[U-Boot] [PATCH 3/3] Atmel TPM: Fix potential buffer overruns
Jeremy Boone
jeremy.boone at gmail.com
Mon Feb 12 22:56:37 UTC 2018
From: Jeremy Boone <jeremy.boone at nccgroup.trust>
Ensure that the Atmel TPM driver performs sufficient
validation of the length returned in the TPM response header.
This patch prevents memory corruption if the header contains a
length value that is larger than the destination buffer.
Signed-off-by: Jeremy Boone <jeremy.boone at nccgroup.trust>
---
drivers/tpm/tpm_atmel_twi.c | 14 ++++++++++++--
1 file changed, 12 insertions(+), 2 deletions(-)
diff --git a/drivers/tpm/tpm_atmel_twi.c b/drivers/tpm/tpm_atmel_twi.c
index eba654b..4fd772d 100644
--- a/drivers/tpm/tpm_atmel_twi.c
+++ b/drivers/tpm/tpm_atmel_twi.c
@@ -106,13 +106,23 @@ static int tpm_atmel_twi_xfer(struct udevice *dev,
udelay(100);
}
if (!res) {
- *recv_len = get_unaligned_be32(recvbuf + 2);
- if (*recv_len > 10)
+ unsigned int hdr_recv_len;
+ hdr_recv_len = get_unaligned_be32(recvbuf + 2);
+ if (hdr_recv_len < 10) {
+ puts("tpm response header too small\n");
+ return -1;
+ } else if (hdr_recv_len > *recv_len) {
+ puts("tpm response length is bigger than receive buffer\n");
+ return -1;
+ } else {
+ *recv_len = hdr_recv_len;
#ifndef CONFIG_DM_I2C
res = i2c_read(0x29, 0, 0, recvbuf, *recv_len);
#else
res = dm_i2c_read(dev, 0, recvbuf, *recv_len);
#endif
+
+ }
}
if (res) {
printf("i2c_read returned %d (rlen=%d)\n", res, *recv_len);
--
2.7.4
More information about the U-Boot
mailing list