Re: [PATCH v2] tpm: fix event_size output in tpm1_binary_bios_measurements_show

Mon, 15 Jun 2026 05:07:55 -0700 

On Wed, Jun 10, 2026 at 10:35:47PM +0200, Thorsten Blum wrote:
> On Fri, May 22, 2026 at 03:55:03PM +0300, Jarkko Sakkinen wrote:
> > On Fri, May 22, 2026 at 11:44:38AM +0200, Thorsten Blum wrote:
> > > Commit 186d124f07da ("tpm_eventlog.c: fix binary_bios_measurements")
> > > split the output to write the endian-converted event header first and
> > > then the variable-length event data.
> > > 
> > > However, the split was at sizeof(struct tcpa_event) - 1, even though
> > > event_data was a zero-length array, and later a flexible array member,
> > > both of which already excluded the event data.
> > > 
> > > Therefore, the current code writes the first three bytes of event_size
> > > from the endian-converted header and then the last byte from the raw
> > > header, which can emit a corrupted event_size on PPC64, where
> > > do_endian_conversion() maps to be32_to_cpu().
> > > 
> > > Split one byte later to write the full endian-converted header first,
> > > followed by the variable-length event->event_data.
> > > 
> > > Fixes: 186d124f07da ("tpm_eventlog.c: fix binary_bios_measurements")
> > > Cc: [email protected]
> > > Signed-off-by: Thorsten Blum <[email protected]>
> > > ---
> > > Changes in v2:
> > > - Minimal fix without using seq_write()
> > > - v1: 
> > > https://lore.kernel.org/lkml/[email protected]/
> > > ---
> > >  drivers/char/tpm/eventlog/tpm1.c | 4 ++--
> > >  1 file changed, 2 insertions(+), 2 deletions(-)
> > > 
> > > diff --git a/drivers/char/tpm/eventlog/tpm1.c 
> > > b/drivers/char/tpm/eventlog/tpm1.c
> > > index e7913b2853d5..0397e3361020 100644
> > > --- a/drivers/char/tpm/eventlog/tpm1.c
> > > +++ b/drivers/char/tpm/eventlog/tpm1.c
> > > @@ -236,12 +236,12 @@ static int 
> > > tpm1_binary_bios_measurements_show(struct seq_file *m, void *v)
> > >  
> > >   temp_ptr = (char *) &temp_event;
> > >  
> > > - for (i = 0; i < (sizeof(struct tcpa_event) - 1) ; i++)
> > > + for (i = 0; i < sizeof(struct tcpa_event); i++)
> > >           seq_putc(m, temp_ptr[i]);
> > >  
> > >   temp_ptr = (char *) v;
> > >  
> > > - for (i = (sizeof(struct tcpa_event) - 1);
> > > + for (i = sizeof(struct tcpa_event);
> > >        i < (sizeof(struct tcpa_event) + temp_event.event_size); i++)
> > >           seq_putc(m, temp_ptr[i]);
> > >  
> > 
> > This was really good catch, thank you. I'll apply in a minute.
> 
> Has this already been applied somewhere?

My bad, and thanks for pingin! queued

> 
> Thanks,
> Thorsten

BR, Jarkko

Reply via email to