From patchwork Tue Jan 10 14:18:14 2017 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Stefan Berger X-Patchwork-Id: 9507599 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id 153CE60762 for ; Tue, 10 Jan 2017 14:18:57 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 09CC62856B for ; Tue, 10 Jan 2017 14:18:57 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id F228328576; Tue, 10 Jan 2017 14:18:56 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-6.9 required=2.0 tests=BAYES_00,RCVD_IN_DNSWL_HI autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id A1BC52856B for ; Tue, 10 Jan 2017 14:18:56 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1033041AbdAJOSv (ORCPT ); Tue, 10 Jan 2017 09:18:51 -0500 Received: from mx0b-001b2d01.pphosted.com ([148.163.158.5]:46891 "EHLO mx0a-001b2d01.pphosted.com" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP id S1033101AbdAJOSt (ORCPT ); Tue, 10 Jan 2017 09:18:49 -0500 Received: from pps.filterd (m0098416.ppops.net [127.0.0.1]) by mx0b-001b2d01.pphosted.com (8.16.0.17/8.16.0.17) with SMTP id v0AEEGhD035742 for ; Tue, 10 Jan 2017 09:18:43 -0500 Received: from e35.co.us.ibm.com (e35.co.us.ibm.com [32.97.110.153]) by mx0b-001b2d01.pphosted.com with ESMTP id 27vcdnyr74-1 (version=TLSv1.2 cipher=AES256-SHA bits=256 verify=NOT) for ; Tue, 10 Jan 2017 09:18:43 -0500 Received: from localhost by e35.co.us.ibm.com with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted for from ; Tue, 10 Jan 2017 07:18:42 -0700 Received: from d03dlp02.boulder.ibm.com (9.17.202.178) by e35.co.us.ibm.com (192.168.1.135) with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted; Tue, 10 Jan 2017 07:18:40 -0700 Received: from b03cxnp07028.gho.boulder.ibm.com (b03cxnp07028.gho.boulder.ibm.com [9.17.130.15]) by d03dlp02.boulder.ibm.com (Postfix) with ESMTP id 583103E40048; Tue, 10 Jan 2017 07:18:40 -0700 (MST) Received: from b03ledav003.gho.boulder.ibm.com (b03ledav003.gho.boulder.ibm.com [9.17.130.234]) by b03cxnp07028.gho.boulder.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id v0AEIMYb12386678; Tue, 10 Jan 2017 07:18:40 -0700 Received: from b03ledav003.gho.boulder.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 3493C6A04C; Tue, 10 Jan 2017 07:18:40 -0700 (MST) Received: from sbct-3.watson.ibm.com (unknown [9.2.141.158]) by b03ledav003.gho.boulder.ibm.com (Postfix) with ESMTP id D55EF6A03B; Tue, 10 Jan 2017 07:18:39 -0700 (MST) From: Stefan Berger To: tpmdd-devel@lists.sourceforge.net Cc: linux-security-module@vger.kernel.org, jarkko.sakkinen@linux.intel.com, Stefan Berger Subject: [PATCH 04/10] tpm: tpm2_get_random: check size of response before accessing data Date: Tue, 10 Jan 2017 09:18:14 -0500 X-Mailer: git-send-email 2.5.5 In-Reply-To: <1484057900-17871-1-git-send-email-stefanb@linux.vnet.ibm.com> References: <1484057900-17871-1-git-send-email-stefanb@linux.vnet.ibm.com> X-TM-AS-GCONF: 00 X-Content-Scanned: Fidelis XPS MAILER x-cbid: 17011014-0012-0000-0000-000012E9B78E X-IBM-SpamModules-Scores: X-IBM-SpamModules-Versions: BY=3.00006408; HX=3.00000240; KW=3.00000007; PH=3.00000004; SC=3.00000199; SDB=6.00805683; UDB=6.00391989; IPR=6.00583019; BA=6.00005042; NDR=6.00000001; ZLA=6.00000005; ZF=6.00000009; ZB=6.00000000; ZP=6.00000000; ZH=6.00000000; ZU=6.00000002; MB=3.00013877; XFM=3.00000011; UTC=2017-01-10 14:18:41 X-IBM-AV-DETECTION: SAVI=unused REMOTE=unused XFE=unused x-cbparentid: 17011014-0013-0000-0000-000049FDC384 Message-Id: <1484057900-17871-4-git-send-email-stefanb@linux.vnet.ibm.com> X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:, , definitions=2017-01-10_12:, , signatures=0 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 spamscore=0 suspectscore=1 malwarescore=0 phishscore=0 adultscore=0 bulkscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1612050000 definitions=main-1701100209 Sender: owner-linux-security-module@vger.kernel.org Precedence: bulk List-ID: X-Virus-Scanned: ClamAV using ClamSMTP Check the size of the response before accessing data in the response packet. This is to avoid accessing data beyond the end of the response. Signed-off-by: Stefan Berger --- drivers/char/tpm/tpm2-cmd.c | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/drivers/char/tpm/tpm2-cmd.c b/drivers/char/tpm/tpm2-cmd.c index e3f760c..1e704a1 100644 --- a/drivers/char/tpm/tpm2-cmd.c +++ b/drivers/char/tpm/tpm2-cmd.c @@ -363,7 +363,7 @@ static const struct tpm_input_header tpm2_getrandom_header = { int tpm2_get_random(struct tpm_chip *chip, u8 *out, size_t max) { struct tpm2_cmd cmd; - u32 recd; + u32 recd, rlength; u32 num_bytes; int err; int total = 0; @@ -385,8 +385,16 @@ int tpm2_get_random(struct tpm_chip *chip, u8 *out, size_t max) if (err) break; + rlength = be32_to_cpu(cmd.header.out.length); + if (rlength < offsetof(struct tpm2_cmd, + params.getrandom_out.buffer)) + return -EFAULT; + recd = min_t(u32, be16_to_cpu(cmd.params.getrandom_out.size), num_bytes); + if (rlength < offsetof(struct tpm2_cmd, + params.getrandom_out.buffer) + recd) + return -EFAULT; memcpy(dest, cmd.params.getrandom_out.buffer, recd); dest += recd;