author | Stefan Berger <stefanb@linux.vnet.ibm.com> | 2019-11-06 16:36:00 -0500 |
---|---|---|
committer | Kevin O'Connor <kevin@koconnor.net> | 2019-11-13 10:25:36 -0500 |
commit | 0594486b639849b47d762c76f28730edbf648dc7 (patch) | |
tree | f9070c75f5ed47ba8b9241ef58035c4a140fec15 | |
parent | 0672bd3b6affd414ac8721686a0ed1bef8fd73b3 (diff) | |
tcgbios: Check for enough bytes returned from TPM2_GetCapability
When querying a TPM 2.0 for its PCRs, make sure that we get enough bytes
from it in a response that did not indicate a failure. Basically we are
defending against a TPM 2.0 sending responses that are not compliant with
the specs.
Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
-rw-r--r-- | src/tcgbios.c | 13 |
1 files changed, 11 insertions, 2 deletions
diff --git a/src/tcgbios.c b/src/tcgbios.c
index 2e503f93..95c1e943 100644
--- a/src/tcgbios.c
+++ b/src/tcgbios.c
@@ -481,8 +481,17 @@ tpm20_get_pcrbanks(void)
 if (ret)
 return ret;

- u32 size = be32_to_cpu(trg->hdr.totlen) -
- offsetof(struct tpm2_res_getcapability, data);
+ /* defend against (broken) TPM sending packets that are too short */
+ u32 resplen = be32_to_cpu(trg->hdr.totlen);
+ if (resplen <= offsetof(struct tpm2_res_getcapability, data))
+ return -1;
+
+ u32 size = resplen - offsetof(struct tpm2_res_getcapability, data);
+ /* we need a valid tpml_pcr_selection up to and including sizeOfSelect */
+ if (size < offsetof(struct tpml_pcr_selection, selections) +
+ offsetof(struct tpms_pcr_selection, pcrSelect))
+ return -1;
+
 tpm20_pcr_selection = malloc_high(size);
 if (tpm20_pcr_selection) {
 memcpy(tpm20_pcr_selection, &trg->data, size);
|
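Review bot: `size` is now bounded from below, but nothing in the visible lines bounds it from above before `memcpy(tpm20_pcr_selection, &trg->data, size)`. `resplen` is taken directly from the TPM-supplied `hdr.totlen`, so a non-compliant device that reports more bytes than it actually returned could make the copy read past the response buffer that `trg` points into. That buffer and the call that sets `ret` are above the hunk, and the function continues below it, so the upper bound may already be enforced there. If it is, a short comment beside the new checks would make that explicit, e.g. `/* totlen <= response buffer size is checked by the call above */`. If it is not, add `if (resplen > RESP_BUF_SIZE) return -1;` next to the first check, where `RESP_BUF_SIZE` is a placeholder for the real buffer size, which this page does not show.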