From: Jarkko Sakkinen <jarkko@kernel.org>
To: stable@vger.kernel.org
Cc: linux-integrity@vger.kernel.org, Jonathan McDowell <noodles@meta.com>
Subject: Re: [PATCH] tpm2-sessions: Fix out of range indexing in name_size
Date: Thu, 8 Jan 2026 14:33:19 +0200
Message-ID: <aV-kD5iKi9fwluU0@kernel.org>
In-Reply-To: <20260108123159.1008858-1-jarkko@kernel.org>

On Thu, Jan 08, 2026 at 02:31:59PM +0200, Jarkko Sakkinen wrote:
> [ Upstream commit 6e9722e9a7bfe1bbad649937c811076acf86e1fd ]
> 
> 'name_size' does not have any range checks, and it just directly indexes
> with TPM_ALG_ID, which could lead into memory corruption at worst.
> 
> Address the issue by only processing known values and returning -EINVAL for
> unrecognized values.
> 
> Make also 'tpm_buf_append_name' and 'tpm_buf_fill_hmac_session' fallible so
> that errors are detected before causing any spurious TPM traffic.
> 
> End also the authorization session on failure in both of the functions, as
> the session state would be then by definition corrupted.
> 
> Cc: stable@vger.kernel.org # v6.10+
> Fixes: 1085b8276bb4 ("tpm: Add the rest of the session HMAC API")
> Reviewed-by: Jonathan McDowell <noodles@meta.com>
> Signed-off-by: Jarkko Sakkinen <jarkko@kernel.org>
> ---

This is for v6.12.

BR, Jarkko
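
An added illustration of the pattern the quoted commit message describes, not the kernel's code and not part of the patch: the name length is derived only from recognized algorithm IDs, and the append step fails before touching the command buffer. The names `checked_name_size`, `append_name` and `struct cmd_buf` are hypothetical stand-ins.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* TPM_ALG_ID values from the TCG algorithm registry. */
#define ALG_SHA1   0x0004
#define ALG_SHA256 0x000B
#define ALG_SHA384 0x000C
#define ALG_SHA512 0x000D

/*
 * Hypothetical helper. A TPM name is a 2-byte big-endian algorithm ID
 * followed by a digest. Only known IDs yield a size; anything else is
 * -EINVAL, so the ID is never used as an array index.
 */
static int checked_name_size(const uint8_t *name)
{
	uint16_t alg = (uint16_t)((name[0] << 8) | name[1]);

	switch (alg) {
	case ALG_SHA1:   return 2 + 20;
	case ALG_SHA256: return 2 + 32;
	case ALG_SHA384: return 2 + 48;
	case ALG_SHA512: return 2 + 64;
	default:         return -EINVAL;
	}
}

/* Hypothetical command buffer standing in for the kernel's tpm_buf. */
struct cmd_buf {
	uint8_t data[128];
	size_t len;
};

/* Fallible append: validate first so a bad name never enters the buffer. */
static int append_name(struct cmd_buf *buf, const uint8_t *name)
{
	int size = checked_name_size(name);

	if (size < 0)
		return size;
	if ((size_t)size > sizeof(buf->data) - buf->len)
		return -E2BIG;
	memcpy(buf->data + buf->len, name, (size_t)size);
	buf->len += (size_t)size;
	return 0;
}
```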


Thread overview: 4+ messages
2026-01-08 12:31 [PATCH] tpm2-sessions: Fix out of range indexing in name_size Jarkko Sakkinen
2026-01-08 12:33 ` Jarkko Sakkinen [this message]
2026-01-09  9:45   ` Greg KH
2026-01-14 16:21     ` Jarkko Sakkinen
