On Fri, Oct 03, 2025 at 09:25:47AM +0000, Shahriyar Jalayeri wrote:
> Ensure tpm_inf_recv() does not overflow the provided buffer when
> the TPM reports more data than the caller expects.
>
> Signed-off-by: Shahriyar Jalayeri <[email protected]>
missing:
Fixes: ebb81fdb3dd0 ("[PATCH] tpm: Support for Infineon TPM")
> ---
> drivers/char/tpm/tpm_infineon.c | 12 ++++++++++++
> 1 file changed, 12 insertions(+)
>
> diff --git a/drivers/char/tpm/tpm_infineon.c b/drivers/char/tpm/tpm_infineon.c
> index 7638b65b8..eb6dd55ff 100644
> --- a/drivers/char/tpm/tpm_infineon.c
> +++ b/drivers/char/tpm/tpm_infineon.c
> @@ -250,6 +250,12 @@ static int tpm_inf_recv(struct tpm_chip *chip, u8 * buf,
> size_t count)
> number_of_wtx = 0;
>
> recv_begin:
> + if (count < 4) {
> + dev_err(&chip->dev,
> + "count less than the header size!\n");
> + return -EIO;
> + }
Please remove dev_err()
> +
> /* start receiving header */
> for (i = 0; i < 4; i++) {
> ret = wait(chip, STAT_RDA);
> @@ -268,6 +274,12 @@ static int tpm_inf_recv(struct tpm_chip *chip, u8 * buf,
> size_t count)
> /* size of the data received */
> size = ((buf[2] << 8) | buf[3]);
>
> + if (size > count) {
> + dev_err(&chip->dev,
> + "Buffer too small for incoming data!\n");
> + return -EIO;
> + }
Ditto
>
> for (i = 0; i < size; i++) {
> wait(chip, STAT_RDA);
> buf[i] = tpm_data_in(RDFIFO);
> --
> 2.43.0
BR, Jarkko
