X-Patchwork-Submitter: Alexander Steffen
X-Patchwork-Id: 9944481
From: Alexander Steffen
Subject: [PATCH v3] tpm-dev-common: Reject too short writes
Date: Fri, 8 Sep 2017 17:21:32 +0200
Message-ID: <20170908152132.8728-1-Alexander.Steffen@infineon.com>

tpm_transmit() does not offer an explicit interface to indicate the number of valid bytes in the communication buffer. Instead, it relies on the commandSize field in the TPM header that is encoded within the buffer. Therefore, ensure that a) enough data has been written to the buffer, so that the commandSize field is present and b) the commandSize field does not announce more data than has been written to the buffer.

This should have been fixed with CVE-2011-1161 long ago, but apparently a correct version of that patch never made it into the kernel.

Cc: stable@vger.kernel.org
Signed-off-by: Alexander Steffen Reviewed-by: Jarkko Sakkinen Tested-by: Jarkko Sakkinen --- v2: - Moved all changes to tpm_common_write in a single patch. v3: - Access data copied from user space (priv->data_buffer) instead of user space data directly (buf). - Changed return code to EINVAL. drivers/char/tpm/tpm-dev-common.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/drivers/char/tpm/tpm-dev-common.c b/drivers/char/tpm/tpm-dev-common.c index 610638a..461bf0b 100644 --- a/drivers/char/tpm/tpm-dev-common.c +++ b/drivers/char/tpm/tpm-dev-common.c @@ -110,6 +110,12 @@ ssize_t tpm_common_write(struct file *file, const char __user *buf, return -EFAULT; } + if (in_size < 6 || + in_size < be32_to_cpu(*((__be32 *) (priv->data_buffer + 2)))) { + mutex_unlock(&priv->buffer_mutex); + return -EINVAL; + } + /* atomic tpm command send and result receive. We only hold the ops * lock during this period so that the tpm can be unregistered even if * the char dev is held open.
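
Review bot: the second condition of the added check in tpm_common_write() reads commandSize by dereferencing (__be32 *) (priv->data_buffer + 2), a 32-bit load at a 2-byte offset into the buffer, so it is misaligned whenever the buffer itself is 4-byte aligned; get_unaligned_be32(priv->data_buffer + 2) would read the same field without depending on the architecture tolerating that. The literals 6 and 2 stand for the header layout (a 2-byte tag followed by the 4-byte commandSize), and a named constant or a short comment would make that visible at the check. The condition also lets through a commandSize that is smaller than 6 or smaller than in_size, so it is worth stating in the commit message or a comment whether those cases are meant to be handled by tpm_transmit().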