Home Home > GIT Browse > openSUSE-15.0
summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorTakashi Iwai <tiwai@suse.de>2018-03-14 21:51:49 +0100
committerTakashi Iwai <tiwai@suse.de>2018-03-14 21:51:49 +0100
commit623211f158ef37462dea063ccc5b4e0b8df94406 (patch)
treec73801f063f403509b262db96053df4d0f03ccde
parent3c7fc3e42b975ba979f405b3dac3d86646a34e4f (diff)
parentcf3a7bbba3a9a660b66f0c98526c4cb3a6b09961 (diff)
Merge branch 'SLE12-SP3' into openSUSE-42.3rpm-4.4.120-45
-rw-r--r--patches.drivers/tpm-dev-common-Reject-too-short-writes.patch49
-rw-r--r--patches.drivers/tpm-fix-potential-buffer-overruns-caused-by-bit-glit.patch62
-rw-r--r--patches.drivers/tpm-st33zp24-fix-potential-buffer-overruns-caused-by.patch54
-rw-r--r--patches.drivers/tpm_i2c_infineon-fix-potential-buffer-overruns-cause.patch55
-rw-r--r--patches.drivers/tpm_i2c_nuvoton-fix-potential-buffer-overruns-caused.patch58
-rw-r--r--patches.drivers/tpm_tis-fix-potential-buffer-overruns-caused-by-bit-.patch56
-rw-r--r--series.conf6
7 files changed, 340 insertions, 0 deletions
diff --git a/patches.drivers/tpm-dev-common-Reject-too-short-writes.patch b/patches.drivers/tpm-dev-common-Reject-too-short-writes.patch
new file mode 100644
index 0000000000..2c6f2c8337
--- /dev/null
+++ b/patches.drivers/tpm-dev-common-Reject-too-short-writes.patch
@@ -0,0 +1,49 @@
+From ee70bc1e7b63ac8023c9ff9475d8741e397316e7 Mon Sep 17 00:00:00 2001
+From: Alexander Steffen <Alexander.Steffen@infineon.com>
+Date: Fri, 8 Sep 2017 17:21:32 +0200
+Subject: [PATCH] tpm-dev-common: Reject too short writes
+
+References: bsc#1020645, git-fixes
+Patch-mainline: v4.15-rc1
+Git-commit: ee70bc1e7b63ac8023c9ff9475d8741e397316e7
+
+tpm_transmit() does not offer an explicit interface to indicate the number
+of valid bytes in the communication buffer. Instead, it relies on the
+commandSize field in the TPM header that is encoded within the buffer.
+Therefore, ensure that a) enough data has been written to the buffer, so
+that the commandSize field is present and b) the commandSize field does not
+announce more data than has been written to the buffer.
+
+This should have been fixed with CVE-2011-1161 long ago, but apparently
+a correct version of that patch never made it into the kernel.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Alexander Steffen <Alexander.Steffen@infineon.com>
+Reviewed-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
+Tested-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
+Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
+Acked-by: Michal Suchanek <msuchanek@suse.de>
+---
+ drivers/char/tpm/tpm-dev.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/drivers/char/tpm/tpm-dev.c b/drivers/char/tpm/tpm-dev.c
+index 02a8850d3a69..31ad11a39894 100644
+--- a/drivers/char/tpm/tpm-dev.c
++++ b/drivers/char/tpm/tpm-dev.c
+@@ -139,6 +139,12 @@ static ssize_t tpm_write(struct file *file, const char __user *buf,
+ return -EFAULT;
+ }
+
++ if (in_size < 6 ||
++ in_size < be32_to_cpu(*((__be32 *) (priv->data_buffer + 2)))) {
++ mutex_unlock(&priv->buffer_mutex);
++ return -EINVAL;
++ }
++
+ /* atomic tpm command send and result receive. We only hold the ops
+ * lock during this period so that the tpm can be unregistered even if
+ * the char dev is held open.
