Address out-of-bounds issue when using TPM SPI interface
Bug #2067429 reported by Brad Figg
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
linux-nvidia (Ubuntu) | Fix Released | Undecided | Unassigned |
Bug Description
The TPM SPI transfer mechanism uses MAX_SPI_FRAMESIZE for computing the
maximum transfer length and the size of the transfer buffer. As such, it
does not account for the 4 bytes of header that prepends the SPI data
frame. This can result in out-of-bounds accesses and was confirmed with
KASAN.

Introduce SPI_HDRSIZE to account for the header and use it to allocate the
transfer buffer.
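
The sizing problem in the description above, as an added user-space sketch (not the driver's code and not part of the original report). It shows why a buffer of MAX_SPI_FRAMESIZE bytes cannot hold a full-size frame once the header is counted. Assumptions: MAX_SPI_FRAMESIZE is taken as 64, the header byte layout follows the usual TPM SPI framing, and `build_frame`, `frame_len`, `IOBUF_OLD` and `IOBUF_NEW` are hypothetical names.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_SPI_FRAMESIZE 64  /* assumed value for this sketch */
#define SPI_HDRSIZE        4  /* header bytes in front of the data, per the report */

/* Transfer buffer size before the fix (data only) and after it (header + data). */
enum { IOBUF_OLD = MAX_SPI_FRAMESIZE, IOBUF_NEW = SPI_HDRSIZE + MAX_SPI_FRAMESIZE };

/* Bytes one frame occupies in the transfer buffer: header plus payload. */
static size_t frame_len(size_t payload_len)
{
    return SPI_HDRSIZE + payload_len;
}

/*
 * Hypothetical helper: place header and payload in buf, refusing any frame
 * that does not fit. Returns the bytes written, or -1 if buf is too small.
 */
static int build_frame(uint8_t *buf, size_t buf_size, int is_read, uint16_t addr,
                       const uint8_t *payload, size_t payload_len)
{
    if (payload_len == 0 || payload_len > MAX_SPI_FRAMESIZE)
        return -1;
    if (frame_len(payload_len) > buf_size)
        return -1;  /* header + data would run past the end of buf */

    /* Assumed layout: direction bit and size-1, 0xd4, 16-bit register address. */
    buf[0] = (uint8_t)((is_read ? 0x80 : 0x00) | (payload_len - 1));
    buf[1] = 0xd4;
    buf[2] = (uint8_t)(addr >> 8);
    buf[3] = (uint8_t)addr;
    if (!is_read)
        memcpy(buf + SPI_HDRSIZE, payload, payload_len);
    return (int)frame_len(payload_len);
}

int main(void)
{
    uint8_t data[MAX_SPI_FRAMESIZE] = {0};  /* constructed payload */
    uint8_t buf[IOBUF_NEW];

    /* A full-size write is rejected for the old size and fits the new one. */
    printf("old buffer: %d\n", build_frame(buf, IOBUF_OLD, 0, 0x0024, data, sizeof data));
    printf("new buffer: %d\n", build_frame(buf, IOBUF_NEW, 0, 0x0024, data, sizeof data));
    return 0;
}
```

Without the size check, any payload longer than MAX_SPI_FRAMESIZE - SPI_HDRSIZE bytes would write past the end of the old buffer, which is the class of access KASAN reports.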
This bug is awaiting verification that the linux-nvidia-6.5/6.5.0-1021.22 kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-jammy-linux-nvidia-6.5' to 'verification-done-jammy-linux-nvidia-6.5'. If the problem still exists, change the tag 'verification-needed-jammy-linux-nvidia-6.5' to 'verification-failed-jammy-linux-nvidia-6.5'.
If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.
See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Thank you!