From patchwork Mon Oct 24 15:54:39 2016
X-Patchwork-Submitter: Josh Zimmerman
X-Patchwork-Id: 685964
Date: Mon, 24 Oct 2016 08:54:39 -0700
From: Josh Zimmerman
To: Peter Huewe, Marcel Selhorst, Jarkko Sakkinen, Jason Gunthorpe, tpmdd-devel@lists.sourceforge.net
Cc: stable@vger.kernel.org
Subject: [tpmdd-devel] [PATCH v2] tpm_tis: Check return values from get_burstcount.
Message-ID: <20161024155439.GA27123@google.com>

If the TPM we're connecting to uses a static burst count, it will report a burst count of zero throughout the response read. However, get_burstcount assumes that a response of zero indicates that the TPM is not ready to receive more data. In this case, it returns a negative error code, which is passed on to tpm_tis_{write,read}_bytes as a u16, causing them to read/write far too many bytes.

This patch checks for negative return codes and bails out from recv_data and tpm_tis_send_data.

Fixes: 1107d065fdf1
--- drivers/char/tpm/tpm_tis_core.c | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/drivers/char/tpm/tpm_tis_core.c b/drivers/char/tpm/tpm_tis_core.c index e3bf31b..aed92b3 100644 --- a/drivers/char/tpm/tpm_tis_core.c +++ b/drivers/char/tpm/tpm_tis_core.c @@ -186,6 +186,12 @@ static int recv_data(struct tpm_chip *chip, u8 *buf, size_t count) chip->timeout_c, &priv->read_queue, true) == 0) { burstcnt = min_t(int, get_burstcount(chip), count - size); + if (burstcnt < 0) { + dev_err(&chip->dev, + "Unable to read burstcount in %s:%d (%s)\n", + __FILE__, __LINE__, __func__); + return burstcnt; + } rc = tpm_tis_read_bytes(priv, TPM_DATA_FIFO(priv->locality), burstcnt, buf + size);
@@ -272,6 +278,13 @@ static int tpm_tis_send_data(struct tpm_chip *chip, u8 *buf, size_t len) while (count < len - 1) { burstcnt = min_t(int, get_burstcount(chip), len - count - 1); + if (burstcnt < 0) { + dev_err(&chip->dev, + "Unable to read burstcount in %s:%d (%s)\n", + __FILE__, __LINE__, __func__); + rc = burstcnt; + goto out_err; + } rc = tpm_tis_write_bytes(priv, TPM_DATA_FIFO(priv->locality), burstcnt, buf + count); if (rc < 0)
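Review bot: In the recv_data hunk the `burstcnt < 0` test runs on the result of `min_t(int, get_burstcount(chip), count - size)` rather than on the return value of get_burstcount() itself. Because `count` is a size_t, a `count - size` that does not fit in an int would also end up in this branch and be logged as a burstcount read failure. Consider storing the get_burstcount() result in a local, returning on a negative value, and only then clamping it against `count - size`, so the error code is never mixed with the length handed to tpm_tis_read_bytes().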
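Review bot: The dev_err() added in the tpm_tis_send_data hunk repeats the recv_data message word for word and builds it from `__FILE__`, `__LINE__` and `__func__`. dev_err() already identifies the device, and kernel log messages normally do not carry file and line. A short fixed string that names the direction that failed, for example "Unable to read burstcount while sending", would be easier to tell apart in dmesg and would not change when the file is edited. Here too the negative test is applied after `min_t(int, get_burstcount(chip), len - count - 1)`; testing the get_burstcount() return before the clamp would make it explicit that `rc` carries the driver's error code.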