]>
Commit | Line | Data |
---|---|---|
208fc782 GKH |
1 | From 8569defde8057258835c51ce01a33de82e14b148 Mon Sep 17 00:00:00 2001 |
2 | From: Jerry Snitselaar <jsnitsel@redhat.com> | |
3 | Date: Fri, 10 Mar 2017 17:46:04 -0700 | |
4 | Subject: tpm_crb: check for bad response size | |
5 | ||
6 | From: Jerry Snitselaar <jsnitsel@redhat.com> | |
7 | ||
8 | commit 8569defde8057258835c51ce01a33de82e14b148 upstream. | |
9 | ||
10 | Make sure size of response buffer is at least 6 bytes, or | |
11 | we will underflow and pass large size_t to memcpy_fromio(). | |
12 | This was encountered while testing earlier version of | |
13 | locality patchset. | |
14 | ||
15 | Fixes: 30fc8d138e912 ("tpm: TPM 2.0 CRB Interface") | |
16 | Signed-off-by: Jerry Snitselaar <jsnitsel@redhat.com> | |
17 | Reviewed-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com> | |
18 | Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com> | |
19 | Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> | |
20 | ||
21 | --- | |
22 | drivers/char/tpm/tpm_crb.c | 3 +-- | |
23 | 1 file changed, 1 insertion(+), 2 deletions(-) | |
24 | ||
25 | --- a/drivers/char/tpm/tpm_crb.c | |
26 | +++ b/drivers/char/tpm/tpm_crb.c | |
27 | @@ -111,8 +111,7 @@ static int crb_recv(struct tpm_chip *chi | |
28 | ||
29 | memcpy_fromio(buf, priv->rsp, 6); | |
30 | expected = be32_to_cpup((__be32 *) &buf[2]); | |
31 | - | |
32 | - if (expected > count) | |
33 | + if (expected > count || expected < 6) | |
34 | return -EIO; | |
35 | ||
36 | memcpy_fromio(&buf[6], &priv->rsp[6], expected - 6); |