+--
+2.13.6
+
diff --git a/patches.drivers/tpm-fix-potential-buffer-overruns-caused-by-bit-glit.patch b/patches.drivers/tpm-fix-potential-buffer-overruns-caused-by-bit-glit.patch
new file mode 100644
index 0000000000..4df6b69767
--- /dev/null
+++ b/patches.drivers/tpm-fix-potential-buffer-overruns-caused-by-bit-glit.patch
@@ -0,0 +1,62 @@
+From 3be23274755ee85771270a23af7691dc9b3a95db Mon Sep 17 00:00:00 2001
+From: Jeremy Boone <jeremy.boone@nccgroup.trust>
+Date: Thu, 8 Feb 2018 12:28:08 -0800
+Subject: [PATCH] tpm: fix potential buffer overruns caused by bit glitches on
+ the bus
+
+References: bsc#1020645, git-fixes
+Patch-mainline: v4.16-rc4
+Git-commit: 3be23274755ee85771270a23af7691dc9b3a95db
+
+Discrete TPMs are often connected over slow serial buses which, on
+some platforms, can have glitches causing bit flips. If a bit does
+flip it could cause an overrun if it's in one of the size parameters,
+so sanity check that we're not overrunning the provided buffer when
+doing a memcpy().
+
+Signed-off-by: Jeremy Boone <jeremy.boone@nccgroup.trust>
+Cc: stable@vger.kernel.org
+Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
+Reviewed-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
+Tested-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
+Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
+Signed-off-by: James Morris <james.morris@microsoft.com>
+Acked-by: Michal Suchanek <msuchanek@suse.de>
+---
+ drivers/char/tpm/tpm-interface.c | 4 ++++
+ drivers/char/tpm/tpm2-cmd.c | 4 ++++
+ 2 files changed, 8 insertions(+)
+
+diff --git a/drivers/char/tpm/tpm-interface.c b/drivers/char/tpm/tpm-interface.c
+index 76df4fbcf089..9e80a953d693 100644
+--- a/drivers/char/tpm/tpm-interface.c
++++ b/drivers/char/tpm/tpm-interface.c
+@@ -1190,6 +1190,10 @@ int tpm_get_random(struct tpm_chip *chip, u8 *out, size_t max)
+ break;
+
+ recd = be32_to_cpu(tpm_cmd.params.getrandom_out.rng_data_len);
++ if (recd > num_bytes) {
++ total = -EFAULT;
++ break;
++ }
+
+ rlength = be32_to_cpu(tpm_cmd.header.out.length);
+ if (rlength < offsetof(struct tpm_getrandom_out, rng_data) +
+diff --git a/drivers/char/tpm/tpm2-cmd.c b/drivers/char/tpm/tpm2-cmd.c
+index c17e75348a99..a700f8f9ead7 100644
+--- a/drivers/char/tpm/tpm2-cmd.c
++++ b/drivers/char/tpm/tpm2-cmd.c
+@@ -683,6 +683,10 @@ static int tpm2_unseal_cmd(struct tpm_chip *chip,
+ if (!rc) {
+ data_len = be16_to_cpup(
+ (__be16 *) &buf.data[TPM_HEADER_SIZE + 4]);
++ if (data_len < MIN_KEY_SIZE || data_len > MAX_KEY_SIZE + 1) {
++ rc = -EFAULT;
++ goto out;
++ }
+
+ rlength = be32_to_cpu(((struct tpm2_cmd *)&buf)
+ ->header.out.length);
+--
+2.13.6
+
diff --git a/patches.drivers/tpm-st33zp24-fix-potential-buffer-overruns-caused-by.patch b/patches.drivers/tpm-st33zp24-fix-potential-buffer-overruns-caused-by.patch
new file mode 100644
index 0000000000..68ac370d29
--- /dev/null
+++ b/patches.drivers/tpm-st33zp24-fix-potential-buffer-overruns-caused-by.patch
@@ -0,0 +1,54 @@
+From 6d24cd186d9fead3722108dec1b1c993354645ff Mon Sep 17 00:00:00 2001
+From: Jeremy Boone <jeremy.boone@nccgroup.trust>
+Date: Thu, 8 Feb 2018 12:29:09 -0800
+Subject: [PATCH] tpm: st33zp24: fix potential buffer overruns caused by bit
+ glitches on the bus
+
+References: bsc#1020645, git-fixes
+Patch-mainline: v4.16-rc4
+Git-commit: 6d24cd186d9fead3722108dec1b1c993354645ff
+
+Discrete TPMs are often connected over slow serial buses which, on
+some platforms, can have glitches causing bit flips. In all the
+driver _recv() functions, we need to use a u32 to unmarshal the
+response size, otherwise a bit flip of the 31st bit would cause the
+expected variable to go negative, which would then try to read a huge
+amount of data. Also sanity check that the expected amount of data is
+large enough for the TPM header.
