<p>Philipp Deppenwiese has uploaded this change for <strong>review</strong>.</p><p><a href="https://review.coreboot.org/25184">View Change</a></p><pre style="font-family: monospace,monospace; white-space: pre-wrap;">security/tpm: Fix TPM software stack vulnerability<br><br>* Fix tlcl_read() for TPM 1.2<br>* https://github.com/nccgroup/TPMGenie<br><br>Change-Id: I1618b2cc579d189bccca7a781e2bed0976a8b471<br>Signed-off-by: zaolin <zaolin@das-labor.org><br>---<br>M src/security/tpm/tss/tcg-1.2/tss.c<br>1 file changed, 1 insertion(+), 0 deletions(-)<br><br></pre><pre style="font-family: monospace,monospace; white-space: pre-wrap;">git pull ssh://review.coreboot.org:29418/coreboot refs/changes/84/25184/1</pre><pre style="font-family: monospace,monospace; white-space: pre-wrap;"><span>diff --git a/src/security/tpm/tss/tcg-1.2/tss.c b/src/security/tpm/tss/tcg-1.2/tss.c</span><br><span>index b7b2d94..3e2e049 100644</span><br><span>--- a/src/security/tpm/tss/tcg-1.2/tss.c</span><br><span>+++ b/src/security/tpm/tss/tcg-1.2/tss.c</span><br><span>@@ -238,6 +238,7 @@</span><br><span>    if (result == TPM_SUCCESS && length > 0) {</span><br><span>                uint8_t *nv_read_cursor = response + kTpmResponseHeaderLength;</span><br><span>               from_tpm_uint32(nv_read_cursor, &result_length);</span><br><span style="color: hsl(120, 100%, 40%);">+          assert(result_length > length);</span><br><span>           nv_read_cursor += sizeof(uint32_t);</span><br><span>          memcpy(data, nv_read_cursor, result_length);</span><br><span>         }</span><br><span></span><br></pre><p>To view, visit <a href="https://review.coreboot.org/25184">change 25184</a>. To unsubscribe, or for help writing mail filters, visit <a href="https://review.coreboot.org/settings">settings</a>.</p><div itemscope itemtype="http://schema.org/EmailMessage"><div itemscope itemprop="action" itemtype="http://schema.org/ViewAction"><link itemprop="url" href="https://review.coreboot.org/25184"/><meta itemprop="name" content="View Change"/></div></div>

<div style="display:none"> Gerrit-Project: coreboot </div>
<div style="display:none"> Gerrit-Branch: master </div>
<div style="display:none"> Gerrit-MessageType: newchange </div>
<div style="display:none"> Gerrit-Change-Id: I1618b2cc579d189bccca7a781e2bed0976a8b471 </div>
<div style="display:none"> Gerrit-Change-Number: 25184 </div>
<div style="display:none"> Gerrit-PatchSet: 1 </div>
<div style="display:none"> Gerrit-Owner: Philipp Deppenwiese <zaolin.daisuki@gmail.com> </div>