On Tue, 2018-10-30 at 16:47 +0100, Roberto Sassu wrote:
> This patch ensures that the digest size returned by the TPM during a PCR
> read matches the size of the algorithm passed as argument to
> tpm2_pcr_read(). The check is performed after information about the PCR
> banks has been retrieved.
>
> Signed-off-by: Roberto Sassu <roberto.sassu@xxxxxxxxxx>
> ---
> drivers/char/tpm/tpm2-cmd.c | 16 +++++++++++++++-
> 1 file changed, 15 insertions(+), 1 deletion(-)
>
> diff --git a/drivers/char/tpm/tpm2-cmd.c b/drivers/char/tpm/tpm2-cmd.c
> index 8e821e7b4674..477dcc30fc53 100644
> --- a/drivers/char/tpm/tpm2-cmd.c
> +++ b/drivers/char/tpm/tpm2-cmd.c
> @@ -187,15 +187,28 @@ struct tpm2_pcr_read_out {
> int tpm2_pcr_read(struct tpm_chip *chip, int pcr_idx,
> struct tpm_digest *digest_struct, u16 *digest_size_ptr)
> {
> + int i;
> int rc;
> struct tpm_buf buf;
> struct tpm2_pcr_read_out *out;
> u8 pcr_select[TPM2_PCR_SELECT_MIN] = {0};
> u16 digest_size;
> + u16 expected_digest_size = 0;
>
> if (pcr_idx >= TPM2_PLATFORM_PCR)
> return -EINVAL;
>
> + if (!digest_size_ptr) {
> + for (i = 0; i < ARRAY_SIZE(chip->active_banks) &&
> + chip->active_banks[i].alg_id != digest_struct->alg_id; i++)
> + ;
> +
> + if (i == ARRAY_SIZE(chip->active_banks))
> + return -EINVAL;
> +
> + expected_digest_size = chip->active_banks[i].digest_size;
> + }
> +
> rc = tpm_buf_init(&buf, TPM2_ST_NO_SESSIONS, TPM2_CC_PCR_READ);
> if (rc)
> return rc;
> @@ -215,7 +228,8 @@ int tpm2_pcr_read(struct tpm_chip *chip, int pcr_idx,
>
> out = (struct tpm2_pcr_read_out *)&buf.data[TPM_HEADER_SIZE];
> digest_size = be16_to_cpu(out->digest_size);
> - if (digest_size > sizeof(digest_struct->digest)) {
> + if ((digest_size_ptr && digest_size > sizeof(digest_struct->digest)) ||
The returned digest size should never be larger than the structure
field. The digest_size_ptr test is unnecessary.
Mimi
> + (!digest_size_ptr && digest_size != expected_digest_size)) {
> rc = -EINVAL;
> goto out;
> }
