Dev news

Commit c6d77ba44a for qemu.org

commit c6d77ba44aebb5cbb9f20e75d890134947a785df
Author: Stefan Berger <stefanb@linux.vnet.ibm.com>
Date:   Mon May 11 14:22:17 2026 +0000

    tpm_emulator: Reject a buffer size different than what was requested

    When the TIS, SPAPR, or CRB frontends negotiate a buffer size with the
    TPM backend, then the tpm_emulator (swtpm) could still adjust this size
    of the buffer to within bounds supported by swtpm+libtpms if the chosen
    size was outside the acceptable range. This could theoretically lead to
    the TPM 2 using a bigger buffer than what was requested and memory
    allocated for. In practice this would not happend since the requested size
    of 4096 bytes for TIS and SPAPR and 3968 bytes for CRB happen in the
    (currently) supported range of ~2.5kb to 4096 bytes. With PQC support
    the range will have an upper bound of 8kb and a lower bound that will
    support the (pre-PQC) CRB with 3968 bytes.

    Fixes: 9375c44fdfc0 ("tpm: tpm_emulator: get and set buffer size of device")
    Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
    Link: https://lore.kernel.org/qemu-devel/20260511142219.797048-2-stefanb@linux.ibm.com
    Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>

diff --git a/backends/tpm/tpm_emulator.c b/backends/tpm/tpm_emulator.c
index 75c33d290e..ac5427b84e 100644
--- a/backends/tpm/tpm_emulator.c
+++ b/backends/tpm/tpm_emulator.c
@@ -364,6 +364,7 @@ static int tpm_emulator_set_buffer_size(TPMBackend *tb,
 {
     TPMEmulator *tpm_emu = TPM_EMULATOR(tb);
     ptm_setbuffersize psbs;
+    size_t tpm_buffersize;

     if (tpm_emulator_stop_tpm(tb, errp) < 0) {
         return -1;
@@ -387,8 +388,18 @@ static int tpm_emulator_set_buffer_size(TPMBackend *tb,
         return -1;
     }

+    tpm_buffersize = be32_to_cpu(psbs.u.resp.buffersize);
+    /* Reject different buffer size used by the TPM than what was requested. */
+    if (wanted_size != 0 && wanted_size != tpm_buffersize) {
+        error_setg(errp,
+                   "tpm-emulator: TPM did not accept the requested buffer size "
+                   "of %zu bytes but adjusted it to %zu bytes",
+                   wanted_size, tpm_buffersize);
+        return -1;
+    }
+
     if (actual_size) {
-        *actual_size = be32_to_cpu(psbs.u.resp.buffersize);
+        *actual_size = tpm_buffersize;
     }

     trace_tpm_emulator_set_buffer_size(