When the TIS, SPAPR, or CRB frontends negotiate a buffer size with the
TPM backend, then the tpm_emulator (swtpm) could still adjust this size
of the buffer to within bounds supported by swtpm+libtpms if the chosen
size was outside the acceptable range. This could theoretically lead to
the TPM 2 using a bigger buffer than what was requested and memory
allocated for. In practice this would not happend since the requested size
of 4096 bytes for TIS and SPAPR and 3968 bytes for CRB happen in the
(currently) supported range of ~2.5kb to 4096 bytes. With PQC support
the range will have an upper bound of 8kb and a lower bound that will
support the (pre-PQC) CRB with 3968 bytes.
Fixes: 9375c44fdfc0 ("tpm: tpm_emulator: get and set buffer size of device")
Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Link: https://lore.kernel.org/qemu-devel/20260511142219.797048-2-stefanb@linux.ibm.com
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
{
TPMEmulator *tpm_emu = TPM_EMULATOR(tb);
ptm_setbuffersize psbs;
+ size_t tpm_buffersize;
if (tpm_emulator_stop_tpm(tb, errp) < 0) {
return -1;
return -1;
}
+ tpm_buffersize = be32_to_cpu(psbs.u.resp.buffersize);
+ /* Reject different buffer size used by the TPM than what was requested. */
+ if (wanted_size != 0 && wanted_size != tpm_buffersize) {
+ error_setg(errp,
+ "tpm-emulator: TPM did not accept the requested buffer size "
+ "of %zu bytes but adjusted it to %zu bytes",
+ wanted_size, tpm_buffersize);
+ return -1;
+ }
+
if (actual_size) {
- *actual_size = be32_to_cpu(psbs.u.resp.buffersize);
+ *actual_size = tpm_buffersize;
}
trace_tpm_emulator_set_buffer_size(
projects / thirdparty / qemu.git / commitdiff
