From patchwork Tue Nov 22 12:40:07 2016
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Fabio Urquiza <flus@cesar.org.br>
X-Patchwork-Id: 697700
Return-Path: <tpmdd-devel-bounces@lists.sourceforge.net>
X-Original-To: incoming@patchwork.ozlabs.org
Delivered-To: patchwork-incoming@bilbo.ozlabs.org
Received: from lists.sourceforge.net (lists.sourceforge.net [216.34.181.88])
	(using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
	(No client certificate requested)
	by ozlabs.org (Postfix) with ESMTPS id 3tNQb81yLsz9snk
	for <incoming@patchwork.ozlabs.org>;
	Wed, 23 Nov 2016 00:01:40 +1100 (AEDT)
Received: from localhost ([127.0.0.1] helo=sfs-ml-4.v29.ch3.sourceforge.com)
	by sfs-ml-4.v29.ch3.sourceforge.com with esmtp (Exim 4.76)
	(envelope-from <tpmdd-devel-bounces@lists.sourceforge.net>)
	id 1c9Aha-00009C-ER; Tue, 22 Nov 2016 13:01:34 +0000
Received: from sog-mx-4.v43.ch3.sourceforge.com ([172.29.43.194]
	helo=mx.sourceforge.net)
	by sfs-ml-4.v29.ch3.sourceforge.com with esmtp (Exim 4.76)
	(envelope-from <flus@cesar.org.br>) id 1c9AhZ-000097-5c
	for tpmdd-devel@lists.sourceforge.net; Tue, 22 Nov 2016 13:01:33 +0000
Received-SPF: pass (sog-mx-4.v43.ch3.sourceforge.com: domain of cesar.org.br
	designates 209.85.220.178 as permitted sender)
	client-ip=209.85.220.178; envelope-from=flus@cesar.org.br;
	helo=mail-qk0-f178.google.com;
Received: from mail-qk0-f178.google.com ([209.85.220.178])
	by sog-mx-4.v43.ch3.sourceforge.com with esmtps
	(TLSv1:AES128-SHA:128) (Exim 4.76) id 1c9AhT-00050W-HH
	for tpmdd-devel@lists.sourceforge.net; Tue, 22 Nov 2016 13:01:33 +0000
Received: by mail-qk0-f178.google.com with SMTP id x190so22331396qkb.0
	for <tpmdd-devel@lists.sourceforge.net>;
	Tue, 22 Nov 2016 05:01:27 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=1e100.net; s=20130820;
	h=x-gm-message-state:from:to:cc:subject:date:message-id;
	bh=bltEYSpNtkVIrq7ifHGM8YY4hdzEbAAutULhy5+Gpr0=;
	b=G6owJqMTtDrPBOC9RO3Z46p0KCvQfBViSGDC9sHWTH4vNRX4MWDbtW3tqGj0SFZNnh
	IVlRhTeepr73hac5RpR09QqAW1s/6u0/T/36A7cBLr0RC17YRltsCugtSxDiPOa42j5g
	Z14QKN9EN+cSRX9v7pKcyqh8l/pV64NFzuFSPU0nhulW/vw88oeh7fen//+Onm7WqSlb
	fPGcRj7qCEVkzvtkhUDeB9AIp+McpP0WLyAsxUoMcY4RMSc+sI/olhh80+8k4gKK2dR8
	G0jQVEPia59OO6nVMJ7+dZXMTQgrYGyIlL4vtTvqMN0LrJdrOgunXSko9wm8GfRMJw4g
	2GnQ==
X-Gm-Message-State: 
 AKaTC00fuHHEURvbvDeyI17EzYQ1YLmUrJUZVdKpkFPTtLKv+KC/OhLnbEUSse6C8kJgY7zz
X-Received: by 10.55.155.7 with SMTP id d7mr24665186qke.81.1479818431443;
	Tue, 22 Nov 2016 04:40:31 -0800 (PST)
Received: from ubuntu.rce.tvgvt ([177.133.125.149])
	by smtp.gmail.com with ESMTPSA id
	b94sm13610904qkb.16.2016.11.22.04.40.29
	(version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
	Tue, 22 Nov 2016 04:40:31 -0800 (PST)
From: Fabio Urquiza <flus@cesar.org.br>
To: tpmdd-devel@lists.sourceforge.net
Date: Tue, 22 Nov 2016 09:40:07 -0300
Message-Id: <20161122124007.16487-1-flus@cesar.org.br>
X-Mailer: git-send-email 2.9.3
X-Spam-Score: -1.0 (-)
X-Spam-Report: Spam Filtering performed by mx.sourceforge.net.
	See http://spamassassin.org/tag/ for more details.
	-1.5 SPF_CHECK_PASS SPF reports sender host as permitted sender for
	sender-domain
	-0.0 RCVD_IN_DNSWL_NONE RBL: Sender listed at http://www.dnswl.org/,
	no trust [209.85.220.178 listed in list.dnswl.org]
	0.5 RCVD_IN_SORBS_SPAM     RBL: SORBS: sender is a spam source
	[209.85.220.178 listed in dnsbl.sorbs.net]
	-0.0 SPF_PASS               SPF: sender matches SPF record
	0.1 DKIM_SIGNED            Message has a DKIM or DK signature,
	not necessarily valid
	-0.1 DKIM_VALID Message has at least one valid DKIM or DK signature
X-Headers-End: 1c9AhT-00050W-HH
Subject: [tpmdd-devel] [PATCH] tpm_i2c_atmel: fix i2c_atmel_recv() when
	response is greater than 35 bytes
X-BeenThere: tpmdd-devel@lists.sourceforge.net
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Tpm Device Driver maintainance <tpmdd-devel.lists.sourceforge.net>
List-Unsubscribe: <https://lists.sourceforge.net/lists/listinfo/tpmdd-devel>,
	<mailto:tpmdd-devel-request@lists.sourceforge.net?subject=unsubscribe>
List-Archive: 
 <http://sourceforge.net/mailarchive/forum.php?forum_name=tpmdd-devel>
List-Post: <mailto:tpmdd-devel@lists.sourceforge.net>
List-Help: <mailto:tpmdd-devel-request@lists.sourceforge.net?subject=help>
List-Subscribe: <https://lists.sourceforge.net/lists/listinfo/tpmdd-devel>,
	<mailto:tpmdd-devel-request@lists.sourceforge.net?subject=subscribe>
MIME-Version: 1.0
Errors-To: tpmdd-devel-bounces@lists.sourceforge.net

