Home Home > GIT Browse
summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorMichal Suchanek <msuchanek@suse.de>2018-03-14 18:22:54 +0100
committerMichal Suchanek <msuchanek@suse.de>2018-03-14 18:23:00 +0100
commitcf3a7bbba3a9a660b66f0c98526c4cb3a6b09961 (patch)
tree7810722e35f262129686ab50dc301e530f52d225
parenta4fbb692be67aa3feb9c43d2ff0ccc8eec7391cf (diff)
tpm_tis: fix potential buffer overruns caused by bit glitchesrpm-4.4.120-94.17
on the bus (bsc#1020645, git-fixes).
-rw-r--r--patches.drivers/tpm_tis-fix-potential-buffer-overruns-caused-by-bit-.patch56
-rw-r--r--series.conf1
2 files changed, 57 insertions, 0 deletions
diff --git a/patches.drivers/tpm_tis-fix-potential-buffer-overruns-caused-by-bit-.patch b/patches.drivers/tpm_tis-fix-potential-buffer-overruns-caused-by-bit-.patch
new file mode 100644
index 0000000000..42e4885fb2
--- /dev/null
+++ b/patches.drivers/tpm_tis-fix-potential-buffer-overruns-caused-by-bit-.patch
@@ -0,0 +1,56 @@
+From 6bb320ca4a4a7b5b3db8c8d7250cc40002046878 Mon Sep 17 00:00:00 2001
+From: Jeremy Boone <jeremy.boone@nccgroup.trust>
+Date: Thu, 8 Feb 2018 12:32:06 -0800
+Subject: [PATCH] tpm_tis: fix potential buffer overruns caused by bit glitches
+ on the bus
+
+References: bsc#1020645, git-fixes
+Patch-mainline: v4.16-rc4
+Git-commit: 6bb320ca4a4a7b5b3db8c8d7250cc40002046878
+
+Discrete TPMs are often connected over slow serial buses which, on
+some platforms, can have glitches causing bit flips. In all the
+driver _recv() functions, we need to use a u32 to unmarshal the
+response size, otherwise a bit flip of the 31st bit would cause the
+expected variable to go negative, which would then try to read a huge
+amount of data. Also sanity check that the expected amount of data is
+large enough for the TPM header.
+
+Signed-off-by: Jeremy Boone <jeremy.boone@nccgroup.trust>
+Cc: stable@vger.kernel.org
+Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
+Tested-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
+Reviewed-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
+Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
+Signed-off-by: James Morris <james.morris@microsoft.com>
+Acked-by: Michal Suchanek <msuchanek@suse.de>
+---
+ drivers/char/tpm/tpm_tis_core.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/char/tpm/tpm_tis_core.c b/drivers/char/tpm/tpm_tis_core.c
+index 183a5f54d875..da074e3db19b 100644
+--- a/drivers/char/tpm/tpm_tis_core.c
++++ b/drivers/char/tpm/tpm_tis_core.c
+@@ -270,7 +270,8 @@ static int tpm_tis_recv(struct tpm_chip *chip, u8 *buf, size_t count)
+ {
+ struct tpm_tis_data *priv = dev_get_drvdata(&chip->dev);
+ int size = 0;
+- int expected, status;
++ int status;
++ u32 expected;
+
+ if (count < TPM_HEADER_SIZE) {
+ size = -EIO;
+@@ -285,7 +286,7 @@ static int tpm_tis_recv(struct tpm_chip *chip, u8 *buf, size_t count)
+ }
+
+ expected = be32_to_cpu(*(__be32 *) (buf + 2));
+- if (expected > count) {
++ if (expected > count || expected < TPM_HEADER_SIZE) {
+ size = -EIO;
+ goto out;
+ }
+--
+2.13.6
+
diff --git a/series.conf b/series.conf
index 88b09ee3eb..fe07acaa58 100644
--- a/series.conf
+++ b/series.conf
@@ -19327,6 +19327,7 @@
patches.drivers/tpm-fix-potential-buffer-overruns-caused-by-bit-glit.patch
patches.drivers/tpm_i2c_infineon-fix-potential-buffer-overruns-cause.patch
patches.drivers/tpm_i2c_nuvoton-fix-potential-buffer-overruns-caused.patch
+ patches.drivers/tpm_tis-fix-potential-buffer-overruns-caused-by-bit-.patch
patches.arch/ACPICA-Update-TPM2-ACPI-table.patch