tcgbios: Check for enough bytes returned from TPM2_GetCapability
When querying a TPM 2.0 for its PCRs, make sure that we get enough bytes from it in a response that did not indicate a failure. Basically we are defending against a TPM 2.0 sending responses that are not compliant to the specs. Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com> Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com> Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
This commit is contained in:
parent
0672bd3b6a
commit
0594486b63
|
@ -481,8 +481,17 @@ tpm20_get_pcrbanks(void)
|
|||
if (ret)
|
||||
return ret;
|
||||
|
||||
u32 size = be32_to_cpu(trg->hdr.totlen) -
|
||||
offsetof(struct tpm2_res_getcapability, data);
|
||||
/* defend against (broken) TPM sending packets that are too short */
|
||||
u32 resplen = be32_to_cpu(trg->hdr.totlen);
|
||||
if (resplen <= offsetof(struct tpm2_res_getcapability, data))
|
||||
return -1;
|
||||
|
||||
u32 size = resplen - offsetof(struct tpm2_res_getcapability, data);
|
||||
/* we need a valid tpml_pcr_selection up to and including sizeOfSelect */
|
||||
if (size < offsetof(struct tpml_pcr_selection, selections) +
|
||||
offsetof(struct tpms_pcr_selection, pcrSelect))
|
||||
return -1;
|
||||
|
||||
tpm20_pcr_selection = malloc_high(size);
|
||||
if (tpm20_pcr_selection) {
|
||||
memcpy(tpm20_pcr_selection, &trg->data, size);
|
||||
|
|
Loading…
Reference in New Issue