
tpm: Cap the number of PCR banks

tpm2_get_pcr_allocation() does not enforce any upper limit on the number
of banks. Cap the limit to eight banks so that out of bounds values coming
from external I/O cause only limited harm.

Cc: stable@vger.kernel.org # v5.10+
Fixes: bcfff8384f6c ("tpm: dynamically allocate the allocated_banks array")
Tested-by: Lai Yi <yi1.lai@linux.intel.com>
Reviewed-by: Jonathan McDowell <noodles@meta.com>
Reviewed-by: Roberto Sassu <roberto.sassu@huawei.com>
Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@opinsys.com>

authored by

Jarkko Sakkinen and committed by
Jarkko Sakkinen
faf07e61 020a0d8f

+8 -14
-1
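--- a/drivers/char/tpm/tpm-chip.c
+++ b/drivers/char/tpm/tpm-chip.c
@@ -246,7 +246,6 @@
 
 kfree(chip->work_space.context_buf);
 kfree(chip->work_space.session_buf);
-kfree(chip->allocated_banks);
 #ifdef CONFIG_TCG_TPM2_HMAC
 kfree(chip->auth);
 #endif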
-5
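--- a/drivers/char/tpm/tpm1-cmd.c
+++ b/drivers/char/tpm/tpm1-cmd.c
@@ -799,11 +799,6 @@
 */
 int tpm1_get_pcr_allocation(struct tpm_chip *chip)
 {
-chip->allocated_banks = kcalloc(1, sizeof(*chip->allocated_banks),
-GFP_KERNEL);
-if (!chip->allocated_banks)
-return -ENOMEM;
-
 chip->allocated_banks[0].alg_id = TPM_ALG_SHA1;
 chip->allocated_banks[0].digest_size = hash_digest_size[HASH_ALGO_SHA1];
 chip->allocated_banks[0].crypto_id = HASH_ALGO_SHA1;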
+3 -5
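--- a/drivers/char/tpm/tpm2-cmd.c
+++ b/drivers/char/tpm/tpm2-cmd.c
@@ -550,11 +550,9 @@
 
 nr_possible_banks = be32_to_cpup(
 (__be32 *)&buf.data[TPM_HEADER_SIZE + 5]);
-
-chip->allocated_banks = kcalloc(nr_possible_banks,
-sizeof(*chip->allocated_banks),
-GFP_KERNEL);
-if (!chip->allocated_banks) {
+if (nr_possible_banks > TPM2_MAX_PCR_BANKS) {
+pr_err("tpm: out of bank capacity: %u > %u\n",
+nr_possible_banks, TPM2_MAX_PCR_BANKS);
 rc = -ENOMEM;
 goto out;
 }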
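Review bot: The over-limit branch keeps `rc = -ENOMEM` from the removed kcalloc() failure path, so a TPM that reports more than TPM2_MAX_PCR_BANKS banks is surfaced to callers as an allocation failure rather than as a rejected device response. A distinct code such as `rc = -E2BIG;` would let probe-failure triage tell the two apart, and `dev_err(&chip->dev, "out of bank capacity: %u > %u\n", nr_possible_banks, TPM2_MAX_PCR_BANKS);` in place of the `pr_err("tpm: ...")` call would name the device that sent the value. This comparison is now the only visible bound on a count read from the response buffer before it is used against the fixed-size `allocated_banks[]` array, so a short comment stating that it must stay ahead of any indexing would help later editors. The loop that consumes `nr_possible_banks` lies outside the hunk, so whether it also re-checks the response length per entry cannot be confirmed from here.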
+5 -3
include/linux/tpm.h
··· 26 26 #include <crypto/aes.h> 27 27 28 28 #define TPM_DIGEST_SIZE 20 /* Max TPM v1.2 PCR size */ 29 - #define TPM_MAX_DIGEST_SIZE SHA512_DIGEST_SIZE 29 + 30 + #define TPM2_MAX_DIGEST_SIZE SHA512_DIGEST_SIZE 31 + #define TPM2_MAX_PCR_BANKS 8 30 32 31 33 struct tpm_chip; 32 34 struct trusted_key_payload; ··· 70 68 71 69 struct tpm_digest { 72 70 u16 alg_id; 73 - u8 digest[TPM_MAX_DIGEST_SIZE]; 71 + u8 digest[TPM2_MAX_DIGEST_SIZE]; 74 72 } __packed; 75 73 76 74 struct tpm_bank_info { ··· 191 189 unsigned int groups_cnt; 192 190 193 191 u32 nr_allocated_banks; 194 - struct tpm_bank_info *allocated_banks; 192 + struct tpm_bank_info allocated_banks[TPM2_MAX_PCR_BANKS]; 195 193 #ifdef CONFIG_ACPI 196 194 acpi_handle acpi_dev_handle; 197 195 char ppi_version[TPM_PPI_VERSION_LEN + 1];
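Review bot: `TPM2_MAX_PCR_BANKS 8` is introduced without a comment, although it now both sizes `allocated_banks[]` inside struct tpm_chip and serves as the acceptance limit for a device-reported count; I would add `/* Max PCR banks accepted from a TPM 2.0 device; sizes tpm_chip.allocated_banks[] */` above it. With the member changed from a pointer to an embedded array, any caller elsewhere that tests `chip->allocated_banks` for NULL would now always see it non-NULL, and every index derived from `nr_allocated_banks` depends on that field never exceeding the cap; neither is visible in this diff, so both are worth checking tree-wide. The rename of `TPM_MAX_DIGEST_SIZE` to `TPM2_MAX_DIGEST_SIZE` in a public header likewise assumes no users remain outside the four files touched here. struct tpm_chip starts and ends outside the last hunk.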