From 59382916c481bf87627c79cbf06bca00bf96f497 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Tue, 6 Mar 2018 10:25:54 -0800
Subject: [PATCH] 4.4-stable patches
added patches:
tpm-st33zp24-fix-potential-buffer-overruns-caused-by-bit-glitches-on-the-bus.patch
tpm_i2c_infineon-fix-potential-buffer-overruns-caused-by-bit-glitches-on-the-bus.patch
tpm_i2c_nuvoton-fix-potential-buffer-overruns-caused-by-bit-glitches-on-the-bus.patch
---
queue-4.4/series | 3 ++
...ns-caused-by-bit-glitches-on-the-bus.patch | 49 +++++++++++++++++
...ns-caused-by-bit-glitches-on-the-bus.patch | 50 +++++++++++++++++
...ns-caused-by-bit-glitches-on-the-bus.patch | 53 +++++++++++++++++++
4 files changed, 155 insertions(+)
create mode 100644 queue-4.4/tpm-st33zp24-fix-potential-buffer-overruns-caused-by-bit-glitches-on-the-bus.patch
create mode 100644 queue-4.4/tpm_i2c_infineon-fix-potential-buffer-overruns-caused-by-bit-glitches-on-the-bus.patch
create mode 100644 queue-4.4/tpm_i2c_nuvoton-fix-potential-buffer-overruns-caused-by-bit-glitches-on-the-bus.patch
diff --git a/queue-4.4/series b/queue-4.4/series
index 14ea8ac7a17..cedd945ef8e 100644
--- a/queue-4.4/series
+++ b/queue-4.4/series
@@ -1 +1,4 @@
 bluetooth-btusb-use-dmi-matching-for-qca-reset_resume-quirking.patch
+tpm-st33zp24-fix-potential-buffer-overruns-caused-by-bit-glitches-on-the-bus.patch
+tpm_i2c_infineon-fix-potential-buffer-overruns-caused-by-bit-glitches-on-the-bus.patch
+tpm_i2c_nuvoton-fix-potential-buffer-overruns-caused-by-bit-glitches-on-the-bus.patch
diff --git a/queue-4.4/tpm-st33zp24-fix-potential-buffer-overruns-caused-by-bit-glitches-on-the-bus.patch b/queue-4.4/tpm-st33zp24-fix-potential-buffer-overruns-caused-by-bit-glitches-on-the-bus.patch
new file mode 100644
index 00000000000..face6b44009
--- /dev/null
+++ b/queue-4.4/tpm-st33zp24-fix-potential-buffer-overruns-caused-by-bit-glitches-on-the-bus.patch
@@ -0,0 +1,49 @@
+From 6d24cd186d9fead3722108dec1b1c993354645ff Mon Sep 17 00:00:00 2001
+From: Jeremy Boone
+Date: Thu, 8 Feb 2018 12:29:09 -0800
+Subject: tpm: st33zp24: fix potential buffer overruns caused by bit glitches on the bus
+
+From: Jeremy Boone
+
+commit 6d24cd186d9fead3722108dec1b1c993354645ff upstream.
+
+Discrete TPMs are often connected over slow serial buses which, on
+some platforms, can have glitches causing bit flips. In all the
+driver _recv() functions, we need to use a u32 to unmarshal the
+response size, otherwise a bit flip of the 31st bit would cause the
+expected variable to go negative, which would then try to read a huge
+amount of data. Also sanity check that the expected amount of data is
+large enough for the TPM header.
+
+Signed-off-by: Jeremy Boone
+Cc: stable@vger.kernel.org
+Signed-off-by: James Bottomley
+Reviewed-by: Jarkko Sakkinen
+Signed-off-by: Jarkko Sakkinen
+Signed-off-by: James Morris
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/char/tpm/st33zp24/st33zp24.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/char/tpm/st33zp24/st33zp24.c
++++ b/drivers/char/tpm/st33zp24/st33zp24.c
+@@ -485,7 +485,7 @@ static int st33zp24_recv(struct tpm_chip
+ size_t count)
+ {
+ int size = 0;
+- int expected;
++ u32 expected;
+
+ if (!chip)
+ return -EBUSY;
+@@ -502,7 +502,7 @@ static int st33zp24_recv(struct tpm_chip
+ }
+
+ expected = be32_to_cpu(*(__be32 *)(buf + 2));
+- if (expected > count) {
++ if (expected > count || expected < TPM_HEADER_SIZE) {
+ size = -EIO;
+ goto out;
+ }
diff --git a/queue-4.4/tpm_i2c_infineon-fix-potential-buffer-overruns-caused-by-bit-glitches-on-the-bus.patch b/queue-4.4/tpm_i2c_infineon-fix-potential-buffer-overruns-caused-by-bit-glitches-on-the-bus.patch
new file mode 100644
index 00000000000..10908c44042
--- /dev/null
+++ b/queue-4.4/tpm_i2c_infineon-fix-potential-buffer-overruns-caused-by-bit-glitches-on-the-bus.patch
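Review bot: With `expected` now a `u32` and `size` still declared `int` in st33zp24_recv(), any later comparison between the two is carried out as unsigned, so a negative `size` would compare as a very large value rather than as "less than expected". The body after the bounds check lies outside both nested hunks, so whether the 4.4 code makes such a comparison cannot be confirmed from here; if it does, test the error first, e.g. `if (size < 0 || (u32)size < expected)`. The same int/u32 pairing is introduced in tpm_tis_i2c_recv() and i2c_nuvoton_recv() by the other two patches added in this commit. A short comment above the new test, such as `/* length comes off the bus: reject anything outside [TPM_HEADER_SIZE, count] */`, would record why both bounds are needed.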
@@ -0,0 +1,50 @@
+From 9b8cb28d7c62568a5916bdd7ea1c9176d7f8f2ed Mon Sep 17 00:00:00 2001
+From: Jeremy Boone
+Date: Thu, 8 Feb 2018 12:30:01 -0800
+Subject: tpm_i2c_infineon: fix potential buffer overruns caused by bit glitches on the bus
+
+From: Jeremy Boone
+
+commit 9b8cb28d7c62568a5916bdd7ea1c9176d7f8f2ed upstream.
+
+Discrete TPMs are often connected over slow serial buses which, on
+some platforms, can have glitches causing bit flips. In all the
+driver _recv() functions, we need to use a u32 to unmarshal the
+response size, otherwise a bit flip of the 31st bit would cause the
+expected variable to go negative, which would then try to read a huge
+amount of data. Also sanity check that the expected amount of data is
+large enough for the TPM header.
+
+Signed-off-by: Jeremy Boone
+Cc: stable@vger.kernel.org
+Signed-off-by: James Bottomley
+Reviewed-by: Jarkko Sakkinen
+Signed-off-by: Jarkko Sakkinen
+Signed-off-by: James Morris
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/char/tpm/tpm_i2c_infineon.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/drivers/char/tpm/tpm_i2c_infineon.c
++++ b/drivers/char/tpm/tpm_i2c_infineon.c
+@@ -436,7 +436,8 @@ static int recv_data(struct tpm_chip *ch
+ static int tpm_tis_i2c_recv(struct tpm_chip *chip, u8 *buf, size_t count)
+ {
+ int size = 0;
+- int expected, status;
++ int status;
++ u32 expected;
+
+ if (count < TPM_HEADER_SIZE) {
+ size = -EIO;
+@@ -451,7 +452,7 @@ static int tpm_tis_i2c_recv(struct tpm_c
+ }
+
+ expected = be32_to_cpu(*(__be32 *)(buf + 2));
+- if ((size_t) expected > count) {
++ if (((size_t) expected > count) || (expected < TPM_HEADER_SIZE)) {
+ size = -EIO;
+ goto out;
+ }
diff --git a/queue-4.4/tpm_i2c_nuvoton-fix-potential-buffer-overruns-caused-by-bit-glitches-on-the-bus.patch b/queue-4.4/tpm_i2c_nuvoton-fix-potential-buffer-overruns-caused-by-bit-glitches-on-the-bus.patch
new file mode 100644
index 00000000000..efd32d36d40
--- /dev/null
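Review bot: The `(size_t)` cast kept in the new bounds test of tpm_tis_i2c_recv() is a leftover from when `expected` was a signed `int`; it was what turned a negative length into a large unsigned one before the comparison. Now that `expected` is `u32` the conversion to `size_t` is implicit and lossless, and the extra parentheses make the two-sided range check harder to read than it needs to be. Writing it the way the st33zp24 patch in this commit does, `if (expected > count || expected < TPM_HEADER_SIZE) {`, keeps the three drivers visibly identical, which matters for a check that must not drift between them. The function body continues past the end of the second nested hunk.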
+++ b/queue-4.4/tpm_i2c_nuvoton-fix-potential-buffer-overruns-caused-by-bit-glitches-on-the-bus.patch
@@ -0,0 +1,53 @@
+From f9d4d9b5a5ef2f017bc344fb65a58a902517173b Mon Sep 17 00:00:00 2001
+From: Jeremy Boone
+Date: Thu, 8 Feb 2018 12:31:16 -0800
+Subject: tpm_i2c_nuvoton: fix potential buffer overruns caused by bit glitches on the bus
+
+From: Jeremy Boone
+
+commit f9d4d9b5a5ef2f017bc344fb65a58a902517173b upstream.
+
+Discrete TPMs are often connected over slow serial buses which, on
+some platforms, can have glitches causing bit flips. In all the
+driver _recv() functions, we need to use a u32 to unmarshal the
+response size, otherwise a bit flip of the 31st bit would cause the
+expected variable to go negative, which would then try to read a huge
+amount of data. Also sanity check that the expected amount of data is
+large enough for the TPM header.
+
+Signed-off-by: Jeremy Boone
+Cc: stable@vger.kernel.org
+Signed-off-by: James Bottomley
+Reviewed-by: Jarkko Sakkinen
+Signed-off-by: Jarkko Sakkinen
+Signed-off-by: James Morris
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/char/tpm/tpm_i2c_nuvoton.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+--- a/drivers/char/tpm/tpm_i2c_nuvoton.c
++++ b/drivers/char/tpm/tpm_i2c_nuvoton.c
+@@ -267,7 +267,11 @@ static int i2c_nuvoton_recv(struct tpm_c
+ struct device *dev = chip->dev.parent;
+ struct i2c_client *client = to_i2c_client(dev);
+ s32 rc;
+- int expected, status, burst_count, retries, size = 0;
++ int status;
++ int burst_count;
++ int retries;
++ int size = 0;
++ u32 expected;
+
+ if (count < TPM_HEADER_SIZE) {
+ i2c_nuvoton_ready(chip); /* return to idle */
+@@ -309,7 +313,7 @@ static int i2c_nuvoton_recv(struct tpm_c
+ * to machine native
+ */
+ expected = be32_to_cpu(*(__be32 *) (buf + 2));
+- if (expected > count || expected < size) {
++ if (expected > count || expected < size) {
+ dev_err(dev, "%s() expected > count\n", __func__);
+ size = -EIO;
+ continue;
--
2.47.3
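Review bot: The `dev_err()` text in i2c_nuvoton_recv() still reads `expected > count`, but the branch is now also taken when `expected < size`, so a truncated length coming off the bus is logged as if it were an oversized one. Someone triaging bus glitches from the kernel log would be pointed at the wrong bound; printing the value, for example `dev_err(dev, "%s() expected %u out of range\n", __func__, expected);`, covers both cases. The lower bound here is the `int` variable `size` rather than `TPM_HEADER_SIZE` as in the st33zp24 and infineon patches, and the comparison is done as unsigned; what `size` holds at this point is assigned outside the hunk, so it is worth confirming it can never be negative here.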