If the variable expected_len is greater than 35 bytes, i2c_atmel_recv()
ignores the amount of data already read in i2c_atmel_read_status() and
request more data than what the device is ready to supply. As result the
TPM data sent to the upper layers will miss the first 35 bytes of the
response and will be filled with garbage in the end.

TCSP_GetRandom_Internal before fix:

tpm_i2c_atmel 0-0020: i2c_atmel_send(buf=00 c1 00 00 00 0e 00 00 00 46 00 00 00 20 len=e) -> sts=14
tpm_i2c_atmel 0-0020: i2c_atmel_read_status: sts=-6
tpm_i2c_atmel 0-0020: i2c_atmel_read_status: sts=35
tpm_i2c_atmel 0-0020: i2c_atmel_recv reread(buf=3b ec a5 17 37 27 2a fb a0 cc ce ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff count=1000) -> ret=46

TCSP_GetRandom_Internal after fix:

tpm_i2c_atmel 0-0020: i2c_atmel_send(buf=00 c1 00 00 00 0e 00 00 00 46 00 00 00 20 len=e) -> sts=14
tpm_i2c_atmel 0-0020: i2c_atmel_read_status: sts=-6
tpm_i2c_atmel 0-0020: i2c_atmel_read_status: sts=35
tpm_i2c_atmel 0-0020: i2c_atmel_recv reread(buf=00 c4 00 00 00 2e 00 00 00 00 00 00 00 20 63 dc 83 a1 55 e6 b4 5d 5a 10 70 63 28 5c 5b a8 87 ca 57 fd 45 c3 a0 62 1b c2 1d b3 d2 0d 8f 19 count=1000) -> ret=46

Signed-off-by: Fabio Urquiza <flus@cesar.org.br>
---
 drivers/char/tpm/tpm_i2c_atmel.c | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/drivers/char/tpm/tpm_i2c_atmel.c b/drivers/char/tpm/tpm_i2c_atmel.c
index 95ce2e9..a02f5a7 100644
--- a/drivers/char/tpm/tpm_i2c_atmel.c
+++ b/drivers/char/tpm/tpm_i2c_atmel.c
@@ -75,9 +75,9 @@ static int i2c_atmel_recv(struct tpm_chip *chip, u8 *buf, size_t count)
 	struct tpm_output_header *hdr =
 		(struct tpm_output_header *)priv->buffer;
 	u32 expected_len;
-	int rc;
+	int rc = priv->len;
 
-	if (priv->len == 0)
+	if (rc == 0)
 		return -EIO;
 
 	/* Get the message size from the message header, if we didn't get the
@@ -87,7 +87,7 @@ static int i2c_atmel_recv(struct tpm_chip *chip, u8 *buf, size_t count)
 	if (expected_len > count)
 		return -ENOMEM;
 
-	if (priv->len >= expected_len) {
+	if (rc >= expected_len) {
 		dev_dbg(&chip->dev,
 			"%s early(buf=%*ph count=%0zx) -> ret=%d\n", __func__,
 			(int)min_t(size_t, 64, expected_len), buf, count,
@@ -96,7 +96,8 @@ static int i2c_atmel_recv(struct tpm_chip *chip, u8 *buf, size_t count)
 		return expected_len;
 	}
 
-	rc = i2c_master_recv(client, buf, expected_len);
+	memcpy(buf, priv->buffer, rc);
+	rc += i2c_master_recv(client, buf + rc, expected_len - rc);
 	dev_dbg(&chip->dev,
 		"%s reread(buf=%*ph count=%0zx) -> ret=%d\n", __func__,
 		(int)min_t(size_t, 64, expected_len), buf, count,