Re: [PATCH 1/3] KEYS: asym_tpm: fix buffer overreads in extract_key_parameters()

On Thu, Jan 13, 2022 at 03:54:38PM -0800, Eric Biggers wrote:

From: Eric Biggers ebiggers@google.com

extract_key_parameters() can read past the end of the input buffer due to buggy and missing bounds checks. Fix it as follows:

• Before reading each key length field, verify that there are at least 4 bytes remaining.

Maybe start with a "Key length is described as an unsigned 32-bit integer in the TPM header". Just for clarity.

• Avoid integer overflows when validating size fields; 'sz + 12' and '4 + sz' overflowed if 'sz' is near U32_MAX.

So we have a struct tpm_header in include/linux/tpm.h. It would be way more informative to use sizeof(struct tpm_header) than number 12, even if the patch does not otherwise use the struct. It tells what it is, 12 does not.

• Before saving the pointer to the public key, check that it doesn't run past the end of the buffer.

Fixes: f8c54e1ac4b8 ("KEYS: asym_tpm: extract key size & public key [ver #2]") Cc: stable@vger.kernel.org # v4.20+ Signed-off-by: Eric Biggers ebiggers@google.com

BR, Jarkko