From 12e0ab327d1a6711ee40ac9ade2e189d1092e962 Mon Sep 17 00:00:00 2001 From: Jeremy Boone Date: Mon, 12 Feb 2018 17:56:35 -0500 Subject: [PATCH] STMicro TPM: Fix potential buffer overruns This patch prevents integer underflow when the length was too small, which could lead to memory corruption. Signed-off-by: Jeremy Boone --- drivers/tpm/tpm_tis_st33zp24_i2c.c | 5 +++-- drivers/tpm/tpm_tis_st33zp24_spi.c | 5 +++-- 2 files changed, 6 insertions(+), 4 deletions(-) diff --git a/drivers/tpm/tpm_tis_st33zp24_i2c.c b/drivers/tpm/tpm_tis_st33zp24_i2c.c index c8d01254d2..245218fc07 100644 --- a/drivers/tpm/tpm_tis_st33zp24_i2c.c +++ b/drivers/tpm/tpm_tis_st33zp24_i2c.c @@ -303,7 +303,8 @@ static int st33zp24_i2c_recv_data(struct udevice *dev, u8 *buf, size_t count) static int st33zp24_i2c_recv(struct udevice *dev, u8 *buf, size_t count) { struct tpm_chip *chip = dev_get_priv(dev); - int size, expected; + int size; + unsigned int expected; if (!chip) return -ENODEV; @@ -320,7 +321,7 @@ static int st33zp24_i2c_recv(struct udevice *dev, u8 *buf, size_t count) } expected = get_unaligned_be32(buf + 2); - if (expected > count) { + if (expected > count || expected < TPM_HEADER_SIZE) { size = -EIO; goto out; } diff --git a/drivers/tpm/tpm_tis_st33zp24_spi.c b/drivers/tpm/tpm_tis_st33zp24_spi.c index dcf55ee03a..c4c5e05286 100644 --- a/drivers/tpm/tpm_tis_st33zp24_spi.c +++ b/drivers/tpm/tpm_tis_st33zp24_spi.c @@ -431,7 +431,8 @@ static int st33zp24_spi_recv_data(struct udevice *dev, u8 *buf, size_t count) static int st33zp24_spi_recv(struct udevice *dev, u8 *buf, size_t count) { struct tpm_chip *chip = dev_get_priv(dev); - int size, expected; + int size; + unsigned int expected; if (!chip) return -ENODEV; @@ -448,7 +449,7 @@ static int st33zp24_spi_recv(struct udevice *dev, u8 *buf, size_t count) } expected = get_unaligned_be32(buf + 2); - if (expected > count) { + if (expected > count || expected < TPM_HEADER_SIZE) { size = -EIO; goto out; } -- 2.39.2