lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Tue, 21 Feb 2017 15:45:00 +0100
From:   Enric Balletbo i Serra <enric.balletbo@...labora.com>
To:     Peter Huewe <peterhuewe@....de>,
        Marcel Selhorst <tpmdd@...horst.net>
Cc:     apronin@...gle.com, tpmdd-devel@...ts.sourceforge.net,
        linux-kernel@...r.kernel.org, Bryan Freed <bfreed@...omium.org>
Subject: [PATCH 2/2] tpm: Do not assume an i2c adapter preserves the msg len

From: Bryan Freed <bfreed@...omium.org>

Prevent a possible infinite loop by using a local variable to
advance len down to 0.  This is safer than trusting the I2C and
adapter drivers to preserve msg2.len.

Signed-off-by: Bryan Freed <bfreed@...omium.org>
Signed-off-by: Enric Balletbo i Serra <enric.balletbo@...labora.com>
---
 drivers/char/tpm/tpm_i2c_infineon.c | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)

diff --git a/drivers/char/tpm/tpm_i2c_infineon.c b/drivers/char/tpm/tpm_i2c_infineon.c
index f04c6b7..fbee05b 100644
--- a/drivers/char/tpm/tpm_i2c_infineon.c
+++ b/drivers/char/tpm/tpm_i2c_infineon.c
@@ -107,11 +107,10 @@ static int iic_tpm_read(u8 addr, u8 *buffer, size_t len)
 		.len = len,
 		.buf = buffer
 	};
-	struct i2c_msg msgs[] = {msg1, msg2};
 
 	int rc = 0;
 	int count;
-	int adapterlimit = len;
+	unsigned int adapterlimit = len;
 
 	/* Lock the adapter for the duration of the whole sequence. */
 	if (!tpm_dev.client->adapter->algo->master_xfer)
@@ -137,18 +136,19 @@ static int iic_tpm_read(u8 addr, u8 *buffer, size_t len)
 		 * retrieving the data
 		 */
 		for (count = 0; count < MAX_COUNT; count++) {
+			unsigned int msglen = msg2.len =
+					min_t(unsigned int, adapterlimit, len);
 			usleep_range(SLEEP_DURATION_LOW, SLEEP_DURATION_HI);
-			msg2.len = min(adapterlimit, len);
 			rc = __i2c_transfer(tpm_dev.client->adapter, &msg2, 1);
 			if (rc > 0) {
 				/* Since len is unsigned, make doubly sure we
 				 * do not underflow it.
 				 */
-				if (msg2.len > len)
+				if (msglen > len)
 					len = 0;
 				else
-					len -= msg2.len;
-				msg2.buf += msg2.len;
+					len -= msglen;
+				msg2.buf += msglen;
 				break;
 			}
 			/* If the I2C adapter rejected the request,
@@ -156,7 +156,7 @@ static int iic_tpm_read(u8 addr, u8 *buffer, size_t len)
 			 */
 			if (rc == -EINVAL) {
 				adapterlimit = (adapterlimit + 1) / 2;
-				adapterlimit = max(adapterlimit, 32);
+				adapterlimit = max(adapterlimit, 32U);
 			}
 		}
 		if (rc <= 0)
-- 
2.9.3

Powered by blists - more mailing lists