summaryrefslogtreecommitdiff
path: root/drivers/char
diff options
context:
space:
mode:
authorJeremy Boone <jeremy.boone@nccgroup.trust>2018-02-08 23:31:16 +0300
committerJames Morris <james.morris@microsoft.com>2018-02-27 02:43:44 +0300
commitf9d4d9b5a5ef2f017bc344fb65a58a902517173b (patch)
tree61c7e930f780cd8e27a8c794821c6e9c5a6c7ab3 /drivers/char
parent6bb320ca4a4a7b5b3db8c8d7250cc40002046878 (diff)
downloadlinux-f9d4d9b5a5ef2f017bc344fb65a58a902517173b.tar.xz
tpm_i2c_nuvoton: fix potential buffer overruns caused by bit glitches on the bus
Discrete TPMs are often connected over slow serial buses which, on some platforms, can have glitches causing bit flips. In all the driver _recv() functions, we need to use a u32 to unmarshal the response size, otherwise a bit flip of the 31st bit would cause the expected variable to go negative, which would then try to read a huge amount of data. Also sanity check that the expected amount of data is large enough for the TPM header. Signed-off-by: Jeremy Boone <jeremy.boone@nccgroup.trust> Cc: stable@vger.kernel.org Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com> Reviewed-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com> Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com> Signed-off-by: James Morris <james.morris@microsoft.com>
Diffstat (limited to 'drivers/char')
-rw-r--r--drivers/char/tpm/tpm_i2c_nuvoton.c8
1 files changed, 6 insertions, 2 deletions
diff --git a/drivers/char/tpm/tpm_i2c_nuvoton.c b/drivers/char/tpm/tpm_i2c_nuvoton.c
index c6428771841f..caa86b19c76d 100644
--- a/drivers/char/tpm/tpm_i2c_nuvoton.c
+++ b/drivers/char/tpm/tpm_i2c_nuvoton.c
@@ -281,7 +281,11 @@ static int i2c_nuvoton_recv(struct tpm_chip *chip, u8 *buf, size_t count)
struct device *dev = chip->dev.parent;
struct i2c_client *client = to_i2c_client(dev);
s32 rc;
- int expected, status, burst_count, retries, size = 0;
+ int status;
+ int burst_count;
+ int retries;
+ int size = 0;
+ u32 expected;
if (count < TPM_HEADER_SIZE) {
i2c_nuvoton_ready(chip); /* return to idle */
@@ -323,7 +327,7 @@ static int i2c_nuvoton_recv(struct tpm_chip *chip, u8 *buf, size_t count)
* to machine native
*/
expected = be32_to_cpu(*(__be32 *) (buf + 2));
- if (expected > count) {
+ if (expected > count || expected < size) {
dev_err(dev, "%s() expected > count\n", __func__);
size = -EIO;
continue;