From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mga01.intel.com ([192.55.52.88]:27749 "EHLO mga01.intel.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S966842AbeCAKbe (ORCPT ); Thu, 1 Mar 2018 05:31:34 -0500 Date: Thu, 1 Mar 2018 12:31:30 +0200 From: Jarkko Sakkinen To: Eduardo Valentin Cc: gregkh@linuxfoundation.org, Alexander.Steffen@infineon.com, stable@vger.kernel.org Subject: Re: FAILED: patch "[PATCH] tpm-dev-common: Reject too short writes" failed to apply to 4.9-stable tree Message-ID: <20180301103130.GD32447@linux.intel.com> References: <151128317714777@kroah.com> <20180301004107.GA24313@u40b0340c692b58f6553c.ant.amazon.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20180301004107.GA24313@u40b0340c692b58f6553c.ant.amazon.com> Sender: stable-owner@vger.kernel.org List-ID: On Wed, Feb 28, 2018 at 04:41:07PM -0800, Eduardo Valentin wrote: > Greg, Folks, > > On Tue, Nov 21, 2017 at 05:52:57PM +0100, gregkh@linuxfoundation.org wrote: > > > > The patch below does not apply to the 4.9-stable tree. > > If someone wants it applied there, or to any other stable or longterm > > tree, then please email the backport, including the original git commit > > id to . > > > I noticed that this patch is in other stable branches, but not for 4.9.y. > The patch did not apply cleanly because the file name has changed. So, > I did the backport by simply applying on the filename current on 4.9.y. Looks correct to me. /Jarkko > > Patch will look like this: > > ---- > > From f16fa6209d65358ce26e159c5966d8a35e6ec602 Mon Sep 17 00:00:00 2001 > From: Alexander Steffen > Date: Fri, 8 Sep 2017 17:21:32 +0200 > Subject: [PATCH 1/1] tpm-dev-common: Reject too short writes > > tpm_transmit() does not offer an explicit interface to indicate the number > of valid bytes in the communication buffer. Instead, it relies on the > commandSize field in the TPM header that is encoded within the buffer. > Therefore, ensure that a) enough data has been written to the buffer, so > that the commandSize field is present and b) the commandSize field does not > announce more data than has been written to the buffer. > > This should have been fixed with CVE-2011-1161 long ago, but apparently > a correct version of that patch never made it into the kernel. > > Cc: stable@vger.kernel.org > Signed-off-by: Alexander Steffen > Reviewed-by: Jarkko Sakkinen > Tested-by: Jarkko Sakkinen > Signed-off-by: Jarkko Sakkinen > (cherry picked from commit ee70bc1e7b63ac8023c9ff9475d8741e397316e7) > Signed-off-by: Eduardo Valentin > --- > drivers/char/tpm/tpm-dev.c | 6 ++++++ > 1 file changed, 6 insertions(+) > > diff --git a/drivers/char/tpm/tpm-dev.c b/drivers/char/tpm/tpm-dev.c > index 912ad30..65b8249 100644 > --- a/drivers/char/tpm/tpm-dev.c > +++ b/drivers/char/tpm/tpm-dev.c > @@ -136,6 +136,12 @@ static ssize_t tpm_write(struct file *file, const char __user *buf, > return -EFAULT; > } > > + if (in_size < 6 || > + in_size < be32_to_cpu(*((__be32 *) (priv->data_buffer + 2)))) { > + mutex_unlock(&priv->buffer_mutex); > + return -EINVAL; > + } > + > /* atomic tpm command send and result receive. We only hold the ops > * lock during this period so that the tpm can be unregistered even if > * the char dev is held open. > -- > 2.7.4 >