* [PATCH] tpm: fix event_size output in tpm1_binary_bios_measurements_show
@ 2026-05-21 9:36 Thorsten Blum
2026-05-22 0:30 ` Jarkko Sakkinen
0 siblings, 1 reply; 2+ messages in thread
From: Thorsten Blum @ 2026-05-21 9:36 UTC (permalink / raw)
To: Peter Huewe, Jarkko Sakkinen, Jason Gunthorpe, Colin Ian King,
Harald Hoyer
Cc: Thorsten Blum, stable, linux-integrity, linux-kernel
Commit 186d124f07da ("tpm_eventlog.c: fix binary_bios_measurements")
split the output to write the endian-converted event header first and
then the variable-length event data.
However, the split was at sizeof(struct tcpa_event) - 1, even though
event_data was a zero-length array, and later a flexible array member,
both of which already excluded the event data.
Therefore, the current code writes the first three bytes of event_size
from the endian-converted header and then the last byte from the raw
header, which can emit a corrupted event_size on PPC64, where
do_endian_conversion() maps to be32_to_cpu().
Use seq_write() to write the full endian-converted header, followed by
the variable-length event->event_data.
Drop the obvious comment while at it.
Fixes: 186d124f07da ("tpm_eventlog.c: fix binary_bios_measurements")
Cc: stable@vger.kernel.org
Signed-off-by: Thorsten Blum <thorsten.blum@linux.dev>
---
drivers/char/tpm/eventlog/tpm1.c | 16 ++--------------
1 file changed, 2 insertions(+), 14 deletions(-)
diff --git a/drivers/char/tpm/eventlog/tpm1.c b/drivers/char/tpm/eventlog/tpm1.c
index e7913b2853d5..291720e89d91 100644
--- a/drivers/char/tpm/eventlog/tpm1.c
+++ b/drivers/char/tpm/eventlog/tpm1.c
@@ -224,29 +224,17 @@ static int tpm1_binary_bios_measurements_show(struct seq_file *m, void *v)
{
struct tcpa_event *event = v;
struct tcpa_event temp_event;
- char *temp_ptr;
- int i;
memcpy(&temp_event, event, sizeof(struct tcpa_event));
- /* convert raw integers for endianness */
temp_event.pcr_index = do_endian_conversion(event->pcr_index);
temp_event.event_type = do_endian_conversion(event->event_type);
temp_event.event_size = do_endian_conversion(event->event_size);
- temp_ptr = (char *) &temp_event;
-
- for (i = 0; i < (sizeof(struct tcpa_event) - 1) ; i++)
- seq_putc(m, temp_ptr[i]);
-
- temp_ptr = (char *) v;
-
- for (i = (sizeof(struct tcpa_event) - 1);
- i < (sizeof(struct tcpa_event) + temp_event.event_size); i++)
- seq_putc(m, temp_ptr[i]);
+ seq_write(m, &temp_event, sizeof(temp_event));
+ seq_write(m, event->event_data, temp_event.event_size);
return 0;
-
}
static int tpm1_ascii_bios_measurements_show(struct seq_file *m, void *v)
^ permalink raw reply related [flat|nested] 2+ messages in thread
* Re: [PATCH] tpm: fix event_size output in tpm1_binary_bios_measurements_show
2026-05-21 9:36 [PATCH] tpm: fix event_size output in tpm1_binary_bios_measurements_show Thorsten Blum
@ 2026-05-22 0:30 ` Jarkko Sakkinen
0 siblings, 0 replies; 2+ messages in thread
From: Jarkko Sakkinen @ 2026-05-22 0:30 UTC (permalink / raw)
To: Thorsten Blum
Cc: Peter Huewe, Jason Gunthorpe, Colin Ian King, Harald Hoyer,
stable, linux-integrity, linux-kernel
On Thu, May 21, 2026 at 11:36:39AM +0200, Thorsten Blum wrote:
> Commit 186d124f07da ("tpm_eventlog.c: fix binary_bios_measurements")
> split the output to write the endian-converted event header first and
> then the variable-length event data.
>
> However, the split was at sizeof(struct tcpa_event) - 1, even though
> event_data was a zero-length array, and later a flexible array member,
> both of which already excluded the event data.
>
> Therefore, the current code writes the first three bytes of event_size
> from the endian-converted header and then the last byte from the raw
> header, which can emit a corrupted event_size on PPC64, where
> do_endian_conversion() maps to be32_to_cpu().
>
> Use seq_write() to write the full endian-converted header, followed by
> the variable-length event->event_data.
>
> Drop the obvious comment while at it.
>
> Fixes: 186d124f07da ("tpm_eventlog.c: fix binary_bios_measurements")
> Cc: stable@vger.kernel.org
> Signed-off-by: Thorsten Blum <thorsten.blum@linux.dev>
> ---
> drivers/char/tpm/eventlog/tpm1.c | 16 ++--------------
> 1 file changed, 2 insertions(+), 14 deletions(-)
Got it, I think you're probably right.
>
> diff --git a/drivers/char/tpm/eventlog/tpm1.c b/drivers/char/tpm/eventlog/tpm1.c
> index e7913b2853d5..291720e89d91 100644
> --- a/drivers/char/tpm/eventlog/tpm1.c
> +++ b/drivers/char/tpm/eventlog/tpm1.c
> @@ -224,29 +224,17 @@ static int tpm1_binary_bios_measurements_show(struct seq_file *m, void *v)
> {
> struct tcpa_event *event = v;
> struct tcpa_event temp_event;
> - char *temp_ptr;
> - int i;
>
> memcpy(&temp_event, event, sizeof(struct tcpa_event));
>
> - /* convert raw integers for endianness */
spurious change
> temp_event.pcr_index = do_endian_conversion(event->pcr_index);
> temp_event.event_type = do_endian_conversion(event->event_type);
> temp_event.event_size = do_endian_conversion(event->event_size);
>
> - temp_ptr = (char *) &temp_event;
> -
> - for (i = 0; i < (sizeof(struct tcpa_event) - 1) ; i++)
> - seq_putc(m, temp_ptr[i]);
Why changing condition does not fix the bug? This could be just +-1 line
change.
> -
> - temp_ptr = (char *) v;
> -
> - for (i = (sizeof(struct tcpa_event) - 1);
> - i < (sizeof(struct tcpa_event) + temp_event.event_size); i++)
> - seq_putc(m, temp_ptr[i]);
> + seq_write(m, &temp_event, sizeof(temp_event));
> + seq_write(m, event->event_data, temp_event.event_size);
>
> return 0;
> -
> }
>
> static int tpm1_ascii_bios_measurements_show(struct seq_file *m, void *v)
BR, Jarkko
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2026-05-22 0:30 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-05-21 9:36 [PATCH] tpm: fix event_size output in tpm1_binary_bios_measurements_show Thorsten Blum
2026-05-22 0:30 ` Jarkko Sakkinen
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox