Re: [PATCH 1/3] KEYS: asym_tpm: fix buffer overreads in extract_key_parameters()

On Thu, Jan 13, 2022 at 03:54:38PM -0800, Eric Biggers wrote:
> From: Eric Biggers <ebiggers@xxxxxxxxxx>
> 
> extract_key_parameters() can read past the end of the input buffer due
> to buggy and missing bounds checks.  Fix it as follows:
> 
> - Before reading each key length field, verify that there are at least 4
>   bytes remaining.

Maybe start with a "Key length is described as an unsigned 32-bit integer
in the TPM header". Just for clarity.

> 
> - Avoid integer overflows when validating size fields; 'sz + 12' and
>   '4 + sz' overflowed if 'sz' is near U32_MAX.

So we have a struct tpm_header in include/linux/tpm.h. It would be way
more informative to use sizeof(struct tpm_header) than the number 12, even
if the patch does not otherwise use the struct. It tells what it is, 12
does not.

> - Before saving the pointer to the public key, check that it doesn't run
>   past the end of the buffer.
> 
> Fixes: f8c54e1ac4b8 ("KEYS: asym_tpm: extract key size & public key [ver #2]")
> Cc: <stable@xxxxxxxxxxxxxxx> # v4.20+
> Signed-off-by: Eric Biggers <ebiggers@xxxxxxxxxx>

BR, Jarkko
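
The three checks listed in the commit message, shown as an added example that is not the kernel's code and not part of either e-mail. The field layout (a 4-byte big-endian length followed by its payload) and the names `HDR_LEN`, `check_wrapping`, `check_safe` and `read_len_field` are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define HDR_LEN 12u /* the '12' from the commit message, used as a fixed header length */

/* Wrapping form: 'sz + 12' is computed in 32 bits, so a huge sz passes the check. */
static int check_wrapping(uint32_t sz, uint32_t len)
{
    return (uint32_t)(sz + HDR_LEN) <= len;
}

/* Overflow-free form: subtract from the known length instead of adding to sz. */
static int check_safe(uint32_t sz, uint32_t len)
{
    return len >= HDR_LEN && sz <= len - HDR_LEN;
}

/* Hypothetical parser for [4-byte big-endian length][payload].
 * Returns 0 and sets *payload / *payload_len, or -1 if the field does not fit. */
static int read_len_field(const uint8_t *buf, size_t len,
                          const uint8_t **payload, uint32_t *payload_len)
{
    uint32_t sz;

    if (len < 4)          /* at least 4 bytes must remain before reading the length */
        return -1;
    sz = ((uint32_t)buf[0] << 24) | ((uint32_t)buf[1] << 16) |
         ((uint32_t)buf[2] << 8) | (uint32_t)buf[3];
    if (sz > len - 4)     /* not '4 + sz > len', which wraps for sz near U32_MAX */
        return -1;
    *payload = buf + 4;   /* pointer is saved only after the range is known to fit */
    *payload_len = sz;
    return 0;
}

int main(void)
{
    /* Constructed input: length field 0xFFFFFFFF in an 8-byte buffer. */
    const uint8_t bad[] = { 0xFF, 0xFF, 0xFF, 0xFF, 0, 0, 0, 0 };
    const uint8_t *p;
    uint32_t n;

    printf("wrapping check accepts sz=0xFFFFFFF8, len=64: %d\n",
           check_wrapping(0xFFFFFFF8u, 64));
    printf("safe check accepts the same values: %d\n", check_safe(0xFFFFFFF8u, 64));
    printf("read_len_field on oversized length: %d\n",
           read_len_field(bad, sizeof(bad), &p, &n));
    return 0;
}
```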


