releases/4.15.8/tpm-fix-potential-buffer-overruns-caused-by-bit-glitches-on-the-bus.patch - pub/scm/linux/kernel/git/stable/stable-queue - Git at Google

 From 3be23274755ee85771270a23af7691dc9b3a95db Mon Sep 17 00:00:00 2001
 From: Jeremy Boone <jeremy.boone@nccgroup.trust>
 Date: Thu, 8 Feb 2018 12:28:08 -0800
 Subject: tpm: fix potential buffer overruns caused by bit glitches on the bus

 From: Jeremy Boone <jeremy.boone@nccgroup.trust>

 commit 3be23274755ee85771270a23af7691dc9b3a95db upstream.

 Discrete TPMs are often connected over slow serial buses which, on
 some platforms, can have glitches causing bit flips.  If a bit does
 flip it could cause an overrun if it's in one of the size parameters,
 so sanity check that we're not overrunning the provided buffer when
 doing a memcpy().

 Signed-off-by: Jeremy Boone <jeremy.boone@nccgroup.trust>
 Cc: stable@vger.kernel.org
 Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
 Reviewed-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
 Tested-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
 Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
 Signed-off-by: James Morris <james.morris@microsoft.com>
 Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 ---
  drivers/char/tpm/tpm-interface.c |    4 ++++
  drivers/char/tpm/tpm2-cmd.c      |    4 ++++
  2 files changed, 8 insertions(+)

 --- a/drivers/char/tpm/tpm-interface.c
 +++ b/drivers/char/tpm/tpm-interface.c
 @@ -1228,6 +1228,10 @@ int tpm_get_random(u32 chip_num, u8 *out
  			break;

  		recd = be32_to_cpu(tpm_cmd.params.getrandom_out.rng_data_len);
 +		if (recd > num_bytes) {
 +			total = -EFAULT;
 +			break;
 +		}

  		rlength = be32_to_cpu(tpm_cmd.header.out.length);
  		if (rlength < offsetof(struct tpm_getrandom_out, rng_data) +
 --- a/drivers/char/tpm/tpm2-cmd.c
 +++ b/drivers/char/tpm/tpm2-cmd.c
 @@ -683,6 +683,10 @@ static int tpm2_unseal_cmd(struct tpm_ch
  	if (!rc) {
  		data_len = be16_to_cpup(
  			(__be16 *) &buf.data[TPM_HEADER_SIZE + 4]);
 +		if (data_len < MIN_KEY_SIZE ||  data_len > MAX_KEY_SIZE + 1) {
 +			rc = -EFAULT;
 +			goto out;
 +		}

  		rlength = be32_to_cpu(((struct tpm2_cmd *)&buf)
  					->header.out.length);
	From 3be23274755ee85771270a23af7691dc9b3a95db Mon Sep 17 00:00:00 2001
	From: Jeremy Boone <jeremy.boone@nccgroup.trust>
	Date: Thu, 8 Feb 2018 12:28:08 -0800
	Subject: tpm: fix potential buffer overruns caused by bit glitches on the bus

	From: Jeremy Boone <jeremy.boone@nccgroup.trust>

	commit 3be23274755ee85771270a23af7691dc9b3a95db upstream.

	Discrete TPMs are often connected over slow serial buses which, on
	some platforms, can have glitches causing bit flips. If a bit does
	flip it could cause an overrun if it's in one of the size parameters,
	so sanity check that we're not overrunning the provided buffer when
	doing a memcpy().

	Signed-off-by: Jeremy Boone <jeremy.boone@nccgroup.trust>
	Cc: stable@vger.kernel.org
	Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
	Reviewed-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
	Tested-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
	Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
	Signed-off-by: James Morris <james.morris@microsoft.com>
	Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

	---
	drivers/char/tpm/tpm-interface.c \| 4 ++++
	drivers/char/tpm/tpm2-cmd.c \| 4 ++++
	2 files changed, 8 insertions(+)

	--- a/drivers/char/tpm/tpm-interface.c
	+++ b/drivers/char/tpm/tpm-interface.c
	@@ -1228,6 +1228,10 @@ int tpm_get_random(u32 chip_num, u8 *out
	break;

	recd = be32_to_cpu(tpm_cmd.params.getrandom_out.rng_data_len);
	+ if (recd > num_bytes) {
	+ total = -EFAULT;
	+ break;
	+ }

	rlength = be32_to_cpu(tpm_cmd.header.out.length);
	if (rlength < offsetof(struct tpm_getrandom_out, rng_data) +
	--- a/drivers/char/tpm/tpm2-cmd.c
	+++ b/drivers/char/tpm/tpm2-cmd.c
	@@ -683,6 +683,10 @@ static int tpm2_unseal_cmd(struct tpm_ch
	if (!rc) {
	data_len = be16_to_cpup(
	(__be16 *) &buf.data[TPM_HEADER_SIZE + 4]);
	+ if (data_len < MIN_KEY_SIZE \|\| data_len > MAX_KEY_SIZE + 1) {
	+ rc = -EFAULT;
	+ goto out;
	+ }

	rlength = be32_to_cpu(((struct tpm2_cmd *)&buf)
	->header.out.length);