author | Peter Huewe <huewe.external.infineon@googlemail.com> | 2011-09-15 19:37:43 +0200 |
---|---|---|
committer | James Morris <jmorris@namei.org> | 2011-09-23 01:46:29 +0200 |
commit | 6b07d30aca7e52f2881b8c8c20c8a2cd28e8b3d3 (patch) | |
tree | 58530bdef4c29cb4bf127942428190e9a2756b2c /drivers/char | |
parent | TPM: tpm_nsc: Fix a double free of pdev in cleanup_nsc (diff) | |
TPM: Call tpm_transmit with correct size
This patch changes the call of tpm_transmit by supplying the size of the
userspace buffer instead of TPM_BUFSIZE.
This got assigned CVE-2011-1161.
[The first hunk didn't make sense given one could expect
way less data than TPM_BUFSIZE, so added tpm_transmit boundary
check over bufsiz instead.
The last parameter of tpm_transmit() reflects the amount
of data expected from the device, and not the buffer size
being supplied to it. It isn't ideal to parse it directly,
so we just set it to the maximum the input buffer can handle
and let the userspace API do such a job.]
Signed-off-by: Rajiv Andrade <srajiv@linux.vnet.ibm.com>
Cc: Stable Kernel <stable@kernel.org>
Signed-off-by: James Morris <jmorris@namei.org>
Diffstat (limited to 'drivers/char')
-rw-r--r-- | drivers/char/tpm/tpm.c | 3 |
1 files changed, 3 insertions, 0 deletions
diff --git a/drivers/char/tpm/tpm.c b/drivers/char/tpm/tpm.c index caf8012ef47c..1fe979335835 100644 --- a/drivers/char/tpm/tpm.c +++ b/drivers/char/tpm/tpm.c @@ -383,6 +383,9 @@ static ssize_t tpm_transmit(struct tpm_chip *chip, const char *buf, u32 count, ordinal; unsigned long stop; + if (bufsiz > TPM_BUFSIZE) + bufsiz = TPM_BUFSIZE; + count = be32_to_cpu(*((__be32 *) (buf + 2))); ordinal = be32_to_cpu(*((__be32 *) (buf + 6))); if (count == 0) |
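Review bot: The new clamp at the top of tpm_transmit() bounds bufsiz only from above, while the unchanged context lines right after it read the header fields at buf + 2 and buf + 6 with no visible check that bufsiz covers those 10 bytes; if no caller guarantees that, add a lower-bound check before the be32_to_cpu() reads. The clamp is also silent and uncommented: a one-line comment saying that bufsiz is capped at TPM_BUFSIZE, and what the parameter means as the bracketed note in the commit message explains it, would save the next reader from guessing. The commit subject and first paragraph still describe changing the call to tpm_transmit, which this diff does not touch, so the description should be updated to match the three added lines.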