From: Kees Cook <keescook@chromium.org>
To: Stefan Berger <stefanb@linux.ibm.com>
Cc: Peter Huewe <peterhuewe@gmx.de>,
Jarkko Sakkinen <jarkko@kernel.org>,
Jason Gunthorpe <jgg@ziepe.ca>,
linux-integrity@vger.kernel.org, linux-kernel@vger.kernel.org,
linux-hardening@vger.kernel.org
Subject: Re: [PATCH] tpm: vtpm_proxy: Avoid device-originated buffer overflow
Date: Tue, 18 Jan 2022 10:35:33 -0800 [thread overview]
Message-ID: <202201181035.2CF27A0262@keescook> (raw)
In-Reply-To: <4b59d305-6858-1514-751a-37853ad777be@linux.ibm.com>
On Thu, Jan 13, 2022 at 04:19:32PM -0500, Stefan Berger wrote:
> I just want to clarify this. In vtpm_proxy_tpm_op_send() we have the only
> place that sets req_len to a value larger than 0:
>
> static int vtpm_proxy_tpm_op_send(struct tpm_chip *chip, u8 *buf, size_t
> count)
> {
> struct proxy_dev *proxy_dev = dev_get_drvdata(&chip->dev);
>
> if (count > sizeof(proxy_dev->buffer)) {
> dev_err(&chip->dev,
> "Invalid size in send: count=%zd, buffer size=%zd\n",
> count, sizeof(proxy_dev->buffer));
> return -EIO;
> }
>
> [...]
>
> proxy_dev->req_len = count;
> memcpy(proxy_dev->buffer, buf, count);
>
> [...]
>
> }
>
>
> The above makes sure that we cannot copy more bytes into the
> proxy_dev->buffer than the what the buffer has bytes for.
>
> It then sets req_len to a valid value that is less or equal to the buffer
> size.
>
> Considering this your check above seems to only be there to make the
> compiler happy but otherwise I don't see that this is a real problem with a
> buffer overflow?!
>
> Nevertheless, let all those compilers be happy:
>
> Reviewed-by: Stefan Berger <stefanb@linux.ibm.com>
Ah yes, thanks! I'll reword the commit log for v2. :)
--
Kees Cook
prev parent reply other threads:[~2022-01-18 18:35 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-01-13 0:27 [PATCH] tpm: vtpm_proxy: Avoid device-originated buffer overflow Kees Cook
2022-01-13 21:19 ` Stefan Berger
2022-01-18 18:35 ` Kees Cook [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=202201181035.2CF27A0262@keescook \
--to=keescook@chromium.org \
--cc=jarkko@kernel.org \
--cc=jgg@ziepe.ca \
--cc=linux-hardening@vger.kernel.org \
--cc=linux-integrity@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=peterhuewe@gmx.de \
--cc=stefanb@linux.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.