From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Alexander Steffen, Jarkko Sakkinen
Subject: [PATCH 4.9 07/65] tpm-dev-common: Reject too short writes
Date: Fri, 9 Mar 2018 16:18:07 -0800
Message-Id: <20180310001825.521367469@linuxfoundation.org>
In-Reply-To: <20180310001824.927996722@linuxfoundation.org>

4.9-stable review patch. If anyone has any objections, please let me know.

------------------

From: Alexander Steffen commit ee70bc1e7b63ac8023c9ff9475d8741e397316e7 upstream. tpm_transmit() does not offer an explicit interface to indicate the number of valid bytes in the communication buffer. Instead, it relies on the commandSize field in the TPM header that is encoded within the buffer. Therefore, ensure that a) enough data has been written to the buffer, so that the commandSize field is present and b) the commandSize field does not announce more data than has been written to the buffer. This should have been fixed with CVE-2011-1161 long ago, but apparently a correct version of that patch never made it into the kernel. Cc: stable@vger.kernel.org Signed-off-by: Alexander Steffen Reviewed-by: Jarkko Sakkinen Tested-by: Jarkko Sakkinen Signed-off-by: Jarkko Sakkinen Signed-off-by: Greg Kroah-Hartman --- drivers/char/tpm/tpm-dev.c | 6 ++++++ 1 file changed, 6 insertions(+) --- a/drivers/char/tpm/tpm-dev.c +++ b/drivers/char/tpm/tpm-dev.c @@ -136,6 +136,12 @@ static ssize_t tpm_write(struct file *fi return -EFAULT; } + if (in_size < 6 || + in_size < be32_to_cpu(*((__be32 *) (priv->data_buffer + 2)))) { + mutex_unlock(&priv->buffer_mutex); + return -EINVAL; + } + /* atomic tpm command send and result receive. We only hold the ops * lock during this period so that the tpm can be unregistered even if * the char dev is held open.
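
Review bot: the new check in tpm_write() reads commandSize with `*((__be32 *) (priv->data_buffer + 2))`, a 32-bit load through a cast pointer at byte offset 2, which is not a naturally aligned access if data_buffer itself is word-aligned. Using `get_unaligned_be32(priv->data_buffer + 2)` would state the intent and avoid relying on the architecture tolerating the misaligned load. The bare `6` and `+ 2` are also unexplained in the hunk. A short comment or named constants saying that 6 is the 2 bytes before the field plus the 4-byte commandSize field would make it clear why shorter writes are rejected before the field is read. The ordering of the two conditions is correct as written (the length test short-circuits before the field is dereferenced) and should be kept that way if the expression is refactored.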