From patchwork Wed Oct 26 16:33:41 2016 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Josh Zimmerman X-Patchwork-Id: 9397651 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id C1F4160231 for ; Wed, 26 Oct 2016 16:33:55 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id D168629C5F for ; Wed, 26 Oct 2016 16:33:55 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id C526729C63; Wed, 26 Oct 2016 16:33:55 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-6.9 required=2.0 tests=BAYES_00, DKIM_ADSP_CUSTOM_MED, RCVD_IN_DNSWL_HI autolearn=ham version=3.3.1 Received: from lists.sourceforge.net (lists.sourceforge.net [216.34.181.88]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by mail.wl.linuxfoundation.org (Postfix) with ESMTPS id 3C34229C5F for ; Wed, 26 Oct 2016 16:33:54 +0000 (UTC) Received: from localhost ([127.0.0.1] helo=sfs-ml-1.v29.ch3.sourceforge.com) by sfs-ml-1.v29.ch3.sourceforge.com with esmtp (Exim 4.76) (envelope-from ) id 1bzR9D-0001qK-H7; Wed, 26 Oct 2016 16:33:51 +0000 Received: from sog-mx-3.v43.ch3.sourceforge.com ([172.29.43.193] helo=mx.sourceforge.net) by sfs-ml-1.v29.ch3.sourceforge.com with esmtp (Exim 4.76) (envelope-from ) id 1bzR9C-0001qF-S5 for tpmdd-devel@lists.sourceforge.net; Wed, 26 Oct 2016 16:33:50 +0000 Received-SPF: pass (sog-mx-3.v43.ch3.sourceforge.com: domain of google.com designates 209.85.192.182 as permitted sender) client-ip=209.85.192.182; envelope-from=joshz@google.com; helo=mail-pf0-f182.google.com; Received: from mail-pf0-f182.google.com ([209.85.192.182]) by sog-mx-3.v43.ch3.sourceforge.com with esmtps (TLSv1:AES128-SHA:128) (Exim 4.76) id 1bzR9C-0006hE-1c for tpmdd-devel@lists.sourceforge.net; Wed, 26 Oct 2016 16:33:50 +0000 Received: by mail-pf0-f182.google.com with SMTP id s8so142342283pfj.2 for ; Wed, 26 Oct 2016 09:33:50 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:date:from:to:subject:message-id:mime-version :content-disposition:user-agent; bh=5YmvLKg0I6+iJ6VHG+QDG79cLV8WgnCSu4pvypSGeV0=; b=U92bS/+ggEfyRkzMiBVwvNwaJRBbJPfVHNTvkYvAGidcKUmTMnNyp7FZv/rSclZQYJ JUztpwt4RE/5Oum9XmyfeXPN9ykXc85DmfsuBXOKHVktDpmJdNVZbF/xIrJ5I3TYnS92 HD0q9dr8TNtv2wdt0u66Zr7Q6FGHI1BzaEvXCFKaIdgUjtg6PbQOU/9CnYsuJbT3JYjA G0tfgL+/j6+UZB+lr3QkDkZwel6iuyAnpknMj8s8DK2qqCyNpz6noxzYpmbPNYNaS1T1 RcdriEx3w+aKWQQG0ykfLS9BU5IGVllRKu1VzCNuUGYpGuq8A6d/1BCFyKjB9lfk0o6T 0sew== X-Gm-Message-State: ABUngvf5b76+Fc8wm3nlV/Z1uIbZUYQwnTHb9hjw51IQ5xJ360jtwDd54eVzeLQJX5k8/pmj X-Received: by 10.98.211.24 with SMTP id q24mr5689262pfg.69.1477499624075; Wed, 26 Oct 2016 09:33:44 -0700 (PDT) Received: from google.com ([2620:0:1008:13:f50e:c402:564c:639f]) by smtp.gmail.com with ESMTPSA id qy2sm5407272pab.27.2016.10.26.09.33.43 (version=TLS1_2 cipher=AES128-SHA bits=128/128); Wed, 26 Oct 2016 09:33:43 -0700 (PDT) Date: Wed, 26 Oct 2016 09:33:41 -0700 From: Josh Zimmerman To: Peter Huewe , Marcel Selhorst , Jarkko Sakkinen , Jason Gunthorpe , tpmdd-devel@lists.sourceforge.net Message-ID: <20161026163341.GA19855@google.com> MIME-Version: 1.0 Content-Disposition: inline User-Agent: Mutt/1.5.21 (2010-09-15) X-Headers-End: 1bzR9C-0006hE-1c Subject: [tpmdd-devel] [PATCH v3] tpm_tis: Check return values from get_burstcount. X-BeenThere: tpmdd-devel@lists.sourceforge.net X-Mailman-Version: 2.1.9 Precedence: list List-Id: Tpm Device Driver maintainance List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: tpmdd-devel-bounces@lists.sourceforge.net X-Virus-Scanned: ClamAV using ClamSMTP If the TPM we're connecting to uses a static burst count, it will report a burst count of zero throughout the response read. However, get_burstcount assumes that a response of zero indicates that the TPM is not ready to receive more data. In this case, it returns a negative error code, which is passed on to tpm_tis_{write,read}_bytes as a u16, causing them to read/write far too many bytes. This patch checks for negative return codes and bails out from recv_data and tpm_tis_send_data. Fixes: 1107d065fdf1 Signed-off-by: Josh Zimmerman --- Changelog v3: - Add signed-off-by. Changelog v2: - Fix typo (rc->burstcnt) --- drivers/char/tpm/tpm_tis_core.c | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/drivers/char/tpm/tpm_tis_core.c b/drivers/char/tpm/tpm_tis_core.c index e3bf31b..aed92b3 100644 --- a/drivers/char/tpm/tpm_tis_core.c +++ b/drivers/char/tpm/tpm_tis_core.c @@ -186,6 +186,12 @@ static int recv_data(struct tpm_chip *chip, u8 *buf, size_t count) chip->timeout_c, &priv->read_queue, true) == 0) { burstcnt = min_t(int, get_burstcount(chip), count - size); + if (burstcnt < 0) { + dev_err(&chip->dev, + "Unable to read burstcount in %s:%d (%s)\n", + __FILE__, __LINE__, __func__); + return burstcnt; + } rc = tpm_tis_read_bytes(priv, TPM_DATA_FIFO(priv->locality), burstcnt, buf + size); @@ -272,6 +278,13 @@ static int tpm_tis_send_data(struct tpm_chip *chip, u8 *buf, size_t len) while (count < len - 1) { burstcnt = min_t(int, get_burstcount(chip), len - count - 1); + if (burstcnt < 0) { + dev_err(&chip->dev, + "Unable to read burstcount in %s:%d (%s)\n", + __FILE__, __LINE__, __func__); + rc = burstcnt; + goto out_err; + } rc = tpm_tis_write_bytes(priv, TPM_DATA_FIFO(priv->locality), burstcnt, buf + count); if (rc < 0)