On Mon, Sep 04, 2017 at 07:36:42PM +0200, Alexander Steffen wrote:
> tpm_transmit() does not offer an explicit interface to indicate the number
> of valid bytes in the communication buffer. Instead, it relies on the
> commandSize field in the TPM header that is encoded within the buffer.
> Therefore, ensure that a) enough data has been written to the buffer, so
> that the commandSize field is present and b) the commandSize field does not
> announce more data than has been written to the buffer.
>
> This should have been fixed with CVE-2011-1161 long ago, but apparently
> a correct version of that patch never made it into the kernel.
>
> Cc: stable@xxxxxxxxxxxxxxx
> Signed-off-by: Alexander Steffen <Alexander.Steffen@xxxxxxxxxxxx>
> ---
> v2:
> - Moved all changes to tpm_common_write in a single patch.
>
> drivers/char/tpm/tpm-dev-common.c | 3 ++-
> 1 file changed, 2 insertions(+), 1 deletion(-)
>
> diff --git a/drivers/char/tpm/tpm-dev-common.c b/drivers/char/tpm/tpm-dev-common.c
> index 610638a..ac25574 100644
> --- a/drivers/char/tpm/tpm-dev-common.c
> +++ b/drivers/char/tpm/tpm-dev-common.c
> @@ -99,7 +99,8 @@ ssize_t tpm_common_write(struct file *file, const char __user *buf,
> if (atomic_read(&priv->data_pending) != 0)
> return -EBUSY;
>
> - if (in_size > TPM_BUFSIZE)
> + if (in_size > sizeof(priv->data_buffer) || in_size < 6 ||
> + in_size < be32_to_cpu(*((__be32 *) (buf + 2))))
> return -E2BIG;
>
> mutex_lock(&priv->buffer_mutex);
> --
> 2.7.4
>

Reviewed-by: Jarkko Sakkinen <jarkko.sakkinen@xxxxxxxxxxxxxxx>

There's now some delay getting patches to my git tree because next week is conference week and I have lots of stuff to do before I depart Finland. I'm sorry about that. At the latest I'll push these during the plane trip (I can remotely access test machines with the plane's internet connection; it's not the first time I'm doing this).

/Jarkko
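Review bot: the added condition in the tpm_common_write() hunk dereferences `buf` directly (`be32_to_cpu(*((__be32 *) (buf + 2)))`), but the hunk header declares it `const char __user *buf`, so this reads user memory from kernel context without copy_from_user()/get_user(), trips the __user annotation under sparse, and performs an unaligned 32-bit load through a pointer the caller controls. Suggest keeping only `in_size > sizeof(priv->data_buffer)` at this point, and moving the `in_size < 6` and commandSize comparison to after the write data has been copied into `priv->data_buffer` (which is also what the `mutex_lock(&priv->buffer_mutex)` at the end of the hunk guards), reading the length from `priv->data_buffer + 2` instead. A write that is too short or whose header claims more bytes than were supplied is malformed rather than too large, so returning -EINVAL for those two cases rather than -E2BIG would also give user space a more accurate error.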