+
+Signed-off-by: Jeremy Boone <jeremy.boone@nccgroup.trust>
+Cc: stable@vger.kernel.org
+Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
+Reviewed-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
+Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
+Signed-off-by: James Morris <james.morris@microsoft.com>
+Acked-by: Michal Suchanek <msuchanek@suse.de>
+---
+ drivers/char/tpm/st33zp24/st33zp24.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/char/tpm/st33zp24/st33zp24.c b/drivers/char/tpm/st33zp24/st33zp24.c
+index 4d1dc8b46877..f95b9c75175b 100644
+--- a/drivers/char/tpm/st33zp24/st33zp24.c
++++ b/drivers/char/tpm/st33zp24/st33zp24.c
+@@ -457,7 +457,7 @@ static int st33zp24_recv(struct tpm_chip *chip, unsigned char *buf,
+ size_t count)
+ {
+ int size = 0;
+- int expected;
++ u32 expected;
+
+ if (!chip)
+ return -EBUSY;
+@@ -474,7 +474,7 @@ static int st33zp24_recv(struct tpm_chip *chip, unsigned char *buf,
+ }
+
+ expected = be32_to_cpu(*(__be32 *)(buf + 2));
+- if (expected > count) {
++ if (expected > count || expected < TPM_HEADER_SIZE) {
+ size = -EIO;
+ goto out;
+ }
+--
+2.13.6
+
diff --git a/patches.drivers/tpm_i2c_infineon-fix-potential-buffer-overruns-cause.patch b/patches.drivers/tpm_i2c_infineon-fix-potential-buffer-overruns-cause.patch
new file mode 100644
index 0000000000..9a0cd92f0a
--- /dev/null
+++ b/patches.drivers/tpm_i2c_infineon-fix-potential-buffer-overruns-cause.patch
@@ -0,0 +1,55 @@
+From 9b8cb28d7c62568a5916bdd7ea1c9176d7f8f2ed Mon Sep 17 00:00:00 2001
+From: Jeremy Boone <jeremy.boone@nccgroup.trust>
+Date: Thu, 8 Feb 2018 12:30:01 -0800
+Subject: [PATCH] tpm_i2c_infineon: fix potential buffer overruns caused by bit
+ glitches on the bus
+
+References: bsc#1020645, git-fixes
+Patch-mainline: v4.16-rc4
+Git-commit: 9b8cb28d7c62568a5916bdd7ea1c9176d7f8f2ed
+
+Discrete TPMs are often connected over slow serial buses which, on
+some platforms, can have glitches causing bit flips. In all the
+driver _recv() functions, we need to use a u32 to unmarshal the
+response size, otherwise a bit flip of the 31st bit would cause the
+expected variable to go negative, which would then try to read a huge
+amount of data. Also sanity check that the expected amount of data is
+large enough for the TPM header.
