
From: Jeremy Boone jeremy.boone@nccgroup.trust
Ensure that the Atmel TPM driver performs sufficient validation of the length returned in the TPM response header. This patch prevents memory corruption if the header contains a length value that is larger than the destination buffer.
Signed-off-by: Jeremy Boone jeremy.boone@nccgroup.trust
---
drivers/tpm/tpm_atmel_twi.c | 14 ++++++++++++--
1 file changed, 12 insertions(+), 2 deletions(-)
diff --git a/drivers/tpm/tpm_atmel_twi.c b/drivers/tpm/tpm_atmel_twi.c
index eba654b..4fd772d 100644
--- a/drivers/tpm/tpm_atmel_twi.c
+++ b/drivers/tpm/tpm_atmel_twi.c
@@ -106,13 +106,23 @@ static int tpm_atmel_twi_xfer(struct udevice *dev,
 udelay(100);
 }
 if (!res) {
- *recv_len = get_unaligned_be32(recvbuf + 2);
- if (*recv_len > 10)
+ unsigned int hdr_recv_len;
+ hdr_recv_len = get_unaligned_be32(recvbuf + 2);
+ if (hdr_recv_len < 10) {
+ puts("tpm response header too small\n");
+ return -1;
+ } else if (hdr_recv_len > *recv_len) {
+ puts("tpm response length is bigger than receive buffer\n");
+ return -1;
+ } else {
+ *recv_len = hdr_recv_len;
 #ifndef CONFIG_DM_I2C
 res = i2c_read(0x29, 0, 0, recvbuf, *recv_len);
 #else
 res = dm_i2c_read(dev, 0, recvbuf, *recv_len);
 #endif
+
+ }
 }
 if (res) {
 printf("i2c_read returned %d (rlen=%d)\n", res, *recv_len);
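Review bot: The two new checks bound only the second, full-length read; `get_unaligned_be32(recvbuf + 2)` parses header bytes that a read above this hunk has already written into `recvbuf`, so a caller whose `*recv_len` is smaller than the 10-byte header would presumably be overrun before either check runs. If that earlier read is a fixed 10 bytes, a guard at function entry such as `if (*recv_len < 10) return -1;` would close the gap. The full-length read also overwrites the header in `recvbuf`, so the length field left in the buffer is not the value validated here. A comment such as `/* header in recvbuf is re-read and not revalidated; callers must use *recv_len */` would keep callers from trusting it. tpm_atmel_twi_xfer starts and ends outside the hunk.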