From patchwork Fri Oct 21 00:21:29 2016
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Josh Zimmerman <joshz@google.com>
X-Patchwork-Id: 691163
Return-Path: <tpmdd-devel-bounces@lists.sourceforge.net>
X-Original-To: incoming@patchwork.ozlabs.org
Delivered-To: patchwork-incoming@bilbo.ozlabs.org
Received: from lists.sourceforge.net (lists.sourceforge.net [216.34.181.88])
	(using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
	(No client certificate requested)
	by ozlabs.org (Postfix) with ESMTPS id 3t9Fmp0KYnz9vFL
	for <incoming@patchwork.ozlabs.org>;
	Fri,  4 Nov 2016 19:46:17 +1100 (AEDT)
Received: from localhost ([127.0.0.1] helo=sfs-ml-2.v29.ch3.sourceforge.com)
	by sfs-ml-2.v29.ch3.sourceforge.com with esmtp (Exim 4.76)
	(envelope-from <tpmdd-devel-bounces@lists.sourceforge.net>)
	id 1c2a8c-0000av-C7; Fri, 04 Nov 2016 08:46:14 +0000
Received: from sog-mx-1.v43.ch3.sourceforge.com ([172.29.43.191]
	helo=mx.sourceforge.net)
	by sfs-ml-3.v29.ch3.sourceforge.com with esmtp (Exim 4.76)
	(envelope-from <joshz@google.com>) id 1bxNac-00010Z-MV
	for tpmdd-devel@lists.sourceforge.net; Fri, 21 Oct 2016 00:21:38 +0000
Received-SPF: pass (sog-mx-1.v43.ch3.sourceforge.com: domain of google.com
	designates 209.85.192.170 as permitted sender)
	client-ip=209.85.192.170; envelope-from=joshz@google.com;
	helo=mail-pf0-f170.google.com;
Received: from mail-pf0-f170.google.com ([209.85.192.170])
	by sog-mx-1.v43.ch3.sourceforge.com with esmtps
	(TLSv1:AES128-SHA:128) (Exim 4.76) id 1bxNab-0003jX-S2
	for tpmdd-devel@lists.sourceforge.net; Fri, 21 Oct 2016 00:21:38 +0000
Received: by mail-pf0-f170.google.com with SMTP id e6so45665970pfk.3
	for <tpmdd-devel@lists.sourceforge.net>;
	Thu, 20 Oct 2016 17:21:37 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=1e100.net; s=20130820;
	h=x-gm-message-state:date:from:to:subject:message-id:mime-version
	:content-disposition:user-agent;
	bh=iYvZbCU0zHlj9qSHKlvV/t5o29ttZMw0mp6gPksUf50=;
	b=Imum9pQv2I/4Z9zyulKwcluYFKZXTcydgFM9rpFPCcFuIX4UaWgenbfnLFpUlC99FT
	cn1T05Ugm3TzHhM989TP8XYpzcBScbc+R9EmahSvaMhJyGWTYvSoYLYfzPYkc48L2Bqe
	R05Gi3dk80gAVLPVROAHGxbjrw4D1R8EwMJ9ne7jgCZ1uFGnpEpenwze1QTWFyFNwSS/
	9R9/yzQvXTp11u0YGFT2OjKMvDPqzrqR7OAx+h7uIS4u06S58zswuAZwL1ypT1tJ0yee
	NG+4spQZajO7kdgkmu1CMqGBmbM313vS2eQRDqyFveRJhz0pqoqICWYX1vUaENfNuWt6
	0T7A==
X-Gm-Message-State: 
 AA6/9Rk9/vzr5qskLqWwMw3edrlcscfoWcnMQ67hbNGNDN0cfCu8a2irM928xJEFPrJoNBZR
X-Received: by 10.99.102.69 with SMTP id a66mr4899801pgc.71.1477009291919;
	Thu, 20 Oct 2016 17:21:31 -0700 (PDT)
Received: from google.com ([2620:0:1008:13:f43e:c92e:2275:e180])
	by smtp.gmail.com with ESMTPSA id
	a23sm74244757pfc.59.2016.10.20.17.21.31
	(version=TLS1_2 cipher=AES128-SHA bits=128/128);
	Thu, 20 Oct 2016 17:21:31 -0700 (PDT)
Date: Thu, 20 Oct 2016 17:21:29 -0700
From: Josh Zimmerman <joshz@google.com>
To: Peter Huewe <peterhuewe@gmx.de>, Marcel Selhorst <tpmdd@selhorst.net>,
	Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>,
	Jason Gunthorpe <jgunthorpe@obsidianresearch.com>,
	tpmdd-devel@lists.sourceforge.net
Message-ID: <20161021002129.GA9464@google.com>
MIME-Version: 1.0
Content-Disposition: inline
User-Agent: Mutt/1.5.21 (2010-09-15)
X-Spam-Score: -1.9 (-)
X-Spam-Report: Spam Filtering performed by mx.sourceforge.net.
	See http://spamassassin.org/tag/ for more details.
	-1.5 SPF_CHECK_PASS SPF reports sender host as permitted sender for
	sender-domain
	-0.0 SPF_PASS               SPF: sender matches SPF record
	-0.3 RP_MATCHES_RCVD Envelope sender domain matches handover relay
	domain
	-0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from
	author's domain
	0.1 DKIM_SIGNED            Message has a DKIM or DK signature,
	not necessarily valid
	-0.1 DKIM_VALID Message has at least one valid DKIM or DK signature
X-Headers-End: 1bxNab-0003jX-S2
X-Mailman-Approved-At: Fri, 04 Nov 2016 08:46:12 +0000
Subject: [tpmdd-devel] [PATCH] Check for error return values from
	get_burstcount.
X-BeenThere: tpmdd-devel@lists.sourceforge.net
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Tpm Device Driver maintainance <tpmdd-devel.lists.sourceforge.net>
List-Unsubscribe: <https://lists.sourceforge.net/lists/listinfo/tpmdd-devel>,
	<mailto:tpmdd-devel-request@lists.sourceforge.net?subject=unsubscribe>
List-Archive: 
 <http://sourceforge.net/mailarchive/forum.php?forum_name=tpmdd-devel>
List-Post: <mailto:tpmdd-devel@lists.sourceforge.net>
List-Help: <mailto:tpmdd-devel-request@lists.sourceforge.net?subject=help>
List-Subscribe: <https://lists.sourceforge.net/lists/listinfo/tpmdd-devel>,
	<mailto:tpmdd-devel-request@lists.sourceforge.net?subject=subscribe>
Errors-To: tpmdd-devel-bounces@lists.sourceforge.net

