On Thu, Aug 24, 2017 at 10:35:44AM +0200, Alexander Steffen wrote:
> tpm_common_write() in tpm-dev-common.c discards the information about how
> much data has actually been written to the buffer. Instead, all other code
> has to rely on the commandSize field in the TPM command header to figure
> out how many valid bytes are supposed to be in the buffer.
>
> But there is nothing that enforces the value in the header to match the
> actual buffer contents. So by claiming a larger size in the header than
> has been written, stale buffer contents are sent to the TPM. With this
> commit, this problem is detected and rejected accordingly.
>
> This should have been fixed with CVE-2011-1161 long ago, but apparently
> a correct version of that patch never made it into the kernel.
>
> Cc: stable@xxxxxxxxxxxxxxx
> Signed-off-by: Alexander Steffen <Alexander.Steffen@xxxxxxxxxxxx>
> ---
>  drivers/char/tpm/tpm-dev-common.c | 2 +-
>  drivers/char/tpm/tpm-interface.c  | 9 ++++++---
>  drivers/char/tpm/tpm.h            | 3 ++-
>  3 files changed, 9 insertions(+), 5 deletions(-)
>
> diff --git a/drivers/char/tpm/tpm-dev-common.c b/drivers/char/tpm/tpm-dev-common.c
> index 610638a..c39b581 100644
> --- a/drivers/char/tpm/tpm-dev-common.c
> +++ b/drivers/char/tpm/tpm-dev-common.c
> @@ -119,7 +119,7 @@ ssize_t tpm_common_write(struct file *file, const char __user *buf,
>  		return -EPIPE;
>  	}
>  	out_size = tpm_transmit(priv->chip, space, priv->data_buffer,
> -				sizeof(priv->data_buffer), 0);
> +				sizeof(priv->data_buffer), in_size, 0);

Why couldn't you just

	unsigned int bufsiz;

	/* ... */

	bufsiz = sizeof(priv->data_buffer);
	if (in_size < bufsiz)
		bufsiz = in_size;

	out_size = tpm_transmit(priv->chip, space, priv->data_buffer,
				bufsiz, 0);

/Jarkko
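Review bot: the changed tpm_transmit() call now passes both sizeof(priv->data_buffer) and in_size, so the check that rejects a header commandSize larger than in_size must live in the tpm-interface.c and tpm.h hunks listed in the diffstat, which are not shown here and cannot be reviewed from this hunk alone. The reply's alternative of clamping one bufsiz to the smaller of in_size and sizeof(priv->data_buffer) avoids the signature change, but it is only equivalent if tpm_transmit() uses bufsiz solely as an upper bound on the command length and not also as the capacity of the same buffer for the response it reads back; if it does the latter, clamping would cap the response at the size of the command, and keeping the two values separate as this hunk does is the safer shape. The commit message should say which of the two values the new check compares the header's commandSize against, so that the reader can judge this without the other hunks.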
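As an added example that is not part of the patch or of the kernel tree, the user-space C model below reproduces the defect the commit message describes and the kind of check the patch adds: a buffer that persists across writes, a header commandSize that may claim more bytes than were written, and a length check run with and without knowledge of in_size. The function names (tpm_check_command_length, simulate_write, stale_bytes), the 64-byte buffer size and the sample commands are constructed for illustration; TPM_HEADER_SIZE, the TPM_ST_NO_SESSIONS tag and the TPM2_CC_GetRandom code are the TPM 2.0 constants.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* A TPM command starts with a 10-byte header: tag (2 bytes), commandSize
 * (4 bytes, big-endian), commandCode (4 bytes). */
#define TPM_HEADER_SIZE 10
/* Constructed capacity for the model buffer; the kernel's is larger. */
#define DATA_BUFFER_SIZE 64

enum tpm_verdict {
	TPM_CMD_OK = 0,
	TPM_CMD_SHORT_HEADER,    /* fewer bytes written than a header needs */
	TPM_CMD_EXCEEDS_BUFFER,  /* commandSize larger than the buffer capacity */
	TPM_CMD_EXCEEDS_WRITTEN  /* commandSize larger than the bytes written */
};

static uint32_t get_be32(const uint8_t *p)
{
	return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
	       ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

static void put_be32(uint8_t *p, uint32_t v)
{
	p[0] = (uint8_t)(v >> 24);
	p[1] = (uint8_t)(v >> 16);
	p[2] = (uint8_t)(v >> 8);
	p[3] = (uint8_t)v;
}

/* Check the header-declared length against the buffer capacity (bufsiz) and,
 * when enforce_in_size is set, against the bytes the caller actually copied
 * in (in_size). enforce_in_size == 0 models the pre-patch behaviour, where
 * only the capacity was checked. */
enum tpm_verdict tpm_check_command_length(const uint8_t *buf, size_t bufsiz,
					  size_t in_size, int enforce_in_size)
{
	uint32_t len;

	if (in_size < TPM_HEADER_SIZE)
		return TPM_CMD_SHORT_HEADER;
	len = get_be32(buf + 2);
	if (len > bufsiz)
		return TPM_CMD_EXCEEDS_BUFFER;
	if (enforce_in_size && len > in_size)
		return TPM_CMD_EXCEEDS_WRITTEN;
	return TPM_CMD_OK;
}

/* Stands in for priv->data_buffer: it persists across writes, so bytes from
 * an earlier command remain behind after a shorter command is written. */
static uint8_t data_buffer[DATA_BUFFER_SIZE];

/* Build a command of in_size bytes whose header claims claimed_len bytes and
 * whose body is filled with `fill`. Tag and command code are illustrative. */
void build_command(uint8_t *out, size_t in_size, uint32_t claimed_len,
		   uint8_t fill)
{
	if (in_size < TPM_HEADER_SIZE)
		return;
	memset(out, fill, in_size);
	out[0] = 0x80;
	out[1] = 0x01;                 /* TPM_ST_NO_SESSIONS */
	put_be32(out + 2, claimed_len);
	put_be32(out + 6, 0x0000017b); /* TPM2_CC_GetRandom */
}

/* Model tpm_common_write() followed by transmit: copy in_size bytes into the
 * persistent buffer and return how many bytes the TPM would be handed, or -1
 * if the command is rejected. */
long simulate_write(const uint8_t *cmd, size_t in_size, int enforce_in_size)
{
	if (in_size > sizeof(data_buffer))
		return -1;
	memcpy(data_buffer, cmd, in_size);
	if (tpm_check_command_length(data_buffer, sizeof(data_buffer), in_size,
				     enforce_in_size) != TPM_CMD_OK)
		return -1;
	return (long)get_be32(data_buffer + 2);
}

/* Of the bytes handed to the TPM, how many were left over from an earlier
 * write rather than supplied by this one. */
long stale_bytes(long sent, size_t in_size)
{
	if (sent < 0 || (size_t)sent <= in_size)
		return 0;
	return sent - (long)in_size;
}

int main(void)
{
	uint8_t cmd[DATA_BUFFER_SIZE];
	long sent;

	build_command(cmd, 20, 20, 0xAA);
	simulate_write(cmd, 20, 0);        /* leaves 0xAA bytes in the buffer */
	build_command(cmd, 12, 20, 0xBB);  /* 12 bytes written, header claims 20 */
	sent = simulate_write(cmd, 12, 0);
	printf("header-only check: %ld bytes sent, %ld stale\n",
	       sent, stale_bytes(sent, 12));
	sent = simulate_write(cmd, 12, 1);
	printf("with in_size check: %s\n", sent < 0 ? "rejected" : "accepted");
	return 0;
}
```

Run as-is, the first write leaves twenty 0xAA bytes in the buffer; the second writes only twelve bytes but claims twenty, so the capacity-only check hands the TPM eight bytes that belong to the previous command, while the in_size-aware check rejects it.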