diff options
author | Daniel Axtens <dja@axtens.net> | 2021-07-14 12:57:12 +1000 |
---|---|---|
committer | Vasant Hegde <hegdevasant@linux.vnet.ibm.com> | 2021-07-20 11:07:36 +0530 |
commit | 15da2fd447c04a9f6ea53b8f8bdfaa7cbc6ea520 (patch) | |
tree | f6a891c2dd15ec7abf0813fea4edcc74733520ad /libstb/secvar/test/secvar-test-edk2-compat.c | |
parent | 56658ad4a0249cdf516e6bc21781cce901965998 (diff) | |
download | skiboot-15da2fd447c04a9f6ea53b8f8bdfaa7cbc6ea520.zip skiboot-15da2fd447c04a9f6ea53b8f8bdfaa7cbc6ea520.tar.gz skiboot-15da2fd447c04a9f6ea53b8f8bdfaa7cbc6ea520.tar.bz2 |
secvar/backend: Don't overread data in auth descriptor
Catch another OOB read picked up by the fuzzer.
Signed-off-by: Daniel Axtens <dja@axtens.net>
Reviewed-by: Nayna Jain <nayna@linux.ibm.com>
Tested-by: Nayna Jain <nayna@linux.ibm.com>
Signed-off-by: Vasant Hegde <hegdevasant@linux.vnet.ibm.com>
Diffstat (limited to 'libstb/secvar/test/secvar-test-edk2-compat.c')
-rw-r--r-- | libstb/secvar/test/secvar-test-edk2-compat.c | 19 |
1 files changed, 19 insertions, 0 deletions
diff --git a/libstb/secvar/test/secvar-test-edk2-compat.c b/libstb/secvar/test/secvar-test-edk2-compat.c index 65ed549..f230542 100644 --- a/libstb/secvar/test/secvar-test-edk2-compat.c +++ b/libstb/secvar/test/secvar-test-edk2-compat.c @@ -92,6 +92,7 @@ int run_test() struct secvar *tmp; size_t tmp_size; char empty[64] = {0}; + void *data; /* The sequence of test cases here is important to ensure that * timestamp checks work as expected. */ @@ -254,6 +255,24 @@ int run_test() ASSERT(NULL != tmp); ASSERT(0 == tmp->data_size); + printf("Try truncated KEK < size of auth structure:\n"); + data = malloc(1467); + memcpy(data, KEK_auth, 1467); + tmp = new_secvar("KEK", 4, data, 1467, 0); + rc = edk2_compat_validate(tmp); + ASSERT(0 == rc); + list_add_tail(&update_bank, &tmp->link); + ASSERT(1 == list_length(&update_bank)); + + rc = edk2_compat_process(&variable_bank, &update_bank); + ASSERT(0 != rc); + ASSERT(5 == list_length(&variable_bank)); + ASSERT(0 == list_length(&update_bank)); + tmp = find_secvar("KEK", 4, &variable_bank); + ASSERT(NULL != tmp); + ASSERT(0 == tmp->data_size); + free(data); + /* Add valid KEK, .process(), succeeds. */ printf("Add KEK"); tmp = new_secvar("KEK", 4, KEK_auth, KEK_auth_len, 0); |