+
+Signed-off-by: Jeremy Boone <jeremy.boone@nccgroup.trust>
+Cc: stable@vger.kernel.org
+Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
+Reviewed-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
+Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
+Signed-off-by: James Morris <james.morris@microsoft.com>
+Acked-by: Michal Suchanek <msuchanek@suse.de>
+---
+ drivers/char/tpm/tpm_i2c_infineon.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/char/tpm/tpm_i2c_infineon.c b/drivers/char/tpm/tpm_i2c_infineon.c
+index c1dd39eaaeeb..6116cd05e228 100644
+--- a/drivers/char/tpm/tpm_i2c_infineon.c
++++ b/drivers/char/tpm/tpm_i2c_infineon.c
+@@ -473,7 +473,8 @@ static int recv_data(struct tpm_chip *chip, u8 *buf, size_t count)
+ static int tpm_tis_i2c_recv(struct tpm_chip *chip, u8 *buf, size_t count)
+ {
+ int size = 0;
+- int expected, status;
++ int status;
++ u32 expected;
+
+ if (count < TPM_HEADER_SIZE) {
+ size = -EIO;
+@@ -488,7 +489,7 @@ static int tpm_tis_i2c_recv(struct tpm_chip *chip, u8 *buf, size_t count)
+ }
+
+ expected = be32_to_cpu(*(__be32 *)(buf + 2));
+- if ((size_t) expected > count) {
++ if (((size_t) expected > count) || (expected < TPM_HEADER_SIZE)) {
+ size = -EIO;
+ goto out;
+ }
+--
+2.13.6
+
diff --git a/patches.drivers/tpm_i2c_nuvoton-fix-potential-buffer-overruns-caused.patch b/patches.drivers/tpm_i2c_nuvoton-fix-potential-buffer-overruns-caused.patch
new file mode 100644
index 0000000000..3dbd856122
--- /dev/null
+++ b/patches.drivers/tpm_i2c_nuvoton-fix-potential-buffer-overruns-caused.patch
@@ -0,0 +1,58 @@
+From f9d4d9b5a5ef2f017bc344fb65a58a902517173b Mon Sep 17 00:00:00 2001
+From: Jeremy Boone <jeremy.boone@nccgroup.trust>
+Date: Thu, 8 Feb 2018 12:31:16 -0800
+Subject: [PATCH] tpm_i2c_nuvoton: fix potential buffer overruns caused by bit
+ glitches on the bus
+
+References: bsc#1020645, git-fixes
+Patch-mainline: v4.16-rc4
+Git-commit: f9d4d9b5a5ef2f017bc344fb65a58a902517173b
+
+Discrete TPMs are often connected over slow serial buses which, on
+some platforms, can have glitches causing bit flips. In all the
+driver _recv() functions, we need to use a u32 to unmarshal the
+response size, otherwise a bit flip of the 31st bit would cause the
+expected variable to go negative, which would then try to read a huge
+amount of data. Also sanity check that the expected amount of data is
+large enough for the TPM header.
+
+Signed-off-by: Jeremy Boone <jeremy.boone@nccgroup.trust>
+Cc: stable@vger.kernel.org
+Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
+Reviewed-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
+Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
+Signed-off-by: James Morris <james.morris@microsoft.com>
+Acked-by: Michal Suchanek <msuchanek@suse.de>
+---
+ drivers/char/tpm/tpm_i2c_nuvoton.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/char/tpm/tpm_i2c_nuvoton.c b/drivers/char/tpm/tpm_i2c_nuvoton.c
+index c6428771841f..caa86b19c76d 100644
+--- a/drivers/char/tpm/tpm_i2c_nuvoton.c
++++ b/drivers/char/tpm/tpm_i2c_nuvoton.c
+@@ -281,7 +281,11 @@ static int i2c_nuvoton_recv(struct tpm_chip *chip, u8 *buf, size_t count)
+ struct device *dev = chip->dev.parent;
+ struct i2c_client *client = to_i2c_client(dev);
+ s32 rc;
+- int expected, status, burst_count, retries, size = 0;
++ int status;
++ int burst_count;
++ int retries;
++ int size = 0;
++ u32 expected;
+
+ if (count < TPM_HEADER_SIZE) {
+ i2c_nuvoton_ready(chip); /* return to idle */
+@@ -323,7 +327,7 @@ static int i2c_nuvoton_recv(struct tpm_chip *chip, u8 *buf, size_t count)
