security/tpm: Fix TPM software stack vulnerability

* Fix tlcl_read() for TPM 1.2 * https://github.com/nccgroup/TPMGenie Change-Id: I1618b2cc579d189bccca7a781e2bed0976a8b471 Signed-off-by: zaolin <zaolin@das-labor.org> Reviewed-on: https://review.coreboot.org/25184 Reviewed-by: Aaron Durbin <adurbin@chromium.org> Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
author: zaolin <zaolin@das-labor.org> 2018-03-15 00:39:55 +0100
committer: Martin Roth <martinroth@google.com> 2018-03-16 04:13:26 +0000
commit: 1356d6288bc85ae8784daef8d663acef9593d19a (patch)
tree: caa0e0c1ff1976d3d5b8730d111a38b3b699dc86
parent: 4e0b47a5ed4c305ff158e8264a60e78e1775ea56 (diff)
1 files changed, 4 insertions, 1 deletions
diff --git a/src/security/tpm/tss/tcg-1.2/tss.c b/src/security/tpm/tss/tcg-1.2/tss.c
index b7b2d94930..161d29f781 100644
--- a/src/security/tpm/tss/tcg-1.2/tss.c
+++ b/src/security/tpm/tss/tcg-1.2/tss.c
@@ -238,6 +238,8 @@ uint32_t tlcl_read(uint32_t index, void *data, uint32_t length)
 	if (result == TPM_SUCCESS && length > 0) {
 		uint8_t *nv_read_cursor = response + kTpmResponseHeaderLength;
 		from_tpm_uint32(nv_read_cursor, &result_length);
+		if (result_length > length)
+			return TPM_E_IOERROR;
 		nv_read_cursor += sizeof(uint32_t);
 		memcpy(data, nv_read_cursor, result_length);
 	}
@@ -300,7 +302,8 @@ uint32_t tlcl_get_permanent_flags(TPM_PERMANENT_FLAGS *pflags)
 	if (result != TPM_SUCCESS)
 		return result;
 	from_tpm_uint32(response + kTpmResponseHeaderLength, &size);
-	assert(size == sizeof(TPM_PERMANENT_FLAGS));
+	if (size != sizeof(TPM_PERMANENT_FLAGS))
+		return TPM_E_IOERROR;
 	memcpy(pflags, response + kTpmResponseHeaderLength + sizeof(size),
 	       sizeof(TPM_PERMANENT_FLAGS));
 	return result;
author	zaolin <zaolin@das-labor.org>	2018-03-15 00:39:55 +0100
committer	Martin Roth <martinroth@google.com>	2018-03-16 04:13:26 +0000
commit	1356d6288bc85ae8784daef8d663acef9593d19a (patch)
tree	caa0e0c1ff1976d3d5b8730d111a38b3b699dc86
parent	4e0b47a5ed4c305ff158e8264a60e78e1775ea56 (diff)