From 94a409c2588cdca6cd82e7a98a8913cbefceab6f Mon Sep 17 00:00:00 2001
From: Raymond Mao
Date: Tue, 11 Feb 2025 13:23:07 -0800
Subject: [PATCH] tpm: add checker for pcr count

Add bound checking for pcr count before using it.

Addresses-Coverity-ID: 541280: Insecure data handling (TAINTED_SCALAR)
Addresses-Coverity-ID: 541281: Insecure data handling (TAINTED_SCALAR)
Signed-off-by: Raymond Mao
---
 cmd/tpm-v2.c | 3 +++
 lib/tpm-v2.c | 3 +++
 2 files changed, 6 insertions(+)

diff --git a/cmd/tpm-v2.c b/cmd/tpm-v2.c
index a62862e94f9..a21b6a73a95 100644
--- a/cmd/tpm-v2.c
+++ b/cmd/tpm-v2.c
@@ -304,6 +304,9 @@ static int do_tpm2_pcrallocate(struct cmd_tbl *cmdtp, int flag, int argc,
 if (ret)
 return ret;
 
+ if (pcr.count > TPM2_NUM_PCR_BANKS)
+ return -EINVAL;
+
 for (i = 0; i < pcr.count; i++) {
 struct tpms_pcr_selection *sel = &pcr.selection[i];
 const char *name;
diff --git a/lib/tpm-v2.c b/lib/tpm-v2.c
index 9ca7933c094..e4aa2415825 100644
--- a/lib/tpm-v2.c
+++ b/lib/tpm-v2.c
@@ -74,6 +74,9 @@ int tpm2_scan_masks(struct udevice *dev, u32 log_active, u32 *mask)
 if (rc)
 return rc;
 
+ if (pcrs.count > TPM2_NUM_PCR_BANKS)
+ return TPM_LIB_ERROR;
+
 for (i = 0; i < pcrs.count; i++) {
 struct tpms_pcr_selection *sel = &pcrs.selection[i];
 size_t j;
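Review bot: In do_tpm2_pcrallocate (cmd/tpm-v2.c) the new `pcr.count > TPM2_NUM_PCR_BANKS` test runs only after the call that fills `pcr` has returned, and that call is outside the hunk. If that call copies `count` entries from the TPM response into `pcr.selection[]`, the out-of-bounds write happens before this guard is reached, so the bound belongs where the count is first read from the response, with the check here kept as a second line of defence. The same ordering applies to the `pcrs.count` check in tpm2_scan_masks (lib/tpm-v2.c). A short comment on the guard would record the intent, for example `/* count is taken from the TPM response; never index selection[] past TPM2_NUM_PCR_BANKS */`.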
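Review bot: The guard in tpm2_scan_masks (lib/tpm-v2.c) rejects an out-of-range `pcrs.count` silently and returns `TPM_LIB_ERROR`, while the matching guard in cmd/tpm-v2.c returns `-EINVAL` and the line above it returns `rc` unchanged. A count larger than the bank limit means the device sent a malformed or unexpected reply, which is worth a log line so it can be told apart from an ordinary transport failure, for example `log_err("%s: PCR bank count out of range\n", __func__);` before the return. Picking one error convention for both guards would also let callers handle the case uniformly. The function body continues outside the hunk.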