Dear TPM maintainers:
Please have a look at the tpm hwrng driver because it appears to
be returning a length longer than the buffer length that we gave
it. In particular, tpm2 appears to be the culprit (though I didn't
really check tpm1 at all so it could also be buggy).
The following patch hopefully should confirm that this is indeed
caused by TPM and not some other HWRNG driver.
---8<---
If a buggy driver returns a length that is longer than the size
of the buffer provided to it, then this may lead to a buffer overread
in the caller.
Stop this by adding a check for it in the hwrng core.
Reported-by: Guangwu Zhang <guazh...@redhat.com>
Signed-off-by: Herbert Xu <herb...@gondor.apana.org.au>
diff --git a/drivers/char/hw_random/core.c b/drivers/char/hw_random/core.c
index 57c51efa5613..018316f54621 100644
--- a/drivers/char/hw_random/core.c
+++ b/drivers/char/hw_random/core.c
@@ -181,8 +181,15 @@ static inline int rng_get_data(struct hwrng *rng, u8
*buffer, size_t size,
int present;
BUG_ON(!mutex_is_locked(&reading_mutex));
- if (rng->read)
- return rng->read(rng, (void *)buffer, size, wait);
+ if (rng->read) {
+ int err;
+
+ err = rng->read(rng, buffer, size, wait);
+ if (WARN_ON_ONCE(err > 0 && err > size))
+ err = size;
+
+ return err;
+ }
if (rng->data_present)
present = rng->data_present(rng, wait);
--
Email: Herbert Xu <herb...@gondor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
