Home Home > GIT Browse > openSUSE-15.0
summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorMichal Suchanek <msuchanek@suse.de>2018-03-14 18:22:54 +0100
committerMichal Suchanek <msuchanek@suse.de>2018-03-14 18:23:00 +0100
commita4fbb692be67aa3feb9c43d2ff0ccc8eec7391cf (patch)
treed8bf314bf1469c240b449eaeb8ca2e8949b44078
parentc1634c03679b062fbd36b8954dbc3f802507602e (diff)
tpm_i2c_nuvoton: fix potential buffer overruns caused by bit
glitches on the bus (bsc#1020645, git-fixes).
-rw-r--r--patches.drivers/tpm_i2c_nuvoton-fix-potential-buffer-overruns-caused.patch58
-rw-r--r--series.conf1
2 files changed, 59 insertions, 0 deletions
diff --git a/patches.drivers/tpm_i2c_nuvoton-fix-potential-buffer-overruns-caused.patch b/patches.drivers/tpm_i2c_nuvoton-fix-potential-buffer-overruns-caused.patch
new file mode 100644
index 0000000000..3dbd856122
--- /dev/null
+++ b/patches.drivers/tpm_i2c_nuvoton-fix-potential-buffer-overruns-caused.patch
@@ -0,0 +1,58 @@
+From f9d4d9b5a5ef2f017bc344fb65a58a902517173b Mon Sep 17 00:00:00 2001
+From: Jeremy Boone <jeremy.boone@nccgroup.trust>
+Date: Thu, 8 Feb 2018 12:31:16 -0800
+Subject: [PATCH] tpm_i2c_nuvoton: fix potential buffer overruns caused by bit
+ glitches on the bus
+
+References: bsc#1020645, git-fixes
+Patch-mainline: v4.16-rc4
+Git-commit: f9d4d9b5a5ef2f017bc344fb65a58a902517173b
+
+Discrete TPMs are often connected over slow serial buses which, on
+some platforms, can have glitches causing bit flips. In all the
+driver _recv() functions, we need to use a u32 to unmarshal the
+response size, otherwise a bit flip of the 31st bit would cause the
+expected variable to go negative, which would then try to read a huge
+amount of data. Also sanity check that the expected amount of data is
+large enough for the TPM header.
+
+Signed-off-by: Jeremy Boone <jeremy.boone@nccgroup.trust>
+Cc: stable@vger.kernel.org
+Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
+Reviewed-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
+Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
+Signed-off-by: James Morris <james.morris@microsoft.com>
+Acked-by: Michal Suchanek <msuchanek@suse.de>
+---
+ drivers/char/tpm/tpm_i2c_nuvoton.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/char/tpm/tpm_i2c_nuvoton.c b/drivers/char/tpm/tpm_i2c_nuvoton.c
+index c6428771841f..caa86b19c76d 100644
+--- a/drivers/char/tpm/tpm_i2c_nuvoton.c
++++ b/drivers/char/tpm/tpm_i2c_nuvoton.c
+@@ -281,7 +281,11 @@ static int i2c_nuvoton_recv(struct tpm_chip *chip, u8 *buf, size_t count)
+ struct device *dev = chip->dev.parent;
+ struct i2c_client *client = to_i2c_client(dev);
+ s32 rc;
+- int expected, status, burst_count, retries, size = 0;
++ int status;
++ int burst_count;
++ int retries;
++ int size = 0;
++ u32 expected;
+
+ if (count < TPM_HEADER_SIZE) {
+ i2c_nuvoton_ready(chip); /* return to idle */
+@@ -323,7 +327,7 @@ static int i2c_nuvoton_recv(struct tpm_chip *chip, u8 *buf, size_t count)
+ * to machine native
+ */
+ expected = be32_to_cpu(*(__be32 *) (buf + 2));
+- if (expected > count) {
++ if (expected > count || expected < size) {
+ dev_err(dev, "%s() expected > count\n", __func__);
+ size = -EIO;
+ continue;
+--
+2.13.6
+
diff --git a/series.conf b/series.conf
index 812490ad92..88b09ee3eb 100644
--- a/series.conf
+++ b/series.conf
@@ -19326,6 +19326,7 @@
patches.drivers/tpm-st33zp24-fix-potential-buffer-overruns-caused-by.patch
patches.drivers/tpm-fix-potential-buffer-overruns-caused-by-bit-glit.patch
patches.drivers/tpm_i2c_infineon-fix-potential-buffer-overruns-cause.patch
+ patches.drivers/tpm_i2c_nuvoton-fix-potential-buffer-overruns-caused.patch
patches.arch/ACPICA-Update-TPM2-ACPI-table.patch