tjh.dev / kernel
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
fork atom

tpm_tis: Check return values from get_burstcount.

If the TPM we're connecting to uses a static burst count, it will report
a burst count of zero throughout the response read. However, get_burstcount
assumes that a response of zero indicates that the TPM is not ready to
receive more data. In this case, it returns a negative error code, which
is passed on to tpm_tis_{write,read}_bytes as a u16, causing
them to read/write far too many bytes.

This patch checks for negative return codes and bails out from recv_data
and tpm_tis_send_data.

Cc: stable@vger.kernel.org
Fixes: 1107d065fdf1 (tpm_tis: Introduce intermediate layer for TPM access)
Signed-off-by: Josh Zimmerman <joshz@google.com>
Reviewed-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>

authored by

Josh Zimmerman and committed by
Jarkko Sakkinen 26a137e3 ca6d4580

+13 -2
+13 -2
drivers/char/tpm/tpm_tis_core.c
··· 187 187 &priv->read_queue, true); 188 188 if (rc < 0) 189 189 return rc; 190 - burstcnt = min_t(int, get_burstcount(chip), count - size); 190 + burstcnt = get_burstcount(chip); 191 + if (burstcnt < 0) { 192 + dev_err(&chip->dev, "Unable to read burstcount\n"); 193 + return burstcnt; 194 + } 195 + burstcnt = min_t(int, burstcnt, count - size); 191 196 192 197 rc = tpm_tis_read_bytes(priv, TPM_DATA_FIFO(priv->locality), 193 198 burstcnt, buf + size); ··· 281 276 } 282 277 283 278 while (count < len - 1) { 284 - burstcnt = min_t(int, get_burstcount(chip), len - count - 1); 279 + burstcnt = get_burstcount(chip); 280 + if (burstcnt < 0) { 281 + dev_err(&chip->dev, "Unable to read burstcount\n"); 282 + rc = burstcnt; 283 + goto out_err; 284 + } 285 + burstcnt = min_t(int, burstcnt, len - count - 1); 285 286 rc = tpm_tis_write_bytes(priv, TPM_DATA_FIFO(priv->locality), 286 287 burstcnt, buf + count); 287 288 if (rc < 0)