tpm: Defend against TPM sending unexpected short packets

[SeaBIOS] [PATCH 1/2] tpm: Require a response to have minimum size of a valid response header

Posted by Stefan Berger 4 years, 11 months ago

Defend against a broken TPM 1.2 or TPM 2.0 that doesn't send at least
a full response header in the response but less than 10 bytes.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
---
 src/hw/tpm_drivers.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/src/hw/tpm_drivers.c b/src/hw/tpm_drivers.c
index e4770b3..2b5753c 100644
--- a/src/hw/tpm_drivers.c
+++ b/src/hw/tpm_drivers.c
@@ -620,7 +620,8 @@ tpmhw_transmit(u8 locty, struct tpm_req_header *req,
         return -1;
 
     irc = td->readresp(respbuffer, respbufferlen);
-    if (irc != 0)
+    if (irc != 0 ||
+        *respbufferlen < sizeof(struct tpm_rsp_header))
         return -1;
 
     td->ready();
-- 
2.20.1
_______________________________________________
SeaBIOS mailing list -- seabios@seabios.org
To unsubscribe send an email to seabios-leave@seabios.org

[SeaBIOS] Re: [PATCH 1/2] tpm: Require a response to have minimum size of a valid response header

Posted by Marc-André Lureau 4 years, 11 months ago

On Thu, Nov 7, 2019 at 1:51 AM Stefan Berger <stefanb@linux.vnet.ibm.com> wrote:
>
> Defend against a broken TPM 1.2 or TPM 2.0 that doesn't send at least
> a full response header in the response but less than 10 bytes.
>
> Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>

Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>

> ---
>  src/hw/tpm_drivers.c | 3 ++-
>  1 file changed, 2 insertions(+), 1 deletion(-)
>
> diff --git a/src/hw/tpm_drivers.c b/src/hw/tpm_drivers.c
> index e4770b3..2b5753c 100644
> --- a/src/hw/tpm_drivers.c
> +++ b/src/hw/tpm_drivers.c
> @@ -620,7 +620,8 @@ tpmhw_transmit(u8 locty, struct tpm_req_header *req,
>          return -1;
>
>      irc = td->readresp(respbuffer, respbufferlen);
> -    if (irc != 0)
> +    if (irc != 0 ||
> +        *respbufferlen < sizeof(struct tpm_rsp_header))
>          return -1;
>
>      td->ready();
> --
> 2.20.1
> _______________________________________________
> SeaBIOS mailing list -- seabios@seabios.org
> To unsubscribe send an email to seabios-leave@seabios.org



-- 
Marc-André Lureau
_______________________________________________
SeaBIOS mailing list -- seabios@seabios.org
To unsubscribe send an email to seabios-leave@seabios.org

[SeaBIOS] Re: [PATCH 1/2] tpm: Require a response to have minimum size of a valid response header

Posted by Philippe Mathieu-Daudé 4 years, 11 months ago

On 11/6/19 10:35 PM, Stefan Berger wrote:
> Defend against a broken TPM 1.2 or TPM 2.0 that doesn't send at least
> a full response header in the response but less than 10 bytes.
> 
> Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
> ---
>   src/hw/tpm_drivers.c | 3 ++-
>   1 file changed, 2 insertions(+), 1 deletion(-)
> 
> diff --git a/src/hw/tpm_drivers.c b/src/hw/tpm_drivers.c
> index e4770b3..2b5753c 100644
> --- a/src/hw/tpm_drivers.c
> +++ b/src/hw/tpm_drivers.c
> @@ -620,7 +620,8 @@ tpmhw_transmit(u8 locty, struct tpm_req_header *req,
>           return -1;
>   
>       irc = td->readresp(respbuffer, respbufferlen);
> -    if (irc != 0)
> +    if (irc != 0 ||
> +        *respbufferlen < sizeof(struct tpm_rsp_header))
>           return -1;
>   
>       td->ready();
> 

Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
_______________________________________________
SeaBIOS mailing list -- seabios@seabios.org
To unsubscribe send an email to seabios-leave@seabios.org

[SeaBIOS] [PATCH 1/2] tpm: Require a response to have minimum size of a valid response header
[SeaBIOS] [PATCH 2/2] tcgbios: Check for enough bytes returned from TPM2_GetCapability