mirror of
https://github.com/torvalds/linux
synced 2024-09-22 20:37:18 +00:00
abce9ac292
tpm_write calls tpm_transmit without checking the return value and assigns the return value unconditionally to chip->pending_data, even if it's an error value. This causes three bugs. So if we write to /dev/tpm0 with a tpm_param_size bigger than TPM_BUFSIZE=0x1000 (e.g. 0x100a) and a bufsize also bigger than TPM_BUFSIZE (e.g. 0x100a) tpm_transmit returns -E2BIG which is assigned to chip->pending_data as -7, but tpm_write returns that TPM_BUFSIZE bytes have been successfully been written to the TPM, altough this is not true (bug #1). As we did write more than than TPM_BUFSIZE bytes but tpm_write reports that only TPM_BUFSIZE bytes have been written the vfs tries to write the remaining bytes (in this case 10 bytes) to the tpm device driver via tpm_write which then blocks at /* cannot perform a write until the read has cleared either via tpm_read or a user_read_timer timeout */ while (atomic_read(&chip->data_pending) != 0) msleep(TPM_TIMEOUT); for 60 seconds, since data_pending is -7 and nobody is able to read it (since tpm_read luckily checks if data_pending is greater than 0) (#bug 2). After that the remaining bytes are written to the TPM which are interpreted by the tpm as a normal command. (bug #3) So if the last bytes of the command stream happen to be a e.g. tpm_force_clear this gets accidentally sent to the TPM. This patch fixes all three bugs, by propagating the error code of tpm_write and returning -E2BIG if the input buffer is too big, since the response from the tpm for a truncated value is bogus anyway. Moreover it returns -EBUSY to userspace if there is a response ready to be read. Signed-off-by: Peter Huewe <peter.huewe@infineon.com> Signed-off-by: Kent Yoder <key@linux.vnet.ibm.com> |
||
|---|---|---|
| .. | ||
| agp | ||
| hw_random | ||
| ipmi | ||
| mwave | ||
| pcmcia | ||
| tpm | ||
| xilinx_hwicap | ||
| apm-emulation.c | ||
| applicom.c | ||
| applicom.h | ||
| bfin-otp.c | ||
| bsr.c | ||
| ds1302.c | ||
| ds1620.c | ||
| dsp56k.c | ||
| dtlk.c | ||
| efirtc.c | ||
| generic_nvram.c | ||
| genrtc.c | ||
| hangcheck-timer.c | ||
| hpet.c | ||
| i8k.c | ||
| Kconfig | ||
| lp.c | ||
| Makefile | ||
| mbcs.c | ||
| mbcs.h | ||
| mem.c | ||
| misc.c | ||
| mmtimer.c | ||
| msm_smd_pkt.c | ||
| mspec.c | ||
| nsc_gpio.c | ||
| nvram.c | ||
| nwbutton.c | ||
| nwbutton.h | ||
| nwflash.c | ||
| pc8736x_gpio.c | ||
| ppdev.c | ||
| ps3flash.c | ||
| random.c | ||
| raw.c | ||
| rtc.c | ||
| scx200_gpio.c | ||
| snsc.c | ||
| snsc.h | ||
| snsc_event.c | ||
| sonypi.c | ||
| tb0219.c | ||
| tile-srom.c | ||
| tlclk.c | ||
| toshiba.c | ||
| ttyprintk.c | ||
| uv_mmtimer.c | ||
| virtio_console.c | ||