STMicro TPM: Fix potential buffer overruns
authorJeremy Boone <jeremy.boone@nccgroup.trust>
Mon, 12 Feb 2018 22:56:35 +0000 (17:56 -0500)
committerTom Rini <trini@konsulko.com>
Mon, 5 Mar 2018 15:05:36 +0000 (10:05 -0500)
This patch prevents integer underflow when the length was too small,
which could lead to memory corruption.

Signed-off-by: Jeremy Boone <jeremy.boone@nccgroup.trust>
drivers/tpm/tpm_tis_st33zp24_i2c.c
drivers/tpm/tpm_tis_st33zp24_spi.c

index c8d01254d2236ab1d4f8e277f6376c11714cb85b..245218fc075b95e95b230f3d9acab8f4b0670f01 100644 (file)
@@ -303,7 +303,8 @@ static int st33zp24_i2c_recv_data(struct udevice *dev, u8 *buf, size_t count)
 static int st33zp24_i2c_recv(struct udevice *dev, u8 *buf, size_t count)
 {
        struct tpm_chip *chip = dev_get_priv(dev);
-       int size, expected;
+       int size;
+       unsigned int expected;
 
        if (!chip)
                return -ENODEV;
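Review bot: With `expected` now `unsigned int` and `size` still `int`, any comparison between the two further down in st33zp24_i2c_recv is carried out in unsigned arithmetic, so a negative error value in `size` would compare as a very large number instead of as less than `expected`. The rest of the function lies outside this hunk, so whether such a comparison exists needs confirming. If it does, test the sign separately, e.g. `if (size < 0 || (unsigned int)size < expected)`, so a failed data read cannot pass as a complete response. The same declaration change is made to st33zp24_spi_recv in the SPI driver, and the point applies there too.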
@@ -320,7 +321,7 @@ static int st33zp24_i2c_recv(struct udevice *dev, u8 *buf, size_t count)
        }
 
        expected = get_unaligned_be32(buf + 2);
-       if (expected > count) {
+       if (expected > count || expected < TPM_HEADER_SIZE) {
                size = -EIO;
                goto out;
        }
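Review bot: The new lower bound `expected < TPM_HEADER_SIZE` has no comment saying why a short length must be rejected, and the condition alone does not explain it. `expected` is read from the response buffer, so it is a device-supplied value; per the commit message a too-small length underflows, presumably in a later subtraction of the header size that lies outside this hunk. I would add above the check: `/* Length comes from the TPM response header: reject values larger than the buffer or smaller than the header, which would wrap the remaining-bytes count. */`. The identical check in st33zp24_spi_recv should carry the same comment, and since the two functions match line for line here, a shared validation helper would keep them from drifting apart.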
index dcf55ee03af8dedb05cefff24344bbe6a5ac0b79..c4c5e0528631d14e5fd4e3074c9376be3b6e1480 100644 (file)
@@ -431,7 +431,8 @@ static int st33zp24_spi_recv_data(struct udevice *dev, u8 *buf, size_t count)
 static int st33zp24_spi_recv(struct udevice *dev, u8 *buf, size_t count)
 {
        struct tpm_chip *chip = dev_get_priv(dev);
-       int size, expected;
+       int size;
+       unsigned int expected;
 
        if (!chip)
                return -ENODEV;
@@ -448,7 +449,7 @@ static int st33zp24_spi_recv(struct udevice *dev, u8 *buf, size_t count)
        }
 
        expected = get_unaligned_be32(buf + 2);
-       if (expected > count) {
+       if (expected > count || expected < TPM_HEADER_SIZE) {
                size = -EIO;
                goto out;
        }