git.ipfire.org Git - thirdparty/kernel/stable.git/commit

author	Jarkko Sakkinen <jarkko@kernel.org>
	Sun, 30 Nov 2025 19:07:12 +0000 (21:07 +0200)
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	Sat, 17 Jan 2026 15:31:29 +0000 (16:31 +0100)
commit	47e676ce4d68f461dfcab906f6aeb254f7276deb
tree	77fd0d11b2df0d529df8a66340928a522b40f497	tree \| snapshot
parent	42440155fe2759da9404d55515b9e96d0818a479	commit \| diff

tpm2-sessions: Fix out of range indexing in name_size

commit 6e9722e9a7bfe1bbad649937c811076acf86e1fd upstream.

'name_size' does not have any range checks, and it just directly indexes
with TPM_ALG_ID, which could lead into memory corruption at worst.

Address the issue by only processing known values and returning -EINVAL for
unrecognized values.

Make also 'tpm_buf_append_name' and 'tpm_buf_fill_hmac_session' fallible so
that errors are detected before causing any spurious TPM traffic.

End also the authorization session on failure in both of the functions, as
the session state would be then by definition corrupted.

Cc: stable@vger.kernel.org # v6.10+
Fixes: 1085b8276bb4 ("tpm: Add the rest of the session HMAC API")
Reviewed-by: Jonathan McDowell <noodles@meta.com>
Signed-off-by: Jarkko Sakkinen <jarkko@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

drivers/char/tpm/tpm2-cmd.c		diff \| blob \| blame \| history
drivers/char/tpm/tpm2-sessions.c		diff \| blob \| blame \| history
include/linux/tpm.h		diff \| blob \| blame \| history
security/keys/trusted-keys/trusted_tpm2.c		diff \| blob \| blame \| history