author | Stefan Berger <stefanb@linux.vnet.ibm.com> | 2016-02-02 13:09:19 -0500 |
---|---|---|
committer | Kevin O'Connor <kevin@koconnor.net> | 2016-02-05 20:49:15 -0500 |
commit | 7092de319399d0e2c60b1c5e681e7e923cbcd814 (patch) | |
tree | fa6407733c99ce430d27d793e47d2a8f80e47ee3 /src/tcgbios.c | |
parent | e444dce9361f079c77c1e25e61d3f5864de41e93 (diff) | |
tpm: Filter TPM commands in passthrough API
Filter TPM commands in the passthrough API call by matching the
type of tag in the header with the version of the underlying TPM.
Return an error code if the tag indicates that the command is
for the wrong TPM version.
Fix a size check on the way.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Diffstat (limited to 'src/tcgbios.c')
-rw-r--r-- | src/tcgbios.c | 19 |
1 files changed, 18 insertions, 1 deletions
diff --git a/src/tcgbios.c b/src/tcgbios.c
index da457a42..d6010c19 100644
--- a/src/tcgbios.c
+++ b/src/tcgbios.c
@@ -1065,13 +1065,30 @@ pass_through_to_tpm_int(struct pttti *pttti, struct pttto *pttto)
 u32 rc = 0;
 struct tpm_req_header *trh = (void*)pttti->tpmopin;

- if (pttti->ipblength < sizeof(struct pttti) + sizeof(trh)
+ if (pttti->ipblength < sizeof(struct pttti) + sizeof(*trh)
 || pttti->ipblength != sizeof(struct pttti) + be32_to_cpu(trh->totlen)
 || pttti->opblength < sizeof(struct pttto)) {
 rc = TCG_INVALID_INPUT_PARA;
 goto err_exit;
 }

+ u16 tag = be16_to_cpu(trh->tag);
+
+ switch (TPM_version) {
+ case TPM_VERSION_1_2:
+ if (tag != TPM_TAG_RQU_CMD && tag != TPM_TAG_RQU_AUTH1_CMD
+ && tag != TPM_TAG_RQU_AUTH2_CMD) {
+ rc = TCG_INVALID_INPUT_PARA;
+ goto err_exit;
+ }
+ break;
+ case TPM_VERSION_2:
+ if (tag != TPM2_ST_NO_SESSIONS && tag != TPM2_ST_SESSIONS) {
+ rc = TCG_INVALID_INPUT_PARA;
+ goto err_exit;
+ }
+ }
+
 u32 resbuflen = pttti->opblength - offsetof(struct pttto, tpmopout);
 int ret = tpmhw_transmit(0, trh, pttto->tpmopout, &resbuflen,
 TPM_DURATION_TYPE_LONG /* worst case */);
 |
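Review bot: The new `switch (TPM_version)` has no `default` arm, so for any value other than `TPM_VERSION_1_2` or `TPM_VERSION_2` the tag filter is skipped and the caller-supplied buffer still reaches `tpmhw_transmit()` unfiltered. Whether `TPM_version` can hold another value at this point is not visible in the hunk, but a filter on caller-controlled command headers is safer failing closed: add `default: rc = TCG_INVALID_INPUT_PARA; goto err_exit;`. The `TPM_VERSION_2` case also ends without a `break;`, which is harmless today but becomes a fall-through as soon as another case is appended. A short comment above the switch, such as `/* reject commands whose tag does not belong to the detected TPM family */`, would record why the tag is inspected here. The body of `pass_through_to_tpm_int` starts and continues outside this hunk.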