[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <20251004090413.8885-1-shahriyar@posteo.de>
Date: Sat, 04 Oct 2025 09:04:17 +0000
From: Shahriyar Jalayeri <shahriyar@...teo.de>
To: Paul Menzel <pmenzel@...gen.mpg.de>
Cc: shahriyar@...teo.de,
peterhuewe@....de,
jarkko@...nel.org,
jgg@...pe.ca,
linux-integrity@...r.kernel.org,
linux-kernel@...r.kernel.org
Subject: [PATCH] tpm: infineon: add bounds check in tpm_inf_recv
Add two buffer size validations to prevent buffer
overflows in tpm_inf_recv():
1. Validate that the provided buffer can hold at
least the 4-byte header before attempting to
read it.
2. Validate that the buffer is large enough to
hold the data size reported by the TPM before
reading the payload.
Without these checks, a malicious or malfunctioning
TPM could cause buffer overflows by reporting data
sizes larger than the provided buffer, leading to
memory corruption.
The error messages include both the expected and
actual buffer sizes to indicate that the operation
is aborted.
Signed-off-by: Shahriyar Jalayeri <shahriyar@...teo.de>
---
drivers/char/tpm/tpm_infineon.c | 19 ++++++++++++++++++-
1 file changed, 18 insertions(+), 1 deletion(-)
diff --git a/drivers/char/tpm/tpm_infineon.c b/drivers/char/tpm/tpm_infineon.c
index 7638b65b8..385bac46a 100644
--- a/drivers/char/tpm/tpm_infineon.c
+++ b/drivers/char/tpm/tpm_infineon.c
@@ -247,11 +247,20 @@ static int tpm_inf_recv(struct tpm_chip *chip, u8 * buf, size_t count)
int i;
int ret;
u32 size = 0;
+ u32 header_size = 4;
number_of_wtx = 0;
recv_begin:
+ if (count < header_size) {
+ dev_err(&chip->dev,
+ "Buffer too small (count=%zd, header_size=%u), "
+ "operation aborted\n",
+ count, header_size);
+ return -EIO;
+ }
+
/* start receiving header */
- for (i = 0; i < 4; i++) {
+ for (i = 0; i < header_size; i++) {
ret = wait(chip, STAT_RDA);
if (ret)
return -EIO;
@@ -268,6 +277,14 @@ static int tpm_inf_recv(struct tpm_chip *chip, u8 * buf, size_t count)
/* size of the data received */
size = ((buf[2] << 8) | buf[3]);
+ if (size > count) {
+ dev_err(&chip->dev,
+ "Buffer too small for incoming data "
+ "(count=%zd, size=%u), operation aborted\n",
+ count, size);
+ return -EIO;
+ }
+
for (i = 0; i < size; i++) {
wait(chip, STAT_RDA);
buf[i] = tpm_data_in(RDFIFO);
--
2.43.0
Powered by blists - more mailing lists