+ * to machine native
+ */
+ expected = be32_to_cpu(*(__be32 *) (buf + 2));
+- if (expected > count) {
++ if (expected > count || expected < size) {
+ dev_err(dev, "%s() expected > count\n", __func__);
+ size = -EIO;
+ continue;
+--
+2.13.6
+
diff --git a/patches.drivers/tpm_tis-fix-potential-buffer-overruns-caused-by-bit-.patch b/patches.drivers/tpm_tis-fix-potential-buffer-overruns-caused-by-bit-.patch
new file mode 100644
index 0000000000..42e4885fb2
--- /dev/null
+++ b/patches.drivers/tpm_tis-fix-potential-buffer-overruns-caused-by-bit-.patch
@@ -0,0 +1,56 @@
+From 6bb320ca4a4a7b5b3db8c8d7250cc40002046878 Mon Sep 17 00:00:00 2001
+From: Jeremy Boone <jeremy.boone@nccgroup.trust>
+Date: Thu, 8 Feb 2018 12:32:06 -0800
+Subject: [PATCH] tpm_tis: fix potential buffer overruns caused by bit glitches
+ on the bus
+
+References: bsc#1020645, git-fixes
+Patch-mainline: v4.16-rc4
+Git-commit: 6bb320ca4a4a7b5b3db8c8d7250cc40002046878
+
+Discrete TPMs are often connected over slow serial buses which, on
+some platforms, can have glitches causing bit flips. In all the
+driver _recv() functions, we need to use a u32 to unmarshal the
+response size, otherwise a bit flip of the 31st bit would cause the
+expected variable to go negative, which would then try to read a huge
+amount of data. Also sanity check that the expected amount of data is
+large enough for the TPM header.
+
+Signed-off-by: Jeremy Boone <jeremy.boone@nccgroup.trust>
+Cc: stable@vger.kernel.org
+Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
+Tested-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
+Reviewed-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
+Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
+Signed-off-by: James Morris <james.morris@microsoft.com>
+Acked-by: Michal Suchanek <msuchanek@suse.de>
+---
+ drivers/char/tpm/tpm_tis_core.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/char/tpm/tpm_tis_core.c b/drivers/char/tpm/tpm_tis_core.c
+index 183a5f54d875..da074e3db19b 100644
+--- a/drivers/char/tpm/tpm_tis_core.c
++++ b/drivers/char/tpm/tpm_tis_core.c
+@@ -270,7 +270,8 @@ static int tpm_tis_recv(struct tpm_chip *chip, u8 *buf, size_t count)
+ {
+ struct tpm_tis_data *priv = dev_get_drvdata(&chip->dev);
+ int size = 0;
+- int expected, status;
++ int status;
++ u32 expected;
+
+ if (count < TPM_HEADER_SIZE) {
+ size = -EIO;
+@@ -285,7 +286,7 @@ static int tpm_tis_recv(struct tpm_chip *chip, u8 *buf, size_t count)
+ }
+
+ expected = be32_to_cpu(*(__be32 *) (buf + 2));
+- if (expected > count) {
++ if (expected > count || expected < TPM_HEADER_SIZE) {
+ size = -EIO;
+ goto out;
+ }
+--
+2.13.6
+
diff --git a/series.conf b/series.conf
index 818b448a63..d4d1548acf 100644
--- a/series.conf
+++ b/series.conf
@@ -19321,6 +19321,12 @@
patches.drivers/tpm-183-constify-transmit-data-pointers.patch
patches.drivers/tpm-184-kabi-do-not-bother-with-added-const.patch
patches.drivers/tpm-185-tis_spi-Use-DMA-safe-memory-for-SPI-transfers.patch
+ patches.drivers/tpm-dev-common-Reject-too-short-writes.patch
+ patches.drivers/tpm-st33zp24-fix-potential-buffer-overruns-caused-by.patch
+ patches.drivers/tpm-fix-potential-buffer-overruns-caused-by-bit-glit.patch
+ patches.drivers/tpm_i2c_infineon-fix-potential-buffer-overruns-cause.patch
+ patches.drivers/tpm_i2c_nuvoton-fix-potential-buffer-overruns-caused.patch
+ patches.drivers/tpm_tis-fix-potential-buffer-overruns-caused-by-bit-.patch
patches.arch/ACPICA-Update-TPM2-ACPI-table.patch