phosphor-host-ipmid will crash on aarch64

William Kennington wak at google.com
Thu May 20 12:42:17 AEST 2021


Looks like it could crash if the file was generated on a 32-bit system
then updates, or if the file is created without data and read by the
handler. It's definitely missing some sanity checks. Given that it's
serializing data to disk, it really should have used fixed sizes.

On Wed, May 19, 2021 at 7:37 PM Patrick Williams <patrick at stwcx.xyz> wrote:
>
> On Mon, May 17, 2021 at 03:21:14AM +0000, CS20 CTCchien wrote:
> > Hi Rthomaiy,  Vmauery,  Pstrinkle, Jayaprakashmutyala,
> >
> > When I build phosphor-host-ipmid for aarch64 platform, size_t will be 8 bytes, but in aarch32 sizte_t will be 4 bytes, so ipmid will crash at https://github.com/openbmc/phosphor-host-ipmid/blob/master/user_channel/passwd_mgr.cpp#L323, due to the data size of hashsize and ivsize and padsize and macsize is 4 bytes in /etc/ipmi_pass, but ipmid will read those data as 8 bytes.
>
> Why does the data end up being only 4 bytes in the file?  As best I can
> tell line 538 is where the data is written and it also uses
> sizeof(MetaPassStruct) to determine the amount to write.
>
> > /*
> > * Meta data struct for encrypted password file
> > */
> > struct MetaPassStruct
> > {
> >     char signature[10];
> >     unsigned char reseved[2];
> >     size_t hashSize;
> >     size_t ivSize;
> >     size_t dataSize;
> >     size_t padSize;
> >     size_t macSize;
> > };
> >
> > If I replace size_t in this structure with unsigned int, then ipmid will not crash at this point.
>
> We generally want to use 'size_t' for things which are sizes.  The code
> here is a little dangerous in that it is doing a raw cast to/from the
> in-memory structure rather than doing a real serialization.
>
> I'm not really seeing where the code is inconsistent with itself though
> that would contribut to a crash.
>
> > But those fields in this structure are also used to store the return value from other functions, like EVP_MD_block_size(),
> > And the return type is also size_t.
> >
> --
> Patrick Williams


More information about the openbmc mailing list