diff options
| author | Daniel Axtens <dja@axtens.net> | 2021-07-21 14:00:27 +1000 |
|---|---|---|
| committer | Vasant Hegde <hegdevasant@linux.vnet.ibm.com> | 2021-07-22 11:25:57 +0530 |
| commit | af351fe7941da32e8f7c801edb56683a95c6280c (patch) | |
| tree | 571d9592cdec5927dcef2fc486e332102246bde4 | |
| parent | 6f33c010e5c5e12dc0035232e96eb7b6c5cdf9df (diff) | |
| download | skiboot-af351fe7941da32e8f7c801edb56683a95c6280c.zip skiboot-af351fe7941da32e8f7c801edb56683a95c6280c.tar.gz skiboot-af351fe7941da32e8f7c801edb56683a95c6280c.tar.bz2 | |
secvar/backend: Don't overread data in auth descriptor
[ Upstream commit 15da2fd447c04a9f6ea53b8f8bdfaa7cbc6ea520 ]
Catch another OOB read picked up by the fuzzer.
Signed-off-by: Daniel Axtens <dja@axtens.net>
Reviewed-by: Nayna Jain <nayna@linux.ibm.com>
Tested-by: Nayna Jain <nayna@linux.ibm.com>
Signed-off-by: Vasant Hegde <hegdevasant@linux.vnet.ibm.com>
| -rw-r--r-- | libstb/secvar/backend/edk2-compat-process.c | 3 | ||||
| -rw-r--r-- | libstb/secvar/test/secvar-test-edk2-compat.c | 19 |
2 files changed, 22 insertions, 0 deletions
diff --git a/libstb/secvar/backend/edk2-compat-process.c b/libstb/secvar/backend/edk2-compat-process.c index c0006a5..99fe106 100644 --- a/libstb/secvar/backend/edk2-compat-process.c +++ b/libstb/secvar/backend/edk2-compat-process.c @@ -192,6 +192,9 @@ int get_auth_descriptor2(const void *buf, const size_t buflen, void **auth_buffe auth_buffer_size = sizeof(auth->timestamp) + sizeof(auth->auth_info.hdr) + sizeof(auth->auth_info.cert_type) + len; + if (auth_buffer_size > buflen) + return OPAL_PARAMETER; + *auth_buffer = zalloc(auth_buffer_size); if (!(*auth_buffer)) return OPAL_NO_MEM; diff --git a/libstb/secvar/test/secvar-test-edk2-compat.c b/libstb/secvar/test/secvar-test-edk2-compat.c index 100fda7..a3b1613 100644 --- a/libstb/secvar/test/secvar-test-edk2-compat.c +++ b/libstb/secvar/test/secvar-test-edk2-compat.c @@ -91,6 +91,7 @@ int run_test() struct secvar *tmp; size_t tmp_size; char empty[64] = {0}; + void *data; /* The sequence of test cases here is important to ensure that * timestamp checks work as expected. */ @@ -253,6 +254,24 @@ int run_test() ASSERT(NULL != tmp); ASSERT(0 == tmp->data_size); + printf("Try truncated KEK < size of auth structure:\n"); + data = malloc(1467); + memcpy(data, KEK_auth, 1467); + tmp = new_secvar("KEK", 4, data, 1467, 0); + rc = edk2_compat_validate(tmp); + ASSERT(0 == rc); + list_add_tail(&update_bank, &tmp->link); + ASSERT(1 == list_length(&update_bank)); + + rc = edk2_compat_process(&variable_bank, &update_bank); + ASSERT(0 != rc); + ASSERT(5 == list_length(&variable_bank)); + ASSERT(0 == list_length(&update_bank)); + tmp = find_secvar("KEK", 4, &variable_bank); + ASSERT(NULL != tmp); + ASSERT(0 == tmp->data_size); + free(data); + /* Add valid KEK, .process(), succeeds. */ printf("Add KEK"); tmp = new_secvar("KEK", 4, KEK_auth, KEK_auth_len, 0); |