[thirdparty/kernel/stable-queue.git] / releases / 4.9.30 / tpm_crb-check-for-bad-response-size.patch

From 8569defde8057258835c51ce01a33de82e14b148 Mon Sep 17 00:00:00 2001
From: Jerry Snitselaar <jsnitsel@redhat.com>
Date: Fri, 10 Mar 2017 17:46:04 -0700
Subject: tpm_crb: check for bad response size

From: Jerry Snitselaar <jsnitsel@redhat.com>

commit 8569defde8057258835c51ce01a33de82e14b148 upstream.

Make sure size of response buffer is at least 6 bytes, or
we will underflow and pass large size_t to memcpy_fromio().
This was encountered while testing earlier version of
locality patchset.

Fixes: 30fc8d138e912 ("tpm: TPM 2.0 CRB Interface")
Signed-off-by: Jerry Snitselaar <jsnitsel@redhat.com>
Reviewed-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/char/tpm/tpm_crb.c |    3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

--- a/drivers/char/tpm/tpm_crb.c
+++ b/drivers/char/tpm/tpm_crb.c
@@ -111,8 +111,7 @@ static int crb_recv(struct tpm_chip *chi
 
 	memcpy_fromio(buf, priv->rsp, 6);
 	expected = be32_to_cpup((__be32 *) &buf[2]);
-
-	if (expected > count)
+	if (expected > count || expected < 6)
 		return -EIO;
 
 	memcpy_fromio(&buf[6], &priv->rsp[6], expected - 6);
Commit	Line	Data
208fc782 GKH	1	From 8569defde8057258835c51ce01a33de82e14b148 Mon Sep 17 00:00:00 2001
	2	From: Jerry Snitselaar <jsnitsel@redhat.com>
	3	Date: Fri, 10 Mar 2017 17:46:04 -0700
	4	Subject: tpm_crb: check for bad response size
	5
	6	From: Jerry Snitselaar <jsnitsel@redhat.com>
	7
	8	commit 8569defde8057258835c51ce01a33de82e14b148 upstream.
	9
	10	Make sure size of response buffer is at least 6 bytes, or
	11	we will underflow and pass large size_t to memcpy_fromio().
	12	This was encountered while testing earlier version of
	13	locality patchset.
	14
	15	Fixes: 30fc8d138e912 ("tpm: TPM 2.0 CRB Interface")
	16	Signed-off-by: Jerry Snitselaar <jsnitsel@redhat.com>
	17	Reviewed-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
	18	Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
	19	Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	20
	21	---
	22	drivers/char/tpm/tpm_crb.c \| 3 +--
	23	1 file changed, 1 insertion(+), 2 deletions(-)
	24
	25	--- a/drivers/char/tpm/tpm_crb.c
	26	+++ b/drivers/char/tpm/tpm_crb.c
	27	@@ -111,8 +111,7 @@ static int crb_recv(struct tpm_chip *chi
	28
	29	memcpy_fromio(buf, priv->rsp, 6);
	30	expected = be32_to_cpup((__be32 *) &buf[2]);
	31	-
	32	- if (expected > count)
	33	+ if (expected > count \|\| expected < 6)
	34	return -EIO;
	35
	36	memcpy_fromio(&buf[6], &priv->rsp[6], expected - 6);