[PATCH v2] tpm: fix event_size output in tpm1_binary_bios_measurements

Linux kernel -stable discussions
 help / color / mirror / Atom feed

* [PATCH v2] tpm: fix event_size output in tpm1_binary_bios_measurements_show
@ 2026-05-22  9:44 Thorsten Blum
  2026-05-22 12:55 ` Jarkko Sakkinen
  0 siblings, 1 reply; 2+ messages in thread
From: Thorsten Blum @ 2026-05-22  9:44 UTC (permalink / raw)
  To: Peter Huewe, Jarkko Sakkinen, Jason Gunthorpe, Colin Ian King,
	Harald Hoyer
  Cc: Thorsten Blum, stable, linux-integrity, linux-kernel

Commit 186d124f07da ("tpm_eventlog.c: fix binary_bios_measurements")
split the output to write the endian-converted event header first and
then the variable-length event data.

However, the split was at sizeof(struct tcpa_event) - 1, even though
event_data was a zero-length array, and later a flexible array member,
both of which already excluded the event data.

Therefore, the current code writes the first three bytes of event_size
from the endian-converted header and then the last byte from the raw
header, which can emit a corrupted event_size on PPC64, where
do_endian_conversion() maps to be32_to_cpu().

Split one byte later to write the full endian-converted header first,
followed by the variable-length event->event_data.

Fixes: 186d124f07da ("tpm_eventlog.c: fix binary_bios_measurements")
Cc: stable@vger.kernel.org
Signed-off-by: Thorsten Blum <thorsten.blum@linux.dev>
---
Changes in v2:
- Minimal fix without using seq_write()
- v1: https://lore.kernel.org/lkml/20260521093639.162095-3-thorsten.blum@linux.dev/
---
 drivers/char/tpm/eventlog/tpm1.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/char/tpm/eventlog/tpm1.c b/drivers/char/tpm/eventlog/tpm1.c
index e7913b2853d5..0397e3361020 100644
--- a/drivers/char/tpm/eventlog/tpm1.c
+++ b/drivers/char/tpm/eventlog/tpm1.c
@@ -236,12 +236,12 @@ static int tpm1_binary_bios_measurements_show(struct seq_file *m, void *v)

 	temp_ptr = (char *) &temp_event;

-	for (i = 0; i < (sizeof(struct tcpa_event) - 1) ; i++)
+	for (i = 0; i < sizeof(struct tcpa_event); i++)
 		seq_putc(m, temp_ptr[i]);

 	temp_ptr = (char *) v;

-	for (i = (sizeof(struct tcpa_event) - 1);
+	for (i = sizeof(struct tcpa_event);
 	     i < (sizeof(struct tcpa_event) + temp_event.event_size); i++)
 		seq_putc(m, temp_ptr[i]);

^ permalink raw reply related	[flat|nested] 2+ messages in thread

* Re: [PATCH v2] tpm: fix event_size output in tpm1_binary_bios_measurements_show
  2026-05-22  9:44 [PATCH v2] tpm: fix event_size output in tpm1_binary_bios_measurements_show Thorsten Blum
@ 2026-05-22 12:55 ` Jarkko Sakkinen
  0 siblings, 0 replies; 2+ messages in thread
From: Jarkko Sakkinen @ 2026-05-22 12:55 UTC (permalink / raw)
  To: Thorsten Blum
  Cc: Peter Huewe, Jason Gunthorpe, Colin Ian King, Harald Hoyer,
	stable, linux-integrity, linux-kernel

On Fri, May 22, 2026 at 11:44:38AM +0200, Thorsten Blum wrote:
> Commit 186d124f07da ("tpm_eventlog.c: fix binary_bios_measurements")
> split the output to write the endian-converted event header first and
> then the variable-length event data.
> 
> However, the split was at sizeof(struct tcpa_event) - 1, even though
> event_data was a zero-length array, and later a flexible array member,
> both of which already excluded the event data.
> 
> Therefore, the current code writes the first three bytes of event_size
> from the endian-converted header and then the last byte from the raw
> header, which can emit a corrupted event_size on PPC64, where
> do_endian_conversion() maps to be32_to_cpu().
> 
> Split one byte later to write the full endian-converted header first,
> followed by the variable-length event->event_data.
> 
> Fixes: 186d124f07da ("tpm_eventlog.c: fix binary_bios_measurements")
> Cc: stable@vger.kernel.org
> Signed-off-by: Thorsten Blum <thorsten.blum@linux.dev>
> ---
> Changes in v2:
> - Minimal fix without using seq_write()
> - v1: https://lore.kernel.org/lkml/20260521093639.162095-3-thorsten.blum@linux.dev/
> ---
>  drivers/char/tpm/eventlog/tpm1.c | 4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)
> 
> diff --git a/drivers/char/tpm/eventlog/tpm1.c b/drivers/char/tpm/eventlog/tpm1.c
> index e7913b2853d5..0397e3361020 100644
> --- a/drivers/char/tpm/eventlog/tpm1.c
> +++ b/drivers/char/tpm/eventlog/tpm1.c
> @@ -236,12 +236,12 @@ static int tpm1_binary_bios_measurements_show(struct seq_file *m, void *v)
>  
>  	temp_ptr = (char *) &temp_event;
>  
> -	for (i = 0; i < (sizeof(struct tcpa_event) - 1) ; i++)
> +	for (i = 0; i < sizeof(struct tcpa_event); i++)
>  		seq_putc(m, temp_ptr[i]);
>  
>  	temp_ptr = (char *) v;
>  
> -	for (i = (sizeof(struct tcpa_event) - 1);
> +	for (i = sizeof(struct tcpa_event);
>  	     i < (sizeof(struct tcpa_event) + temp_event.event_size); i++)
>  		seq_putc(m, temp_ptr[i]);
>  

This was really good catch, thank you. I'll apply in a minute.

BR, Jarkko

^ permalink raw reply	[flat|nested] 2+ messages in thread

end of thread, other threads:[~2026-05-22 12:55 UTC | newest]

Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-05-22  9:44 [PATCH v2] tpm: fix event_size output in tpm1_binary_bios_measurements_show Thorsten Blum
2026-05-22 12:55 ` Jarkko Sakkinen

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox