[Skiboot-stable] [PATCH 6.7.x 1/4] secvar/backend: Don't overread data in auth descriptor
Daniel Axtens
dja at axtens.net
Wed Jul 21 14:00:27 AEST 2021
commit 15da2fd447c04a9f6ea53b8f8bdfaa7cbc6ea520 upstream
Catch another OOB read picked up by the fuzzer.
Signed-off-by: Daniel Axtens <dja at axtens.net>
Reviewed-by: Nayna Jain <nayna at linux.ibm.com>
Tested-by: Nayna Jain <nayna at linux.ibm.com>
Signed-off-by: Vasant Hegde <hegdevasant at linux.vnet.ibm.com>
---
libstb/secvar/backend/edk2-compat-process.c | 3 +++
libstb/secvar/test/secvar-test-edk2-compat.c | 19 +++++++++++++++++++
2 files changed, 22 insertions(+)
diff --git a/libstb/secvar/backend/edk2-compat-process.c b/libstb/secvar/backend/edk2-compat-process.c
index c0006a5e908e..99fe10631139 100644
--- a/libstb/secvar/backend/edk2-compat-process.c
+++ b/libstb/secvar/backend/edk2-compat-process.c
@@ -192,6 +192,9 @@ int get_auth_descriptor2(const void *buf, const size_t buflen, void **auth_buffe
auth_buffer_size = sizeof(auth->timestamp) + sizeof(auth->auth_info.hdr)
+ sizeof(auth->auth_info.cert_type) + len;
+ if (auth_buffer_size > buflen)
+ return OPAL_PARAMETER;
+
*auth_buffer = zalloc(auth_buffer_size);
if (!(*auth_buffer))
return OPAL_NO_MEM;
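Review bot: The added guard `if (auth_buffer_size > buflen)` runs only after the sum has been formed, so it is sound only if `len` is already bounded and the addition cannot wrap or truncate. Both the bound on `len` and the declared type of `auth_buffer_size` lie outside this hunk. If `auth_buffer_size` turns out to be a signed type, the comparison against the `size_t` `buflen` relies on implicit conversion; keeping the size in a `size_t` until the return would avoid that. A one-line comment above the check would also help the next reader, e.g. `/* descriptor (fixed header + pkcs7 data) must lie entirely inside buf */`. The body of get_auth_descriptor2 starts and ends outside the hunk.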
diff --git a/libstb/secvar/test/secvar-test-edk2-compat.c b/libstb/secvar/test/secvar-test-edk2-compat.c
index 100fda7d008d..a3b1613a711a 100644
--- a/libstb/secvar/test/secvar-test-edk2-compat.c
+++ b/libstb/secvar/test/secvar-test-edk2-compat.c
@@ -91,6 +91,7 @@ int run_test()
struct secvar *tmp;
size_t tmp_size;
char empty[64] = {0};
+ void *data;
/* The sequence of test cases here is important to ensure that
* timestamp checks work as expected. */
@@ -253,6 +254,24 @@ int run_test()
ASSERT(NULL != tmp);
ASSERT(0 == tmp->data_size);
+ printf("Try truncated KEK < size of auth structure:\n");
+ data = malloc(1467);
+ memcpy(data, KEK_auth, 1467);
+ tmp = new_secvar("KEK", 4, data, 1467, 0);
+ rc = edk2_compat_validate(tmp);
+ ASSERT(0 == rc);
+ list_add_tail(&update_bank, &tmp->link);
+ ASSERT(1 == list_length(&update_bank));
+
+ rc = edk2_compat_process(&variable_bank, &update_bank);
+ ASSERT(0 != rc);
+ ASSERT(5 == list_length(&variable_bank));
+ ASSERT(0 == list_length(&update_bank));
+ tmp = find_secvar("KEK", 4, &variable_bank);
+ ASSERT(NULL != tmp);
+ ASSERT(0 == tmp->data_size);
+ free(data);
+
/* Add valid KEK, .process(), succeeds. */
printf("Add KEK");
tmp = new_secvar("KEK", 4, KEK_auth, KEK_auth_len, 0);
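Review bot: `data = malloc(1467);` is handed to `memcpy` without a NULL check, and the length 1467 appears three times with no indication of how it relates to the auth structure size named in the printf. Adding `ASSERT(NULL != data);` after the allocation and a named constant with a short comment, for example `const size_t trunc_len = 1467; /* shorter than the auth descriptor carried in KEK_auth */`, would make the case self-explaining. The copy also assumes the KEK_auth fixture holds at least 1467 bytes, which is not visible here; `ASSERT(KEK_auth_len >= 1467);` before the `memcpy` would pin that down. run_test continues beyond this hunk.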
--
2.30.2