From patchwork Tue Jan 10 14:18:15 2017 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Stefan Berger X-Patchwork-Id: 9507597 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id 01F8C6075C for ; Tue, 10 Jan 2017 14:18:57 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id EA5E328573 for ; Tue, 10 Jan 2017 14:18:56 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id DF07028577; Tue, 10 Jan 2017 14:18:56 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-6.9 required=2.0 tests=BAYES_00,RCVD_IN_DNSWL_HI autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 80A4C28570 for ; Tue, 10 Jan 2017 14:18:56 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1032989AbdAJOSs (ORCPT ); Tue, 10 Jan 2017 09:18:48 -0500 Received: from mx0a-001b2d01.pphosted.com ([148.163.156.1]:45139 "EHLO mx0a-001b2d01.pphosted.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1033097AbdAJOSq (ORCPT ); Tue, 10 Jan 2017 09:18:46 -0500 Received: from pps.filterd (m0098409.ppops.net [127.0.0.1]) by mx0a-001b2d01.pphosted.com (8.16.0.17/8.16.0.17) with SMTP id v0AEE5BC078009 for ; Tue, 10 Jan 2017 09:18:46 -0500 Received: from e36.co.us.ibm.com (e36.co.us.ibm.com [32.97.110.154]) by mx0a-001b2d01.pphosted.com with ESMTP id 27vw1b37u7-1 (version=TLSv1.2 cipher=AES256-SHA bits=256 verify=NOT) for ; Tue, 10 Jan 2017 09:18:46 -0500 Received: from localhost by e36.co.us.ibm.com with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted for from ; Tue, 10 Jan 2017 07:18:45 -0700 Received: from d03dlp01.boulder.ibm.com (9.17.202.177) by e36.co.us.ibm.com (192.168.1.136) with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted; Tue, 10 Jan 2017 07:18:42 -0700 Received: from b03cxnp07029.gho.boulder.ibm.com (b03cxnp07029.gho.boulder.ibm.com [9.17.130.16]) by d03dlp01.boulder.ibm.com (Postfix) with ESMTP id 87A8C1FF0026; Tue, 10 Jan 2017 07:18:20 -0700 (MST) Received: from b03ledav003.gho.boulder.ibm.com (b03ledav003.gho.boulder.ibm.com [9.17.130.234]) by b03cxnp07029.gho.boulder.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id v0AEIfiH15335752; Tue, 10 Jan 2017 07:18:41 -0700 Received: from b03ledav003.gho.boulder.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id A0A916A03C; Tue, 10 Jan 2017 07:18:41 -0700 (MST) Received: from sbct-3.watson.ibm.com (unknown [9.2.141.158]) by b03ledav003.gho.boulder.ibm.com (Postfix) with ESMTP id 4CF676A041; Tue, 10 Jan 2017 07:18:41 -0700 (MST) From: Stefan Berger To: tpmdd-devel@lists.sourceforge.net Cc: linux-security-module@vger.kernel.org, jarkko.sakkinen@linux.intel.com, Stefan Berger Subject: [PATCH 05/10] tpm: tpm2_seal_trusted: check size of response before accessing data Date: Tue, 10 Jan 2017 09:18:15 -0500 X-Mailer: git-send-email 2.5.5 In-Reply-To: <1484057900-17871-1-git-send-email-stefanb@linux.vnet.ibm.com> References: <1484057900-17871-1-git-send-email-stefanb@linux.vnet.ibm.com> X-TM-AS-GCONF: 00 X-Content-Scanned: Fidelis XPS MAILER x-cbid: 17011014-0020-0000-0000-00000AB1904A X-IBM-SpamModules-Scores: X-IBM-SpamModules-Versions: BY=3.00006408; HX=3.00000240; KW=3.00000007; PH=3.00000004; SC=3.00000199; SDB=6.00805683; UDB=6.00391989; IPR=6.00583019; BA=6.00005042; NDR=6.00000001; ZLA=6.00000005; ZF=6.00000009; ZB=6.00000000; ZP=6.00000000; ZH=6.00000000; ZU=6.00000002; MB=3.00013877; XFM=3.00000011; UTC=2017-01-10 14:18:43 X-IBM-AV-DETECTION: SAVI=unused REMOTE=unused XFE=unused x-cbparentid: 17011014-0021-0000-0000-000058BE137F Message-Id: <1484057900-17871-5-git-send-email-stefanb@linux.vnet.ibm.com> X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:, , definitions=2017-01-10_12:, , signatures=0 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 spamscore=0 suspectscore=1 malwarescore=0 phishscore=0 adultscore=0 bulkscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1612050000 definitions=main-1701100209 Sender: owner-linux-security-module@vger.kernel.org Precedence: bulk List-ID: X-Virus-Scanned: ClamAV using ClamSMTP Check the size of the response before accessing data in the response packet. This is to avoid accessing data beyond the end of the response. Signed-off-by: Stefan Berger --- drivers/char/tpm/tpm2-cmd.c | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/drivers/char/tpm/tpm2-cmd.c b/drivers/char/tpm/tpm2-cmd.c index 1e704a1..57bb774 100644 --- a/drivers/char/tpm/tpm2-cmd.c +++ b/drivers/char/tpm/tpm2-cmd.c @@ -464,7 +464,7 @@ int tpm2_seal_trusted(struct tpm_chip *chip, { unsigned int blob_len; struct tpm_buf buf; - u32 hash; + u32 hash, rlength; int i; int rc; @@ -533,11 +533,21 @@ int tpm2_seal_trusted(struct tpm_chip *chip, if (rc) goto out; + rlength = be32_to_cpu(((struct tpm2_cmd*)&buf)->header.out.length); + if (rlength < TPM_HEADER_SIZE + 4) { + rc = -EFAULT; + goto out; + } + blob_len = be32_to_cpup((__be32 *) &buf.data[TPM_HEADER_SIZE]); if (blob_len > MAX_BLOB_SIZE) { rc = -E2BIG; goto out; } + if (rlength < TPM_HEADER_SIZE + 4 + blob_len) { + rc = -EFAULT; + goto out; + } memcpy(payload->blob, &buf.data[TPM_HEADER_SIZE + 4], blob_len); payload->blob_len = blob_len;