From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1752052AbdASKpC (ORCPT ); Thu, 19 Jan 2017 05:45:02 -0500 Received: from mga11.intel.com ([192.55.52.93]:48004 "EHLO mga11.intel.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1752004AbdASKpB (ORCPT ); Thu, 19 Jan 2017 05:45:01 -0500 X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.33,253,1477983600"; d="scan'208";a="1096149031" Date: Thu, 19 Jan 2017 12:44:59 +0200 From: Jarkko Sakkinen To: Stefan Berger Cc: tpmdd-devel@lists.sourceforge.net, linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org Subject: Re: [PATCH v6] tpm: Check size of response before accessing data Message-ID: <20170119104459.4h27piyrksfgpnka@intel.com> References: <1484602871-20145-1-git-send-email-stefanb@linux.vnet.ibm.com> <20170117144905.4haeudj3v5ycohr3@intel.com> <20170118133646.uvbkt7d4blv2pdbn@intel.com> <33bb28b4-6dd5-8455-de44-12b2980006e1@linux.vnet.ibm.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <33bb28b4-6dd5-8455-de44-12b2980006e1@linux.vnet.ibm.com> Organization: Intel Finland Oy - BIC 0357606-4 - Westendinkatu 7, 02160 Espoo User-Agent: Mutt/1.6.2-neo (2016-08-21) Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Wed, Jan 18, 2017 at 08:53:19AM -0500, Stefan Berger wrote: > On 01/18/2017 08:36 AM, Jarkko Sakkinen wrote: > > On Tue, Jan 17, 2017 at 05:27:47PM -0500, Stefan Berger wrote: > > > On 01/17/2017 09:49 AM, Jarkko Sakkinen wrote: > > > > On Mon, Jan 16, 2017 at 04:41:11PM -0500, Stefan Berger wrote: > > > > > > > > > + * @min_rx_length: minimum expected length of response > > > > Please, rename as min_rsp_body_len and change the description > > > > accordingly. > > > > > > > > > * @flags: tpm transmit flags - bitmap > > > > > * @desc: command description used in the error message > > > > > * > > > > > @@ -434,25 +435,34 @@ ssize_t tpm_transmit(struct tpm_chip *chip, const u8 *buf, size_t bufsiz, > > > > > * A positive number for a TPM error. > > > > > */ > > > > > ssize_t tpm_transmit_cmd(struct tpm_chip *chip, const void *cmd, > > > > > - int len, unsigned int flags, const char *desc) > > > > > + size_t cmd_length, size_t min_rx_length, > > > > > + unsigned int flags, const char *desc) > > > > > { > > > > > const struct tpm_output_header *header; > > > > > int err; > > > > > + ssize_t len; > > > > > - len = tpm_transmit(chip, (const u8 *)cmd, len, flags); > > > > > + len = tpm_transmit(chip, (const u8 *)cmd, cmd_length, flags); > > > > > if (len < 0) > > > > > return len; > > > > > else if (len < TPM_HEADER_SIZE) > > > > > return -EFAULT; > > > > > header = cmd; > > > > > + if (len < be32_to_cpu(header->length)) > > > > > + return -EFAULT; > > > > > err = be32_to_cpu(header->return_code); > > > > > if (err != 0 && desc) > > > > > dev_err(&chip->dev, "A TPM error (%d) occurred %s\n", err, > > > > > desc); > > > > > + if (err) > > > > > + return err; > > > > > - return err; > > > > > + if (be32_to_cpu(header->length) < min_rx_length) > > > > > + return -EFAULT; > > > > > + > > > > > + return 0; > > > > > } > > > > > #define TPM_DIGEST_SIZE 20 > > > > > @@ -468,7 +478,7 @@ static const struct tpm_input_header tpm_getcap_header = { > > > > > }; > > > > > ssize_t tpm_getcap(struct tpm_chip *chip, u32 subcap_id, cap_t *cap, > > > > > - const char *desc) > > > > > + const char *desc, size_t min_cap_length) > > > > tpm_getcap update should be its own commit. > > > tpm_getcap needs to pass something as min_rsp_body_length to > > > tpm_transmit_cmd. What would it pass? > > I do not understand the problem. You are already > > > > TPM_HEADER_SIZE + min_cap_length > > When we make this two patches (commits), what would tpm_getcap pass to > tpm_transmit_cmd in the place of the min_rsp_body_length parameter? I don't > think it makes sense to split up this patch. Aaah. Sorry I didn't follow. You are correct. Lets keep it one patch. /Jarkko