If the TPM we're connecting to uses a static burst count, it will report
a burst count of zero throughout the response read. However, get_burstcount
assumes that a response of zero indicates that the TPM is not ready to
receive more data. In this case, it returns a negative error code, which
is passed on to tpm_tis_{write,read}_bytes as a u16, causing
them to read/write far too many bytes.

This patch checks for negative return codes and bails out from recv_data
and tpm_tis_send_data.
---
 drivers/char/tpm/tpm_tis_core.c | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/drivers/char/tpm/tpm_tis_core.c b/drivers/char/tpm/tpm_tis_core.c
index e3bf31b..d0301dc 100644
--- a/drivers/char/tpm/tpm_tis_core.c
+++ b/drivers/char/tpm/tpm_tis_core.c
@@ -186,6 +186,12 @@ static int recv_data(struct tpm_chip *chip, u8 *buf, size_t count)
 				 chip->timeout_c,
 				 &priv->read_queue, true) == 0) {
 		burstcnt = min_t(int, get_burstcount(chip), count - size);
+		if (burstcnt < 0) {
+			dev_err(&chip->dev,
+				"Unable to read burstcount in %s:%d (%s)\n",
+				__FILE__, __LINE__, __func__);
+			return rc;
+		}
 
 		rc = tpm_tis_read_bytes(priv, TPM_DATA_FIFO(priv->locality),
 					burstcnt, buf + size);
@@ -272,6 +278,13 @@ static int tpm_tis_send_data(struct tpm_chip *chip, u8 *buf, size_t len)
 
 	while (count < len - 1) {
 		burstcnt = min_t(int, get_burstcount(chip), len - count - 1);
+		if (burstcnt < 0) {
+			dev_err(&chip->dev,
+				"Unable to read burstcount in %s:%d (%s)\n",
+				__FILE__, __LINE__, __func__);
+			rc = burstcnt;
+			goto out_err;
+		}
 		rc = tpm_tis_write_bytes(priv, TPM_DATA_FIFO(priv->locality),
 					 burstcnt, buf + count);
 		if (rc < 0)