Received: by 2002:ac0:a5a6:0:0:0:0:0 with SMTP id m35-v6csp1307221imm;
        Sun, 2 Sep 2018 18:18:46 -0700 (PDT)
X-Google-Smtp-Source: ANB0VdYUJl//7Iy9z5SKZu7B6UUliJIWilGBMPJR2Niss7nFyAbdX9GwcjTONsoOZ9NMlNiByxX4
X-Received: by 2002:a62:571b:: with SMTP id l27-v6mr26908068pfb.29.1535937526243;
        Sun, 02 Sep 2018 18:18:46 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1535937526; cv=none;
        d=google.com; s=arc-20160816;
        b=nex6mCyfcPuGVR6uEaU7T14iaJ34EE4eE1wC9+RjHkvdtd6UY0w82cv3yRrBRreYF3
         SvHrMW9uTk6+5D8GoOfRXwnU9ZcGo6UuxtLcrLbymWmnBfjQI2hYrkQ3B1EQNSARrqP3
         E1GVyVCZecMDhp3oiZwkON9Jrioe+tBMAEICE92/xWaa/3AZXoiCABTtob8817GL60Ea
         96oaz/tnUENVKeJAil2HN7pw3M3GOHB6izYwseI9kM5jrZRirmHZzh8tnIrq5/r1D/Fy
         o+2oI+Lc/PQxYKjBwt0LMhHl7um2ty8NXJj3eDOf55ZLYFG6kSkFyE0rhoH6kkjoK8+9
         c5tg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:message-id:date:subject:cc:to:from
         :arc-authentication-results;
        bh=sSKKy930XRQbfaNudOSFSGpFD9+07EfNmXEkDkQYpaE=;
        b=Tjuo+g0HYDShRKU4HqYpsPV8xo5vg/YbYw3gg8M5BWzIOZn0zf45hUoDzGz60455UU
         O59Ua9vgCYFdJ3b6tTLHS/+E8jf0fhIaESnrEQNMAuyqJa5CIEtgoAO1YhBINJO2ACqh
         SqrD53+9wl48gdoSsc9I2T8zsNgoLOqqMPeZ1iB8NIZZ4fubSW+GEXBNgGW35+oAGrg/
         G/Q1wULf0nl9UuCAt2XSepb5zITDNzntG/YAN+lNXEn8DpCeXKwkPuxQcpI0kye4GMZJ
         ++S+CZqtwEjaaXWlH8kIgnOOQg8JcK1Oi4DJTbmhzQMBmHPWW6awnYW4Cztph4DhE2ch
         NLWg==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=intel.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id q9-v6si16902034pgj.134.2018.09.02.18.18.29;
        Sun, 02 Sep 2018 18:18:46 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=intel.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1726029AbeICF2L (ORCPT
        <rfc822;fygvjjghggcfgvhhgsgrguf@gmail.com> + 99 others);
        Mon, 3 Sep 2018 01:28:11 -0400
Received: from mga17.intel.com ([192.55.52.151]:19822 "EHLO mga17.intel.com"
        rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
        id S1725762AbeICF2L (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
        Mon, 3 Sep 2018 01:28:11 -0400
X-Amp-Result: SKIPPED(no attachment in message)
X-Amp-File-Uploaded: False
Received: from orsmga002.jf.intel.com ([10.7.209.21])
  by fmsmga107.fm.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 02 Sep 2018 18:10:27 -0700
X-ExtLoop1: 1
X-IronPort-AV: E=Sophos;i="5.53,322,1531810800"; 
   d="scan'208";a="88436330"
Received: from jbreuer-mobl.ger.corp.intel.com (HELO localhost) ([10.249.36.98])
  by orsmga002.jf.intel.com with ESMTP; 02 Sep 2018 18:10:15 -0700
From:   Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
To:     linux-integrity@vger.kernel.org
Cc:     Stefan Berger <stefanb@linux.vnet.ibm.com>,
        linux-security-module@vger.kernel.org,
        Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>,
        stable@vger.kernel.org, Peter Huewe <peterhuewe@gmx.de>,
        Jason Gunthorpe <jgg@ziepe.ca>, Arnd Bergmann <arnd@arndb.de>,
        Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
        linux-kernel@vger.kernel.org (open list)
Subject: [PATCH] tpm: fix response size validation in tpm_get_random()
Date:   Mon,  3 Sep 2018 04:10:04 +0300
Message-Id: <20180903011004.12161-1-jarkko.sakkinen@linux.intel.com>
X-Mailer: git-send-email 2.17.1
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

When checking whether the response is large enough to be able to contain
the received random bytes in tpm_get_random() and tpm2_get_random(),
they fail to take account the header size, which should be added to the
minimum size. This commit fixes this issue.

Cc: stable@vger.kernel.org
Fixes: c659af78eb7b ("tpm: Check size of response before accessing data")
Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
---
 drivers/char/tpm/tpm-interface.c | 3 ++-
 drivers/char/tpm/tpm2-cmd.c      | 4 +++-
 2 files changed, 5 insertions(+), 2 deletions(-)

diff --git a/drivers/char/tpm/tpm-interface.c b/drivers/char/tpm/tpm-interface.c
index 1a803b0cf980..318a7078b2ba 100644
--- a/drivers/char/tpm/tpm-interface.c
+++ b/drivers/char/tpm/tpm-interface.c
@@ -1321,7 +1321,8 @@ int tpm_get_random(struct tpm_chip *chip, u8 *out, size_t max)
 		}
 
 		rlength = be32_to_cpu(tpm_cmd.header.out.length);
-		if (rlength < offsetof(struct tpm_getrandom_out, rng_data) +
+		if (rlength < TPM_HEADER_SIZE +
+			      offsetof(struct tpm_getrandom_out, rng_data) +
 			      recd) {
 			total = -EFAULT;
 			break;
diff --git a/drivers/char/tpm/tpm2-cmd.c b/drivers/char/tpm/tpm2-cmd.c
index c31b490bd41d..3acf4fd4e5a5 100644
--- a/drivers/char/tpm/tpm2-cmd.c
+++ b/drivers/char/tpm/tpm2-cmd.c
@@ -329,7 +329,9 @@ int tpm2_get_random(struct tpm_chip *chip, u8 *dest, size_t max)
 			&buf.data[TPM_HEADER_SIZE];
 		recd = min_t(u32, be16_to_cpu(out->size), num_bytes);
 		if (tpm_buf_length(&buf) <
-		    offsetof(struct tpm2_get_random_out, buffer) + recd) {
+		    TPM_HEADER_SIZE +
+		    offsetof(struct tpm2_get_random_out, buffer) +
+		    recd) {
 			err = -EFAULT;
 			goto out;
 		}
-- 
2.17.1