From: Greg Kroah-Hartman Date: Fri, 3 Jun 2022 16:21:07 +0000 (+0200) Subject: 5.4-stable patches X-Git-Tag: v4.9.317~17 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=4d28fd8a374158f6046e0f5139ae1e77c57aed81;p=thirdparty%2Fkernel%2Fstable-queue.git 5.4-stable patches added patches: tpm-fix-buffer-access-in-tpm2_get_tpm_pt.patch tpm-ibmvtpm-correct-the-return-value-in-tpm_ibmvtpm_probe.patch --- diff --git a/queue-5.4/series b/queue-5.4/series index ce99c1c0dc8..d6352cc591a 100644 --- a/queue-5.4/series +++ b/queue-5.4/series @@ -26,3 +26,5 @@ dm-stats-add-cond_resched-when-looping-over-entries.patch dm-verity-set-dm_target_immutable-feature-flag.patch raid5-introduce-md_broken.patch hid-multitouch-add-support-for-google-whiskers-touchpad.patch +tpm-fix-buffer-access-in-tpm2_get_tpm_pt.patch +tpm-ibmvtpm-correct-the-return-value-in-tpm_ibmvtpm_probe.patch diff --git a/queue-5.4/tpm-fix-buffer-access-in-tpm2_get_tpm_pt.patch b/queue-5.4/tpm-fix-buffer-access-in-tpm2_get_tpm_pt.patch new file mode 100644 index 00000000000..7386eab4bcd --- /dev/null +++ b/queue-5.4/tpm-fix-buffer-access-in-tpm2_get_tpm_pt.patch @@ -0,0 +1,46 @@ +From e57b2523bd37e6434f4e64c7a685e3715ad21e9a Mon Sep 17 00:00:00 2001 +From: Stefan Mahnke-Hartmann +Date: Fri, 13 May 2022 15:41:51 +0200 +Subject: tpm: Fix buffer access in tpm2_get_tpm_pt() + +From: Stefan Mahnke-Hartmann + +commit e57b2523bd37e6434f4e64c7a685e3715ad21e9a upstream. + +Under certain conditions uninitialized memory will be accessed. +As described by TCG Trusted Platform Module Library Specification, +rev. 1.59 (Part 3: Commands), if a TPM2_GetCapability is received, +requesting a capability, the TPM in field upgrade mode may return a +zero length list. +Check the property count in tpm2_get_tpm_pt(). + +Fixes: 2ab3241161b3 ("tpm: migrate tpm2_get_tpm_pt() to use struct tpm_buf") +Cc: stable@vger.kernel.org +Signed-off-by: Stefan Mahnke-Hartmann +Reviewed-by: Jarkko Sakkinen +Signed-off-by: Jarkko Sakkinen +Signed-off-by: Greg Kroah-Hartman +--- + drivers/char/tpm/tpm2-cmd.c | 11 ++++++++++- + 1 file changed, 10 insertions(+), 1 deletion(-) + +--- a/drivers/char/tpm/tpm2-cmd.c ++++ b/drivers/char/tpm/tpm2-cmd.c +@@ -706,7 +706,16 @@ ssize_t tpm2_get_tpm_pt(struct tpm_chip + if (!rc) { + out = (struct tpm2_get_cap_out *) + &buf.data[TPM_HEADER_SIZE]; +- *value = be32_to_cpu(out->value); ++ /* ++ * To prevent failing boot up of some systems, Infineon TPM2.0 ++ * returns SUCCESS on TPM2_Startup in field upgrade mode. Also ++ * the TPM2_Getcapability command returns a zero length list ++ * in field upgrade mode. ++ */ ++ if (be32_to_cpu(out->property_cnt) > 0) ++ *value = be32_to_cpu(out->value); ++ else ++ rc = -ENODATA; + } + tpm_buf_destroy(&buf); + return rc; diff --git a/queue-5.4/tpm-ibmvtpm-correct-the-return-value-in-tpm_ibmvtpm_probe.patch b/queue-5.4/tpm-ibmvtpm-correct-the-return-value-in-tpm_ibmvtpm_probe.patch new file mode 100644 index 00000000000..f2ae16dcb35 --- /dev/null +++ b/queue-5.4/tpm-ibmvtpm-correct-the-return-value-in-tpm_ibmvtpm_probe.patch @@ -0,0 +1,32 @@ +From d0dc1a7100f19121f6e7450f9cdda11926aa3838 Mon Sep 17 00:00:00 2001 +From: Xiu Jianfeng +Date: Fri, 18 Mar 2022 14:02:01 +0800 +Subject: tpm: ibmvtpm: Correct the return value in tpm_ibmvtpm_probe() + +From: Xiu Jianfeng + +commit d0dc1a7100f19121f6e7450f9cdda11926aa3838 upstream. + +Currently it returns zero when CRQ response timed out, it should return +an error code instead. + +Fixes: d8d74ea3c002 ("tpm: ibmvtpm: Wait for buffer to be set before proceeding") +Signed-off-by: Xiu Jianfeng +Reviewed-by: Stefan Berger +Acked-by: Jarkko Sakkinen +Signed-off-by: Jarkko Sakkinen +Signed-off-by: Greg Kroah-Hartman +--- + drivers/char/tpm/tpm_ibmvtpm.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/char/tpm/tpm_ibmvtpm.c ++++ b/drivers/char/tpm/tpm_ibmvtpm.c +@@ -685,6 +685,7 @@ static int tpm_ibmvtpm_probe(struct vio_ + if (!wait_event_timeout(ibmvtpm->crq_queue.wq, + ibmvtpm->rtce_buf != NULL, + HZ)) { ++ rc = -ENODEV; + dev_err(dev, "CRQ response timed out\n"); + goto init_irq_cleanup; + }