From: Greg Kroah-Hartman Date: Thu, 8 Jan 2026 10:15:40 +0000 (+0100) Subject: 6.6-stable patches X-Git-Tag: v6.1.160~59 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=1eeec9e8d3a71785ebcf449ea58b1d8d90f9fea0;p=thirdparty%2Fkernel%2Fstable-queue.git 6.6-stable patches added patches: tpm-cap-the-number-of-pcr-banks.patch
---
diff --git a/queue-6.6/series b/queue-6.6/series
index 3f6fccd26a..f5a3a60912 100644
--- a/queue-6.6/series
+++ b/queue-6.6/series
@@ -625,3 +625,4 @@ drm-i915-gem-zero-initialize-the-eb.vma-array-in-i915_gem_do_execbuffer.patch
 drm-nouveau-dispnv50-don-t-call-drm_atomic_get_crtc_state-in-prepare_fb.patch
 usb-gadget-lpc32xx_udc-fix-clock-imbalance-in-error-path.patch
 blk-mq-add-helper-for-checking-if-one-cpu-is-mapped-to-specified-hctx.patch
+tpm-cap-the-number-of-pcr-banks.patch
diff --git a/queue-6.6/tpm-cap-the-number-of-pcr-banks.patch b/queue-6.6/tpm-cap-the-number-of-pcr-banks.patch
new file mode 100644
index 0000000000..4962e517bc
--- /dev/null
+++ b/queue-6.6/tpm-cap-the-number-of-pcr-banks.patch
@@ -0,0 +1,99 @@
+From faf07e611dfa464b201223a7253e9dc5ee0f3c9e Mon Sep 17 00:00:00 2001
+From: Jarkko Sakkinen
+Date: Tue, 30 Sep 2025 15:58:02 +0300
+Subject: tpm: Cap the number of PCR banks
+
+From: Jarkko Sakkinen
+
+commit faf07e611dfa464b201223a7253e9dc5ee0f3c9e upstream.
+
+tpm2_get_pcr_allocation() does not cap any upper limit for the number of
+banks. Cap the limit to eight banks so that out of bounds values coming
+from external I/O cause on only limited harm.
+
+Cc: stable@vger.kernel.org # v5.10+
+Fixes: bcfff8384f6c ("tpm: dynamically allocate the allocated_banks array")
+Tested-by: Lai Yi
+Reviewed-by: Jonathan McDowell
+Reviewed-by: Roberto Sassu
+Signed-off-by: Jarkko Sakkinen
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/char/tpm/tpm-chip.c | 1 -
+ drivers/char/tpm/tpm1-cmd.c | 5 -----
+ drivers/char/tpm/tpm2-cmd.c | 8 +++-----
+ include/linux/tpm.h | 8 +++++---
+ 4 files changed, 8 insertions(+), 14 deletions(-)
+
+--- a/drivers/char/tpm/tpm-chip.c
++++ b/drivers/char/tpm/tpm-chip.c
+@@ -279,7 +279,6 @@ static void tpm_dev_release(struct devic
+
+ kfree(chip->work_space.context_buf);
+ kfree(chip->work_space.session_buf);
+- kfree(chip->allocated_banks);
+ kfree(chip);
+ }
+
+--- a/drivers/char/tpm/tpm1-cmd.c
++++ b/drivers/char/tpm/tpm1-cmd.c
+@@ -799,11 +799,6 @@ int tpm1_pm_suspend(struct tpm_chip *chi
+ */
+ int tpm1_get_pcr_allocation(struct tpm_chip *chip)
+ {
+- chip->allocated_banks = kcalloc(1, sizeof(*chip->allocated_banks),
+- GFP_KERNEL);
+- if (!chip->allocated_banks)
+- return -ENOMEM;
+-
+ chip->allocated_banks[0].alg_id = TPM_ALG_SHA1;
+ chip->allocated_banks[0].digest_size = hash_digest_size[HASH_ALGO_SHA1];
+ chip->allocated_banks[0].crypto_id = HASH_ALGO_SHA1;
+--- a/drivers/char/tpm/tpm2-cmd.c
++++ b/drivers/char/tpm/tpm2-cmd.c
+@@ -574,11 +574,9 @@ ssize_t tpm2_get_pcr_allocation(struct t
+
+ nr_possible_banks = be32_to_cpup(
+ (__be32 *)&buf.data[TPM_HEADER_SIZE + 5]);
+-
+- chip->allocated_banks = kcalloc(nr_possible_banks,
+- sizeof(*chip->allocated_banks),
+- GFP_KERNEL);
+- if (!chip->allocated_banks) {
++ if (nr_possible_banks > TPM2_MAX_PCR_BANKS) {
++ pr_err("tpm: out of bank capacity: %u > %u\n",
++ nr_possible_banks, TPM2_MAX_PCR_BANKS);
+ rc = -ENOMEM;
+ goto out;
+ }
+--- a/include/linux/tpm.h
++++ b/include/linux/tpm.h
+@@ -25,7 +25,9 @@
+ #include
+
+ #define TPM_DIGEST_SIZE 20 /* Max TPM v1.2 PCR size */
+-#define TPM_MAX_DIGEST_SIZE SHA512_DIGEST_SIZE
++
++#define TPM2_MAX_DIGEST_SIZE SHA512_DIGEST_SIZE
++#define TPM2_MAX_PCR_BANKS 8
+
+ struct tpm_chip;
+ struct trusted_key_payload;
+@@ -51,7 +53,7 @@ enum tpm_algorithms {
+
+ struct tpm_digest {
+ u16 alg_id;
+- u8 digest[TPM_MAX_DIGEST_SIZE];
++ u8 digest[TPM2_MAX_DIGEST_SIZE];
+ } __packed;
+
+ struct tpm_bank_info {
+@@ -157,7 +159,7 @@ struct tpm_chip {
+ unsigned int groups_cnt;
+
+ u32 nr_allocated_banks;
+- struct tpm_bank_info *allocated_banks;
++ struct tpm_bank_info allocated_banks[TPM2_MAX_PCR_BANKS];
+ #ifdef CONFIG_ACPI
+ acpi_handle acpi_dev_handle;
+ char ppi_version[TPM_PPI_VERSION_LEN + 1];
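Review bot: The new bound check in tpm2_get_pcr_allocation() (drivers/char/tpm/tpm2-cmd.c) reports a device-supplied bank count above TPM2_MAX_PCR_BANKS as `-ENOMEM`, although nothing is allocated any more now that `allocated_banks` is a fixed array, so a malformed TPM response surfaces to callers and in logs as an out-of-memory condition. An error that names the real cause, e.g. `rc = -E2BIG;`, and a message tied to the device, `dev_err(&chip->dev, "PCR bank count %u exceeds limit %u\n", nr_possible_banks, TPM2_MAX_PCR_BANKS);`, would make the rejection easier to triage; whether any caller depends on the `-ENOMEM` value is not visible here, and the function body continues outside the hunk. Separately, the include/linux/tpm.h hunk renames `TPM_MAX_DIGEST_SIZE` to `TPM2_MAX_DIGEST_SIZE` while the diffstat lists only four files, so it is worth confirming that no other user of the old name remains in the 6.6 tree.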