git.ipfire.org Git - thirdparty/kernel/stable.git/commit

author	Jarkko Sakkinen <jarkko@kernel.org>
	Sun, 30 Nov 2025 19:07:12 +0000 (21:07 +0200)
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	Fri, 2 Jan 2026 11:57:11 +0000 (12:57 +0100)
commit	04a3aa6e8c5f878cc51a8a1c90b6d3c54079bc43
tree	86bdc031a41f24a08a8028f98a3932888f2b1611	tree \| snapshot
parent	cebbf5d16bb2bd86f90f32e6a912d7730ca0699a	commit \| diff

tpm2-sessions: Fix out of range indexing in name_size

commit 6e9722e9a7bfe1bbad649937c811076acf86e1fd upstream.

'name_size' does not have any range checks, and it just directly indexes
with TPM_ALG_ID, which could lead into memory corruption at worst.

Address the issue by only processing known values and returning -EINVAL for
unrecognized values.

Make also 'tpm_buf_append_name' and 'tpm_buf_fill_hmac_session' fallible so
that errors are detected before causing any spurious TPM traffic.

End also the authorization session on failure in both of the functions, as
the session state would be then by definition corrupted.

Cc: stable@vger.kernel.org # v6.10+
Fixes: 1085b8276bb4 ("tpm: Add the rest of the session HMAC API")
Reviewed-by: Jonathan McDowell <noodles@meta.com>
Signed-off-by: Jarkko Sakkinen <jarkko@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

drivers/char/tpm/tpm2-cmd.c		diff \| blob \| blame \| history
drivers/char/tpm/tpm2-sessions.c		diff \| blob \| blame \| history
include/linux/tpm.h		diff \| blob \| blame \| history
security/keys/trusted-keys/trusted_tpm2.c		diff \| blob \| blame \| history