On Wed, Feb 28, 2018 at 04:41:07PM -0800, Eduardo Valentin wrote:
> Greg, Folks,
>
> On Tue, Nov 21, 2017 at 05:52:57PM +0100, gregkh@xxxxxxxxxxxxxxxxxxx wrote:
> >
> > The patch below does not apply to the 4.9-stable tree.
> > If someone wants it applied there, or to any other stable or longterm
> > tree, then please email the backport, including the original git commit
> > id to <stable@xxxxxxxxxxxxxxx>.
>
>
> I noticed that this patch is in other stable branches, but not for 4.9.y.
> The patch did not apply cleanly because the file name has changed. So,
> I did the backport by simply applying on the filename current on 4.9.y.
Looks correct to me.
/Jarkko
>
> Patch will look like this:
>
> ----
>
> From f16fa6209d65358ce26e159c5966d8a35e6ec602 Mon Sep 17 00:00:00 2001
> From: Alexander Steffen <Alexander.Steffen@xxxxxxxxxxxx>
> Date: Fri, 8 Sep 2017 17:21:32 +0200
> Subject: [PATCH 1/1] tpm-dev-common: Reject too short writes
>
> tpm_transmit() does not offer an explicit interface to indicate the number
> of valid bytes in the communication buffer. Instead, it relies on the
> commandSize field in the TPM header that is encoded within the buffer.
> Therefore, ensure that a) enough data has been written to the buffer, so
> that the commandSize field is present and b) the commandSize field does not
> announce more data than has been written to the buffer.
>
> This should have been fixed with CVE-2011-1161 long ago, but apparently
> a correct version of that patch never made it into the kernel.
>
> Cc: stable@xxxxxxxxxxxxxxx
> Signed-off-by: Alexander Steffen <Alexander.Steffen@xxxxxxxxxxxx>
> Reviewed-by: Jarkko Sakkinen <jarkko.sakkinen@xxxxxxxxxxxxxxx>
> Tested-by: Jarkko Sakkinen <jarkko.sakkinen@xxxxxxxxxxxxxxx>
> Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@xxxxxxxxxxxxxxx>
> (cherry picked from commit ee70bc1e7b63ac8023c9ff9475d8741e397316e7)
> Signed-off-by: Eduardo Valentin <eduval@xxxxxxxxxx>
> ---
> drivers/char/tpm/tpm-dev.c | 6 ++++++
> 1 file changed, 6 insertions(+)
>
> diff --git a/drivers/char/tpm/tpm-dev.c b/drivers/char/tpm/tpm-dev.c
> index 912ad30..65b8249 100644
> --- a/drivers/char/tpm/tpm-dev.c
> +++ b/drivers/char/tpm/tpm-dev.c
> @@ -136,6 +136,12 @@ static ssize_t tpm_write(struct file *file, const char __user *buf,
> return -EFAULT;
> }
>
> + if (in_size < 6 ||
> + in_size < be32_to_cpu(*((__be32 *) (priv->data_buffer + 2)))) {
> + mutex_unlock(&priv->buffer_mutex);
> + return -EINVAL;
> + }
> +
> /* atomic tpm command send and result receive. We only hold the ops
> * lock during this period so that the tpm can be unregistered even if
> * the char dev is held open.
> --
> 2.7.4
>