From mboxrd@z Thu Jan 1 00:00:00 1970
Return-Path:
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1753972AbdIETGF (ORCPT ); Tue, 5 Sep 2017 15:06:05 -0400
Received: from mga04.intel.com ([192.55.52.120]:47508 "EHLO mga04.intel.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1752327AbdIETGA (ORCPT ); Tue, 5 Sep 2017 15:06:00 -0400
X-ExtLoop1: 1
X-IronPort-AV: E=Sophos;i="5.41,480,1498546800"; d="scan'208";a="145775529"
Date: Tue, 5 Sep 2017 22:05:55 +0300
From: Jarkko Sakkinen
To: Alexander Steffen
Cc: tpmdd-devel@lists.sourceforge.net, linux-kernel@vger.kernel.org, linux-security-module@vger.kernel.org, stable@vger.kernel.org
Subject: Re: [PATCH v2] tpm-dev-common: Reject too short writes
Message-ID: <20170905190555.gfnpoohbptbjvbg3@linux.intel.com>
References: <20170904173642.5988-1-Alexander.Steffen@infineon.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20170904173642.5988-1-Alexander.Steffen@infineon.com>
Organization: Intel Finland Oy - BIC 0357606-4 - Westendinkatu 7, 02160 Espoo
User-Agent: NeoMutt/20170609 (1.8.3)
Sender: linux-kernel-owner@vger.kernel.org
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org

On Mon, Sep 04, 2017 at 07:36:42PM +0200, Alexander Steffen wrote:
> tpm_transmit() does not offer an explicit interface to indicate the number
> of valid bytes in the communication buffer. Instead, it relies on the
> commandSize field in the TPM header that is encoded within the buffer.
> Therefore, ensure that a) enough data has been written to the buffer, so
> that the commandSize field is present and b) the commandSize field does not
> announce more data than has been written to the buffer.
>
> This should have been fixed with CVE-2011-1161 long ago, but apparently
> a correct version of that patch never made it into the kernel.
>
> Cc: stable@vger.kernel.org
> Signed-off-by: Alexander Steffen > --- > v2: > - Moved all changes to tpm_common_write in a single patch. > > drivers/char/tpm/tpm-dev-common.c | 3 ++- > 1 file changed, 2 insertions(+), 1 deletion(-) > > diff --git a/drivers/char/tpm/tpm-dev-common.c b/drivers/char/tpm/tpm-dev-common.c > index 610638a..ac25574 100644 > --- a/drivers/char/tpm/tpm-dev-common.c > +++ b/drivers/char/tpm/tpm-dev-common.c > @@ -99,7 +99,8 @@ ssize_t tpm_common_write(struct file *file, const char __user *buf, > if (atomic_read(&priv->data_pending) != 0) > return -EBUSY; > > - if (in_size > TPM_BUFSIZE) > + if (in_size > sizeof(priv->data_buffer) || in_size < 6 || > + in_size < be32_to_cpu(*((__be32 *) (buf + 2)))) > return -E2BIG; > > mutex_lock(&priv->buffer_mutex); > -- > 2.7.4 > Reviewed-by: Jarkko Sakkinen There's now some delay getting patches to my git tree because next week is conference week and I have lots of stuff to do before I depart Finland. I'm sorry about that. At latest I push these during the plane trip (I can remotely access test machines with plane internet connection, not the first time I'm doing this). /Jarkko
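
Review bot: in the tpm_common_write() hunk, the new condition reads commandSize with `be32_to_cpu(*((__be32 *) (buf + 2)))`, but `buf` is the `const char __user *` argument shown in the hunk header, so this dereferences a user-space pointer directly from kernel code. Do the commandSize comparison on the kernel-side copy in `priv->data_buffer` once the data has been copied in, which also removes a second fetch of a value user space could change between the check and the copy. The load at offset 2 is not 4-byte aligned, so `get_unaligned_be32()` would be safer than the cast. Two smaller points: the bare `6` deserves a named constant or a comment saying it covers the 2-byte tag plus the 4-byte commandSize, and `-E2BIG` is a misleading return for a write that is too short; `-EINVAL` would fit the two new cases better.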