The second check on pcr_map in sandbox_tpm2_xfer() is wrong. It should check for pcr_map not being empty. Instead, it is a pure copy/paste of the first check which is redundant.
This has been found thanks to a Coverity Scan report:
CID 183370: Memory - illegal accesses (UNINIT) Using uninitialized value "pcr_index". put_unaligned_be32(tpm->pcr_extensions[pcr_index], recv);
This is because pcr_index is initialized only if the user input is correct, ie. at least one valid bit is set in pcr_map.
Fix the second check and also initialize pcr_index to 0 (which is harmless in case of error) to make Coverity Scan happy.
Reported-by: Tom Rini trini@konsulko.com Signed-off-by: Miquel Raynal miquel.raynal@bootlin.com --- drivers/tpm/tpm2_tis_sandbox.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/drivers/tpm/tpm2_tis_sandbox.c b/drivers/tpm/tpm2_tis_sandbox.c index 66f6c9ba82..b15ec732ad 100644 --- a/drivers/tpm/tpm2_tis_sandbox.c +++ b/drivers/tpm/tpm2_tis_sandbox.c @@ -272,7 +272,7 @@ static int sandbox_tpm2_xfer(struct udevice *dev, const u8 *sendbuf, u32 capability, property, property_count;
/* TPM2_PCR_Read/Extend variables */ - int pcr_index; + int pcr_index = 0; u64 pcr_map = 0; u32 selections, pcr_nb; u16 alg; @@ -483,8 +483,8 @@ static int sandbox_tpm2_xfer(struct udevice *dev, const u8 *sendbuf, return sandbox_tpm2_fill_buf(&recv, recv_len, tag, rc); }
- if (pcr_map >> SANDBOX_TPM_PCR_NB) { - printf("Wrong PCR map.\n"); + if (!pcr_map) { + printf("Empty PCR map.\n"); rc = TPM2_RC_VALUE; return sandbox_tpm2_fill_buf(&recv, recv_len, tag, rc); }