linux-imx/drivers/char
Jeremy Boone 72686d527c tpm_tis: fix potential buffer overruns caused by bit glitches on the bus
commit 6bb320ca4a upstream.

Discrete TPMs are often connected over slow serial buses which, on
some platforms, can have glitches causing bit flips.  In all the
driver _recv() functions, we need to use a u32 to unmarshal the
response size, otherwise a bit flip of the 31st bit would cause the
expected variable to go negative, which would then try to read a huge
amount of data.  Also sanity check that the expected amount of data is
large enough for the TPM header.

Signed-off-by: Jeremy Boone <jeremy.boone@nccgroup.trust>
Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
Tested-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Reviewed-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Signed-off-by: James Morris <james.morris@microsoft.com>
[bwh: Backported to 3.2: adjust filename]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
2018-06-01 00:30:19 +01:00
agp agp/intel: Fix typo in needs_ilk_vtd_wa() 2015-08-12 16:33:17 +02:00
hw_random virtio: rng: disallow multiple device registrations, fixes crashes 2013-03-20 15:03:31 +00:00
ipmi ipmi: fix timeout calculation when bmc is disconnected 2016-06-15 21:28:10 +01:00
mwave Fix common misspellings 2011-03-31 11:26:23 -03:00
pcmcia pcmcia: Convert pcmcia_device_id declarations to const 2011-05-06 07:46:22 +02:00
tpm tpm_tis: fix potential buffer overruns caused by bit glitches on the bus 2018-06-01 00:30:19 +01:00
xilinx_hwicap treewide: Convert uses of struct resource to resource_size(ptr) 2011-06-10 14:55:36 +02:00
apm-emulation.c Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/trivial 2011-10-25 12:11:02 +02:00
applicom.c applicom: dereferencing NULL on error path 2014-08-06 18:07:41 +01:00
applicom.h
bfin-otp.c llseek: automatically add .llseek fop 2010-10-15 15:53:27 +02:00
briq_panel.c BKL: remove extraneous #include <smp_lock.h> 2010-11-17 08:59:32 -08:00
bsr.c treewide: Convert uses of struct resource to resource_size(ptr) 2011-06-10 14:55:36 +02:00
ds1302.c Merge branch 'llseek' of git://git.kernel.org/pub/scm/linux/kernel/git/arnd/bkl 2010-10-22 10:52:56 -07:00
ds1620.c Merge branch 'llseek' of git://git.kernel.org/pub/scm/linux/kernel/git/arnd/bkl 2010-10-22 10:52:56 -07:00
dsp56k.c Merge branch 'llseek' of git://git.kernel.org/pub/scm/linux/kernel/git/arnd/bkl 2010-10-22 10:52:56 -07:00
dtlk.c Merge branch 'llseek' of git://git.kernel.org/pub/scm/linux/kernel/git/arnd/bkl 2010-10-22 10:52:56 -07:00
efirtc.c
generic_nvram.c drivers: fix up various ->llseek() implementations 2011-07-20 20:47:58 -04:00
genrtc.c Merge branch 'llseek' of git://git.kernel.org/pub/scm/linux/kernel/git/arnd/bkl 2010-10-22 10:52:56 -07:00
hangcheck-timer.c Input: sysrq - drop tty argument form handle_sysrq() 2010-08-21 00:34:45 -07:00
hpet.c vm: convert HPET mmap to vm_iomap_memory() helper 2013-05-13 15:02:34 +01:00
i8k.c hwmon: (dell-smm) Restrict fan control and serial number to CAP_SYS_ADMIN by default 2016-08-22 22:37:15 +01:00
Kconfig char: Drop bogus dependency of DEVPORT on !M68K 2016-08-22 22:37:09 +01:00
lp.c char: lp: fix possible integer overflow in lp_setup() 2017-07-18 18:38:45 +01:00
Makefile arch/tile: add hypervisor-based character driver for SPI flash ROM 2011-06-10 13:07:48 -04:00
mbcs.c drivers: autoconvert trivial BKL users to private mutex 2010-10-05 15:01:04 +02:00
mbcs.h Fix common misspellings 2011-03-31 11:26:23 -03:00
mem.c drivers: char: mem: Fix wraparound check to allow mappings up to the end 2017-09-15 18:30:49 +01:00
misc.c llseek: automatically add .llseek fop 2010-10-15 15:53:27 +02:00
mmtimer.c posix-timers: Cleanup namespace 2011-02-02 15:28:19 +01:00
msm_smd_pkt.c drivers/char/msm_smd_pkt.c: don't use IS_ERR() 2011-08-25 16:25:33 -07:00
mspec.c Redefine ATOMIC_INIT and ATOMIC64_INIT to drop the casts 2012-08-10 00:24:54 +01:00
nsc_gpio.c
nvram.c drivers: fix up various ->llseek() implementations 2011-07-20 20:47:58 -04:00
nwbutton.c Fix common misspellings 2011-03-31 11:26:23 -03:00
nwbutton.h
nwflash.c drivers: autoconvert trivial BKL users to private mutex 2010-10-05 15:01:04 +02:00
pc8736x_gpio.c llseek: automatically add .llseek fop 2010-10-15 15:53:27 +02:00
ppdev.c drivers/char/ppdev.c: put gotten port value 2011-05-26 17:12:37 -07:00
ps3flash.c drivers/char: Add module.h to those who were using it implicitly 2011-10-31 19:31:40 -04:00
ramoops.c ramoops: fix use of rounddown_pow_of_two() 2013-01-03 03:33:59 +00:00
random.c random: add and use memzero_explicit() for clearing data 2014-12-14 16:23:49 +00:00
raw.c raw: test against runtime value of max_raw_minors 2014-04-02 00:58:49 +01:00
rtc.c drivers/char/rtc: use printk_ratelimited instead of printk_ratelimit 2011-09-15 14:05:25 +02:00
scx200_gpio.c llseek: automatically add .llseek fop 2010-10-15 15:53:27 +02:00
snsc_event.c include cleanup: Update gfp.h and slab.h includes to prepare for breaking implicit slab.h inclusion from percpu.h 2010-03-30 22:02:32 +09:00
snsc.c Merge branch 'llseek' of git://git.kernel.org/pub/scm/linux/kernel/git/arnd/bkl 2010-10-22 10:52:56 -07:00
snsc.h headers: kobject.h redux 2011-01-10 08:51:44 -08:00
sonypi.c Fix common misspellings 2011-03-31 11:26:23 -03:00
tb0219.c llseek: automatically add .llseek fop 2010-10-15 15:53:27 +02:00
tile-srom.c arch/tile: add hypervisor-based character driver for SPI flash ROM 2011-06-10 13:07:48 -04:00
tlclk.c Merge branch 'llseek' of git://git.kernel.org/pub/scm/linux/kernel/git/arnd/bkl 2010-10-22 10:52:56 -07:00
toshiba.c Merge branch 'llseek' of git://git.kernel.org/pub/scm/linux/kernel/git/arnd/bkl 2010-10-22 10:52:56 -07:00
ttyprintk.c TTY: ttyprintk, don't touch behind tty->write_buf 2012-10-17 03:48:10 +01:00
uv_mmtimer.c BKL: remove extraneous #include <smp_lock.h> 2010-11-17 08:59:32 -08:00
viotape.c Merge branch 'llseek' of git://git.kernel.org/pub/scm/linux/kernel/git/arnd/bkl 2010-10-22 10:52:56 -07:00
virtio_console.c virtio_console: avoid config access from irq 2015-05-09 23:16:26 +01:00