On Thu, Nov 7, 2019 at 3:14 AM Stefan Berger stefanb@linux.vnet.ibm.com wrote:
When querying a TPM 2.0 for its PCRs, make sure that we get enough bytes from it in a response that did not indicate a failure. Basically we are defending against a TPM 2.0 sending responses that are not compliant to the specs.
Signed-off-by: Stefan Berger stefanb@linux.ibm.com
Reviewed-by: Marc-André Lureau marcandre.lureau@redhat.com
src/tcgbios.c | 13 +++++++++++-- 1 file changed, 11 insertions(+), 2 deletions(-)
diff --git a/src/tcgbios.c b/src/tcgbios.c index 2e503f9..95c1e94 100644 --- a/src/tcgbios.c +++ b/src/tcgbios.c @@ -481,8 +481,17 @@ tpm20_get_pcrbanks(void) if (ret) return ret;
- u32 size = be32_to_cpu(trg->hdr.totlen) -
offsetof(struct tpm2_res_getcapability, data);
- /* defend against (broken) TPM sending packets that are too short */
- u32 resplen = be32_to_cpu(trg->hdr.totlen);
- if (resplen <= offsetof(struct tpm2_res_getcapability, data))
return -1;
- u32 size = resplen - offsetof(struct tpm2_res_getcapability, data);
- /* we need a valid tpml_pcr_selection up to and including sizeOfSelect */
- if (size < offsetof(struct tpml_pcr_selection, selections) +
offsetof(struct tpms_pcr_selection, pcrSelect))
return -1;
- tpm20_pcr_selection = malloc_high(size); if (tpm20_pcr_selection) { memcpy(tpm20_pcr_selection, &trg->data, size);
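Review bot: The new checks in tpm20_get_pcrbanks() put only a lower bound on resplen, so the size handed to malloc_high() and to memcpy(tpm20_pcr_selection, &trg->data, size) is still derived entirely from the TPM-supplied hdr.totlen. Since the stated goal is to defend against a non-compliant TPM, consider also rejecting a totlen larger than the number of bytes actually received into the response buffer, unless the transmit path above this hunk already guarantees that. The second check covers only the fixed fields up to sizeOfSelect of the first selection, so any code that later walks tpm20_pcr_selection still has to validate count and each sizeOfSelect against size before reading pcrSelect. A short debug message on the two new return -1 paths would make a broken TPM easier to tell apart from other failures.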
-- 2.20.1