| From a0bcce2b2a169e10eb265c8f0ebdd5ae4c875670 Mon Sep 17 00:00:00 2001 |
| From: Dan Carpenter <dan.carpenter@oracle.com> |
| Date: Wed, 8 Sep 2021 08:33:57 +0300 |
| Subject: tpm: Check for integer overflow in tpm2_map_response_body() |
| |
| From: Dan Carpenter <dan.carpenter@oracle.com> |
| |
| commit a0bcce2b2a169e10eb265c8f0ebdd5ae4c875670 upstream. |
| |
| The "4 * be32_to_cpu(data->count)" multiplication can potentially |
| overflow which would lead to memory corruption. Add a check for that. |
| |
| Cc: stable@vger.kernel.org |
| Fixes: 745b361e989a ("tpm: infrastructure for TPM spaces") |
| Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> |
| Reviewed-by: Jarkko Sakkinen <jarkko@kernel.org> |
| Signed-off-by: Jarkko Sakkinen <jarkko@kernel.org> |
| Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
| --- |
| drivers/char/tpm/tpm2-space.c | 3 +++ |
| 1 file changed, 3 insertions(+) |
| |
| --- a/drivers/char/tpm/tpm2-space.c |
| +++ b/drivers/char/tpm/tpm2-space.c |
| @@ -455,6 +455,9 @@ static int tpm2_map_response_body(struct |
| if (be32_to_cpu(data->capability) != TPM2_CAP_HANDLES) |
| return 0; |
| |
| + if (be32_to_cpu(data->count) > (UINT_MAX - TPM_HEADER_SIZE - 9) / 4) |
| + return -EFAULT; |
| + |
| if (len != TPM_HEADER_SIZE + 9 + 4 * be32_to_cpu(data->count)) |
| return -EFAULT; |
| |