From 1356d6288bc85ae8784daef8d663acef9593d19a Mon Sep 17 00:00:00 2001
From: zaolin
Date: Thu, 15 Mar 2018 00:39:55 +0100
Subject: security/tpm: Fix TPM software stack vulnerability
* Fix tlcl_read() for TPM 1.2
* https://github.com/nccgroup/TPMGenie
Change-Id: I1618b2cc579d189bccca7a781e2bed0976a8b471
Signed-off-by: zaolin
Reviewed-on: https://review.coreboot.org/25184
Reviewed-by: Aaron Durbin
Tested-by: build bot (Jenkins)
---
 src/security/tpm/tss/tcg-1.2/tss.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/src/security/tpm/tss/tcg-1.2/tss.c b/src/security/tpm/tss/tcg-1.2/tss.c
index b7b2d94930..161d29f781 100644
--- a/src/security/tpm/tss/tcg-1.2/tss.c
+++ b/src/security/tpm/tss/tcg-1.2/tss.c
@@ -238,6 +238,8 @@ uint32_t tlcl_read(uint32_t index, void *data, uint32_t length)
 if (result == TPM_SUCCESS && length > 0) {
 uint8_t *nv_read_cursor = response + kTpmResponseHeaderLength;
 from_tpm_uint32(nv_read_cursor, &result_length);
+ if (result_length > length)
+ return TPM_E_IOERROR;
 nv_read_cursor += sizeof(uint32_t);
 memcpy(data, nv_read_cursor, result_length);
 }
@@ -300,7 +302,8 @@ uint32_t tlcl_get_permanent_flags(TPM_PERMANENT_FLAGS *pflags)
 if (result != TPM_SUCCESS)
 return result;
 from_tpm_uint32(response + kTpmResponseHeaderLength, &size);
- assert(size == sizeof(TPM_PERMANENT_FLAGS));
+ if (size != sizeof(TPM_PERMANENT_FLAGS))
+ return TPM_E_IOERROR;
 memcpy(pflags, response + kTpmResponseHeaderLength + sizeof(size),
 sizeof(TPM_PERMANENT_FLAGS));
 return result;
--
cgit v1.2.3
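Review bot: The added `if (result_length > length)` check in tlcl_read bounds the copy by the caller's buffer only; `result_length` is still a value taken from the TPM response, and nothing visible in the hunk checks it against the bytes actually received or against the space left in `response` after the header and the length field. If `length` can exceed that payload space, `memcpy(data, nv_read_cursor, result_length)` can still read past the received data, so the guard should probably also compare `result_length` with the response's own size (the buffer declaration and the response size field are outside the hunk, so this needs confirming there). A short read (`result_length < length`) also returns TPM_SUCCESS with the tail of `data` unwritten, which deserves a comment or an explicit error. The function body starts and ends outside the hunk.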
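Review bot: The new `if (size != sizeof(TPM_PERMANENT_FLAGS))` branch in tlcl_get_permanent_flags has no comment saying why the assert became a runtime error, and it returns without leaving any trace. I would add `/* size comes from the TPM response and is untrusted: reject a mismatch instead of asserting */` above the check, and consider an error-level log line before the return so that a malformed or tampered response is distinguishable from an ordinary bus failure in the boot log. Other places in this file that parse a length out of `response` are not visible here and would merit the same audit. The function starts outside the hunk.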