1. Patchew
  2. linux
  3. View series

[PATCH] tpm: infineon: add bounds check in tpm_inf_recv

Shahriyar Jalayeri posted 1 patch 2 months, 2 weeks ago
There is a newer version of this series
drivers/char/tpm/tpm_infineon.c | 19 ++++++++++++++++++-
1 file changed, 18 insertions(+), 1 deletion(-)
[PATCH] tpm: infineon: add bounds check in tpm_inf_recv
Posted by Shahriyar Jalayeri 2 months, 2 weeks ago 
Add two buffer size validations to prevent buffer
overflows in tpm_inf_recv():

1. Validate that the provided buffer can hold at
   least the 4-byte header before attempting to
   read it.
2. Validate that the buffer is large enough to
   hold the data size reported by the TPM before
   reading the payload.

Without these checks, a malicious or malfunctioning
TPM could cause buffer overflows by reporting data
sizes larger than the provided buffer, leading to
memory corruption.

The error messages include both the expected and
actual buffer sizes to indicate that the operation
is aborted.

Signed-off-by: Shahriyar Jalayeri <shahriyar@posteo.de>
---
 drivers/char/tpm/tpm_infineon.c | 19 ++++++++++++++++++-
 1 file changed, 18 insertions(+), 1 deletion(-)

diff --git a/drivers/char/tpm/tpm_infineon.c b/drivers/char/tpm/tpm_infineon.c
index 7638b65b8..385bac46a 100644
--- a/drivers/char/tpm/tpm_infineon.c
+++ b/drivers/char/tpm/tpm_infineon.c
@@ -247,11 +247,20 @@ static int tpm_inf_recv(struct tpm_chip *chip, u8 * buf, size_t count)
 	int i;
 	int ret;
 	u32 size = 0;
+	u32 header_size = 4;
 	number_of_wtx = 0;
 
 recv_begin:
+	if (count < header_size) {
+		dev_err(&chip->dev,
+			"Buffer too small (count=%zd, header_size=%u), "
+			"operation aborted\n",
+			count, header_size);
+		return -EIO;
+	}
+
 	/* start receiving header */
-	for (i = 0; i < 4; i++) {
+	for (i = 0; i < header_size; i++) {
 		ret = wait(chip, STAT_RDA);
 		if (ret)
 			return -EIO;
@@ -268,6 +277,14 @@ static int tpm_inf_recv(struct tpm_chip *chip, u8 * buf, size_t count)
 		/* size of the data received */
 		size = ((buf[2] << 8) | buf[3]);
 
+		if (size > count) {
+			dev_err(&chip->dev,
+				"Buffer too small for incoming data "
+				"(count=%zd, size=%u), operation aborted\n",
+				count, size);
+			return -EIO;
+		}
+
 		for (i = 0; i < size; i++) {
 			wait(chip, STAT_RDA);
 			buf[i] = tpm_data_in(RDFIFO);
-- 
2.43.0
Re: [PATCH] tpm: infineon: add bounds check in tpm_inf_recv
Posted by Jarkko Sakkinen 2 months, 2 weeks ago 
On Sat, Oct 04, 2025 at 09:04:17AM +0000, Shahriyar Jalayeri wrote:
> Add two buffer size validations to prevent buffer
> overflows in tpm_inf_recv():
> 
> 1. Validate that the provided buffer can hold at
>    least the 4-byte header before attempting to
>    read it.

What is this 4 byte header? Please describe what it is.

> 2. Validate that the buffer is large enough to
>    hold the data size reported by the TPM before
>    reading the payload.
> 
> Without these checks, a malicious or malfunctioning
> TPM could cause buffer overflows by reporting data
> sizes larger than the provided buffer, leading to
> memory corruption.
> 
> The error messages include both the expected and
> actual buffer sizes to indicate that the operation
> is aborted.

Paragraphs should be 75 chars per line.

> 
> Signed-off-by: Shahriyar Jalayeri <shahriyar@posteo.de>
> ---

Please version your patches e.g., "git format-patch -v2"

And before diff stat it would be good to have a changelog.


>  drivers/char/tpm/tpm_infineon.c | 19 ++++++++++++++++++-
>  1 file changed, 18 insertions(+), 1 deletion(-)
> 
> diff --git a/drivers/char/tpm/tpm_infineon.c b/drivers/char/tpm/tpm_infineon.c
> index 7638b65b8..385bac46a 100644
> --- a/drivers/char/tpm/tpm_infineon.c
> +++ b/drivers/char/tpm/tpm_infineon.c
> @@ -247,11 +247,20 @@ static int tpm_inf_recv(struct tpm_chip *chip, u8 * buf, size_t count)
>  	int i;
>  	int ret;
>  	u32 size = 0;
> +	u32 header_size = 4;

Please don't use local variable for a constant.


>  	number_of_wtx = 0;
>  
>  recv_begin:
> +	if (count < header_size) {
> +		dev_err(&chip->dev,
> +			"Buffer too small (count=%zd, header_size=%u), "
> +			"operation aborted\n",
> +			count, header_size);
> +		return -EIO;
> +	}
> +
>  	/* start receiving header */
> -	for (i = 0; i < 4; i++) {
> +	for (i = 0; i < header_size; i++) {
>  		ret = wait(chip, STAT_RDA);
>  		if (ret)
>  			return -EIO;
> @@ -268,6 +277,14 @@ static int tpm_inf_recv(struct tpm_chip *chip, u8 * buf, size_t count)
>  		/* size of the data received */
>  		size = ((buf[2] << 8) | buf[3]);
>  
> +		if (size > count) {
> +			dev_err(&chip->dev,
> +				"Buffer too small for incoming data "
> +				"(count=%zd, size=%u), operation aborted\n",
> +				count, size);
> +			return -EIO;
> +		}
> +
>  		for (i = 0; i < size; i++) {
>  			wait(chip, STAT_RDA);
>  			buf[i] = tpm_data_in(RDFIFO);
> -- 
> 2.43.0
> 

Other than that, same comments apply as for the previous version.

BR, Jarkko

Patchew 2.1-devel-b67e4c2

© 2016 - 2025 Red Hat, Inc.