Signed-off-by: default avatarJames Morris <james.morris@microsoft.com>
parent 6bb320ca
...@@ -281,7 +281,11 @@ static int i2c_nuvoton_recv(struct tpm_chip *chip, u8 *buf, size_t count) ...@@ -281,7 +281,11 @@ static int i2c_nuvoton_recv(struct tpm_chip *chip, u8 *buf, size_t count)
struct device *dev = chip->dev.parent; struct device *dev = chip->dev.parent;
struct i2c_client *client = to_i2c_client(dev); struct i2c_client *client = to_i2c_client(dev);
s32 rc; s32 rc;
int expected, status, burst_count, retries, size = 0; int status;
int burst_count;
int retries;
int size = 0;
u32 expected;
if (count < TPM_HEADER_SIZE) { if (count < TPM_HEADER_SIZE) {
i2c_nuvoton_ready(chip); /* return to idle */ i2c_nuvoton_ready(chip); /* return to idle */
...@@ -323,7 +327,7 @@ static int i2c_nuvoton_recv(struct tpm_chip *chip, u8 *buf, size_t count) ...@@ -323,7 +327,7 @@ static int i2c_nuvoton_recv(struct tpm_chip *chip, u8 *buf, size_t count)
* to machine native * to machine native
*/ */
expected = be32_to_cpu(*(__be32 *) (buf + 2)); expected = be32_to_cpu(*(__be32 *) (buf + 2));
if (expected > count) { if (expected > count || expected < size) {
dev_err(dev, "%s() expected > count\n", __func__); dev_err(dev, "%s() expected > count\n", __func__);
size = -EIO; size = -EIO;
continue; continue;
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment