tjh.dev / kernel
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
fork atom

tpm: use tpm_buf functions in tpm2_pcr_read()

tpm2_pcr_read() now builds the PCR read command buffer with tpm_buf
functions. This solution is preferred to using a tpm2_cmd structure,
as tpm_buf functions provide protection against buffer overflow.

Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>
Reviewed-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Tested-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Signed-off-by: James Morris <james.l.morris@oracle.com>

authored by

Roberto Sassu and committed by
James Morris 91f7f3d7 bc397085

+30 -30
+30 -30
drivers/char/tpm/tpm2-cmd.c
··· 42 42 u8 pcr_select[TPM2_PCR_SELECT_MIN]; 43 43 } __packed; 44 44 45 - struct tpm2_pcr_read_out { 46 - __be32 update_cnt; 47 - __be32 pcr_selects_cnt; 48 - __be16 hash_alg; 49 - u8 pcr_select_size; 50 - u8 pcr_select[TPM2_PCR_SELECT_MIN]; 51 - __be32 digests_cnt; 52 - __be16 digest_size; 53 - u8 digest[TPM_DIGEST_SIZE]; 54 - } __packed; 55 - 56 45 struct tpm2_get_tpm_pt_in { 57 46 __be32 cap_id; 58 47 __be32 property_id; ··· 69 80 struct tpm2_startup_in startup_in; 70 81 struct tpm2_self_test_in selftest_in; 71 82 struct tpm2_pcr_read_in pcrread_in; 72 - struct tpm2_pcr_read_out pcrread_out; 73 83 struct tpm2_get_tpm_pt_in get_tpm_pt_in; 74 84 struct tpm2_get_tpm_pt_out get_tpm_pt_out; 75 85 struct tpm2_get_random_in getrandom_in; ··· 219 231 (sizeof(struct tpm_input_header) + \ 220 232 sizeof(struct tpm2_pcr_read_in)) 221 233 222 - #define TPM2_PCR_READ_RESP_BODY_SIZE \ 223 - sizeof(struct tpm2_pcr_read_out) 224 - 225 234 static const struct tpm_input_header tpm2_pcrread_header = { 226 235 .tag = cpu_to_be16(TPM2_ST_NO_SESSIONS), 227 236 .length = cpu_to_be32(TPM2_PCR_READ_IN_SIZE), 228 237 .ordinal = cpu_to_be32(TPM2_CC_PCR_READ) 229 238 }; 239 + 240 + struct tpm2_pcr_read_out { 241 + __be32 update_cnt; 242 + __be32 pcr_selects_cnt; 243 + __be16 hash_alg; 244 + u8 pcr_select_size; 245 + u8 pcr_select[TPM2_PCR_SELECT_MIN]; 246 + __be32 digests_cnt; 247 + __be16 digest_size; 248 + u8 digest[]; 249 + } __packed; 230 250 231 251 /** 232 252 * tpm2_pcr_read() - read a PCR value ··· 247 251 int tpm2_pcr_read(struct tpm_chip *chip, int pcr_idx, u8 *res_buf) 248 252 { 249 253 int rc; 250 - struct tpm2_cmd cmd; 251 - u8 *buf; 254 + struct tpm_buf buf; 255 + struct tpm2_pcr_read_out *out; 256 + u8 pcr_select[TPM2_PCR_SELECT_MIN] = {0}; 252 257 253 258 if (pcr_idx >= TPM2_PLATFORM_PCR) 254 259 return -EINVAL; 255 260 256 - cmd.header.in = tpm2_pcrread_header; 257 - cmd.params.pcrread_in.pcr_selects_cnt = cpu_to_be32(1); 258 - cmd.params.pcrread_in.hash_alg = cpu_to_be16(TPM2_ALG_SHA1); 259 - cmd.params.pcrread_in.pcr_select_size = TPM2_PCR_SELECT_MIN; 261 + rc = tpm_buf_init(&buf, TPM2_ST_NO_SESSIONS, TPM2_CC_PCR_READ); 262 + if (rc) 263 + return rc; 260 264 261 - memset(cmd.params.pcrread_in.pcr_select, 0, 262 - sizeof(cmd.params.pcrread_in.pcr_select)); 263 - cmd.params.pcrread_in.pcr_select[pcr_idx >> 3] = 1 << (pcr_idx & 0x7); 265 + pcr_select[pcr_idx >> 3] = 1 << (pcr_idx & 0x7); 264 266 265 - rc = tpm_transmit_cmd(chip, NULL, &cmd, sizeof(cmd), 266 - TPM2_PCR_READ_RESP_BODY_SIZE, 267 - 0, "attempting to read a pcr value"); 268 - if (rc == 0) { 269 - buf = cmd.params.pcrread_out.digest; 270 - memcpy(res_buf, buf, TPM_DIGEST_SIZE); 267 + tpm_buf_append_u32(&buf, 1); 268 + tpm_buf_append_u16(&buf, TPM2_ALG_SHA1); 269 + tpm_buf_append_u8(&buf, TPM2_PCR_SELECT_MIN); 270 + tpm_buf_append(&buf, (const unsigned char *)pcr_select, 271 + sizeof(pcr_select)); 272 + 273 + rc = tpm_transmit_cmd(chip, NULL, buf.data, PAGE_SIZE, 0, 0, 274 + res_buf ? "attempting to read a pcr value" : NULL); 275 + if (rc == 0 && res_buf) { 276 + out = (struct tpm2_pcr_read_out *)&buf.data[TPM_HEADER_SIZE]; 277 + memcpy(res_buf, out->digest, SHA1_DIGEST_SIZE); 271 278 } 272 279 280 + tpm_buf_destroy(&buf); 273 281 return rc; 274 282 } 275 283