From mboxrd@z Thu Jan 1 00:00:00 1970 From: Jason Gunthorpe Subject: Re: [PATCH] tpm: check size of response before accessing data Date: Mon, 9 Jan 2017 09:15:25 -0700 Message-ID: <20170109161525.GA13903@obsidianresearch.com> References: <1483618284-3470-1-git-send-email-stefanb@linux.vnet.ibm.com> <20170109160538.gwvksj253wl2v5oy@intel.com> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Return-path: Content-Disposition: inline In-Reply-To: <20170109160538.gwvksj253wl2v5oy-ral2JQCrhuEAvxtiuMwx3w@public.gmane.org> List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: tpmdd-devel-bounces-5NWGOfrQmneRv+LV9MX5uipxlwaOVQ5f@public.gmane.org To: Jarkko Sakkinen Cc: linux-security-module-u79uwXL29TY76Z2rM5mHXA@public.gmane.org, tpmdd-devel-5NWGOfrQmneRv+LV9MX5uipxlwaOVQ5f@public.gmane.org List-Id: tpmdd-devel@lists.sourceforge.net On Mon, Jan 09, 2017 at 06:05:38PM +0200, Jarkko Sakkinen wrote: > On Thu, Jan 05, 2017 at 07:11:24AM -0500, Stefan Berger wrote: > > Check the size of the response before accesing data in > > the response packet. This is to avoid accessing data beyond > > the end of the response. > > > > Signed-off-by: Stefan Berger > > How on earth this could happen if we request only one property? His (software) TPM is broken. Now that we have the vtpm stuff it is super-critical that the kernel unmarshal path be bomb proof - it needs to treat the TPM itself as a hostile entity. You should look at all of it and make sure the proper bounds checks are done, multiples can't overflow, and so forth. Jason ------------------------------------------------------------------------------ Check out the vibrant tech community on one of the world's most engaging tech sites, SlashDot.org! http://sdm.link/slashdot