[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20251007090736.17942-1-shahriyar@posteo.de>
Date: Tue, 07 Oct 2025 09:07:39 +0000
From: Shahriyar Jalayeri <shahriyar@...teo.de>
To: jarkko@...nel.org
Cc: shahriyar@...teo.de,
peterhuewe@....de,
jgg@...pe.ca,
linux-integrity@...r.kernel.org,
linux-kernel@...r.kernel.org
Subject: [PATCH] tpm: infineon: add bounds check in tpm_inf_recv
Add two buffer size validations to prevent buffer overflows in
tpm_inf_recv():
1. Validate that the provided buffer can hold at least the 4-byte header
before attempting to read it.
2. Validate that the buffer is large enough to hold the data size reported
by the TPM before reading the payload.
Without these checks, a malicious or malfunctioning TPM could cause buffer
overflows by reporting data sizes larger than the provided buffer, leading
to memory corruption.
Fixes: ebb81fdb3dd0 ("[PATCH] tpm: Support for Infineon TPM")
Signed-off-by: Shahriyar Jalayeri <shahriyar@...teo.de>
---
drivers/char/tpm/tpm_infineon.c | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/drivers/char/tpm/tpm_infineon.c b/drivers/char/tpm/tpm_infineon.c
index 7638b65b8..8b90a8191 100644
--- a/drivers/char/tpm/tpm_infineon.c
+++ b/drivers/char/tpm/tpm_infineon.c
@@ -250,6 +250,11 @@ static int tpm_inf_recv(struct tpm_chip *chip, u8 * buf, size_t count)
number_of_wtx = 0;
recv_begin:
+ /* expect at least 1-byte VL header, 1-byte ctrl-tag, 2-byte data size */
+ if (count < 4) {
+ return -EIO;
+ }
+
/* start receiving header */
for (i = 0; i < 4; i++) {
ret = wait(chip, STAT_RDA);
@@ -268,6 +273,10 @@ static int tpm_inf_recv(struct tpm_chip *chip, u8 * buf, size_t count)
/* size of the data received */
size = ((buf[2] << 8) | buf[3]);
+ if (size + 6 > count) {
+ return -EIO;
+ }
+
for (i = 0; i < size; i++) {
wait(chip, STAT_RDA);
buf[i] = tpm_data_in(RDFIFO);
--
2.43.0
Powered by blists - more mailing lists