diff options
author | Daniel Axtens <dja@axtens.net> | 2021-07-21 14:00:27 +1000 |
---|---|---|
committer | Vasant Hegde <hegdevasant@linux.vnet.ibm.com> | 2021-07-22 12:10:27 +0530 |
commit | dfa6c9c7ae178174a0cb48150a96032f657f0609 (patch) | |
tree | f567afe2df71a11e41dfede59d87306e29a18cb8 /libstb | |
parent | 4e403c96a70e987f23902c2122ac520e8f2c3179 (diff) | |
download | skiboot-dfa6c9c7ae178174a0cb48150a96032f657f0609.zip skiboot-dfa6c9c7ae178174a0cb48150a96032f657f0609.tar.gz skiboot-dfa6c9c7ae178174a0cb48150a96032f657f0609.tar.bz2 |
secvar/backend: Don't overread data in auth descriptor
[ Upstream commit 15da2fd447c04a9f6ea53b8f8bdfaa7cbc6ea520 ]
Catch another OOB read picked up by the fuzzer.
Signed-off-by: Daniel Axtens <dja@axtens.net>
Reviewed-by: Nayna Jain <nayna@linux.ibm.com>
Tested-by: Nayna Jain <nayna@linux.ibm.com>
Signed-off-by: Vasant Hegde <hegdevasant@linux.vnet.ibm.com>
Diffstat (limited to 'libstb')
-rw-r--r-- | libstb/secvar/backend/edk2-compat-process.c | 3 | ||||
-rw-r--r-- | libstb/secvar/test/secvar-test-edk2-compat.c | 19 |
2 files changed, 22 insertions, 0 deletions
diff --git a/libstb/secvar/backend/edk2-compat-process.c b/libstb/secvar/backend/edk2-compat-process.c index c0006a5..99fe106 100644 --- a/libstb/secvar/backend/edk2-compat-process.c +++ b/libstb/secvar/backend/edk2-compat-process.c @@ -192,6 +192,9 @@ int get_auth_descriptor2(const void *buf, const size_t buflen, void **auth_buffe auth_buffer_size = sizeof(auth->timestamp) + sizeof(auth->auth_info.hdr) + sizeof(auth->auth_info.cert_type) + len; + if (auth_buffer_size > buflen) + return OPAL_PARAMETER; + *auth_buffer = zalloc(auth_buffer_size); if (!(*auth_buffer)) return OPAL_NO_MEM; diff --git a/libstb/secvar/test/secvar-test-edk2-compat.c b/libstb/secvar/test/secvar-test-edk2-compat.c index 100fda7..a3b1613 100644 --- a/libstb/secvar/test/secvar-test-edk2-compat.c +++ b/libstb/secvar/test/secvar-test-edk2-compat.c @@ -91,6 +91,7 @@ int run_test() struct secvar *tmp; size_t tmp_size; char empty[64] = {0}; + void *data; /* The sequence of test cases here is important to ensure that * timestamp checks work as expected. */ @@ -253,6 +254,24 @@ int run_test() ASSERT(NULL != tmp); ASSERT(0 == tmp->data_size); + printf("Try truncated KEK < size of auth structure:\n"); + data = malloc(1467); + memcpy(data, KEK_auth, 1467); + tmp = new_secvar("KEK", 4, data, 1467, 0); + rc = edk2_compat_validate(tmp); + ASSERT(0 == rc); + list_add_tail(&update_bank, &tmp->link); + ASSERT(1 == list_length(&update_bank)); + + rc = edk2_compat_process(&variable_bank, &update_bank); + ASSERT(0 != rc); + ASSERT(5 == list_length(&variable_bank)); + ASSERT(0 == list_length(&update_bank)); + tmp = find_secvar("KEK", 4, &variable_bank); + ASSERT(NULL != tmp); + ASSERT(0 == tmp->data_size); + free(data); + /* Add valid KEK, .process(), succeeds. */ printf("Add KEK"); tmp = new_secvar("KEK", 4, KEK_auth, KEK_auth_len, 0); |