author | Nick Child <nnac123@gmail.com> | 2021-07-20 12:04:58 -0400 |
---|---|---|
committer | Vasant Hegde <hegdevasant@linux.vnet.ibm.com> | 2021-07-22 12:09:53 +0530 |
commit | ed764f33ab62d6357a7439992a3f547b755f6e6e (patch) | |
tree | aa70f61eab424b62a5b3fb90df4cc29a74b5806c /libstb/drivers | |
parent | 5eea157271852eaf16c59ef542a889ea6563a2d6 (diff) | |
secvar: ensure ESL buf size is at least what ESL header expects

[ Upstream commit 8a31163a0271f11b4597bca4e803f559e38e3d24 ]

Currently, `get_esl_cert` receives a data buffer containing an ESL and its
length. It is to return a data buffer of the certificate that is contained
inside the ESL. The ESL has header info that contains the certificate's
`size` and the size of the header (`sig_data_offset`). We use this
information to copy `size` bytes starting `sig_data_offset` bytes after the
given ESL buffer. Currently we are checking that the length of the ESL
buffer is at least `sig_data_offset` bytes but we are not checking that it
also has enough bytes to also contain `size` bytes of the certificate. This
becomes problematic if some data at the end of the ESL gets lost. Since the
ESL claims it has more than it actually does, this will lead to a buffer
over-read. What is even worse is that this buffer over-read can go
unnoticed since the last 256 bytes of the ESL are usually the x509 2048 bit
signature so the extra garbage bytes that are copied will appear to be a
valid RSA signature.

To resolve this, this commit ensures that the ESL buffer length is large
enough to hold the data that it claims it contains.

Lastly, a new test case is added to test the described condition. It
includes a new test file `trimmedKEK.h` which contains a struct a valid KEK
auth file minus 5 bytes, therefore making it invalid.

Fixes: 87562bc5c1a6 ("secvar/backend: add edk2 derived key updates processing")
Signed-off-by: Nick Child <nick.child@ibm.com>
Reviewed-by: Daniel Axtens <dja@axtens.net>
Reviewed-by: Nayna Jain <nayna@linux.ibm.com>
Tested-by: Nayna Jain <nayna@linux.ibm.com>
Signed-off-by: Vasant Hegde <hegdevasant@linux.vnet.ibm.com>
Diffstat (limited to 'libstb/drivers')
0 files changed, 0 insertions, 0 deletions
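
The bounds check the commit message describes, as an added example that is not skiboot's code: a simplified routine that copies the certificate out of the first ESL in a buffer, assuming the UEFI `EFI_SIGNATURE_LIST` layout (16-byte type GUID, then three little-endian 32-bit size fields) with a 16-byte owner GUID in front of the certificate. `esl_cert_copy`, `try_trimmed` and the 32-byte dummy certificate are hypothetical names and constructed data; `size` and `sig_data_offset` follow the commit message.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#define ESL_HDR_LEN 28u /* 16-byte type GUID + three little-endian u32 fields */
#define OWNER_LEN   16u /* SignatureOwner GUID stored in front of the cert */

static uint32_t rd_le32(const uint8_t *p)
{
	return p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Hypothetical helper: copy the cert out of the first ESL; 0 on success, -1 if malformed. */
static int esl_cert_copy(const uint8_t *buf, size_t buflen, uint8_t **cert, size_t *cert_len)
{
	if (!buf || !cert || !cert_len || buflen < ESL_HDR_LEN)
		return -1;
	uint32_t hdr_size = rd_le32(buf + 20); /* SignatureHeaderSize */
	uint32_t sig_size = rd_le32(buf + 24); /* SignatureSize = owner GUID + cert */
	if (sig_size <= OWNER_LEN)
		return -1;
	size_t size = sig_size - OWNER_LEN;
	/* Subtract instead of adding so untrusted length fields cannot wrap. */
	if (hdr_size > buflen - ESL_HDR_LEN || OWNER_LEN > buflen - ESL_HDR_LEN - hdr_size)
		return -1;
	size_t sig_data_offset = (size_t)ESL_HDR_LEN + hdr_size + OWNER_LEN;
	if (size > buflen - sig_data_offset) /* buffer must also hold `size` cert bytes */
		return -1;
	if (!(*cert = malloc(size)))
		return -1;
	memcpy(*cert, buf + sig_data_offset, size);
	*cert_len = size;
	return 0;
}

/* Constructed sample: one ESL holding a 32-byte dummy cert, passed in minus `trim` bytes. */
static int try_trimmed(size_t trim)
{
	uint8_t esl[ESL_HDR_LEN + OWNER_LEN + 32] = {0}, *cert = NULL;
	size_t n = 0;
	esl[16] = sizeof(esl);    /* SignatureListSize = 76 */
	esl[24] = OWNER_LEN + 32; /* SignatureSize = 48; SignatureHeaderSize stays 0 */
	int rc = esl_cert_copy(esl, sizeof(esl) - trim, &cert, &n);
	free(cert);
	return rc == 0 ? (int)n : rc;
}

int main(void)
{
	/* Exit 0 when the intact ESL yields 32 bytes and the one trimmed by 5 is rejected. */
	return try_trimmed(0) == 32 && try_trimmed(5) == -1 ? 0 : 1;
}
```

Without the `size > buflen - sig_data_offset` test, the trimmed case would pass the offset check alone and `memcpy` would read 5 bytes past the end of the buffer.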