[Skiboot] [PATCH 0/7] Fuzzers and fixes for secure variables

Daniel Axtens dja at axtens.net
Thu Jul 1 22:40:59 AEST 2021

I hooked up LLVM's libfuzzer to libstb/secvar and found some mostly
minor bugs.

My series applies on top of Nick Child's latest (which fixes some other
bugs that could be found by fuzzing).

Patches 1-4 are bugs in the secvar code. Nothing too major; I think the
worst case would be a DoS. (Although I haven't checked how resilient our
zalloc is to very large inputs, which can happen without patch 3.)

Patch 5 fixes a bug in our pkcs7 implementation in mbedtls. I think it's
limited to an out-of-bounds read of <8 bytes.

Patch 6 cleans up some code and is correspondingly less urgent.

Patch 7 is the WIP RFC of how I put the fuzzers together and includes
instructions on how to use them yourself. It's not ready to be merged yet.

Daniel Axtens (7):
  secvar/backend: Don't overread short variables in validate
  secvar/backend: Don't overread data in auth descriptor
  secvar/backend: fix an integer underflow bug
  secvar/backend: fix a memory leak in get_pkcs7
  pkcs7: pkcs7_get_content_info_type should reset *p on error
  secvar/backend: get_pkcs7_len should return a signed type
  [RFC] secvar: add fuzzers

 core/test/stubs.c                             |  11 +-
 libstb/crypto/pkcs7/pkcs7.c                   |   4 +-
 libstb/secvar/backend/edk2-compat-process.c   |  26 ++-
 libstb/secvar/backend/edk2-compat.c           |   3 +
 libstb/secvar/test/Makefile.check             |  22 ++-
 libstb/secvar/test/secvar-fuzz-db.c           |   5 +
 libstb/secvar/test/secvar-fuzz-dbx.c          |   5 +
 libstb/secvar/test/secvar-fuzz-pkcs7.c        |  23 +++
 libstb/secvar/test/secvar-fuzz-setup-mode.c   |   4 +
 libstb/secvar/test/secvar-generic-fuzz-edk2.c | 177 ++++++++++++++++++
 10 files changed, 270 insertions(+), 10 deletions(-)
 create mode 100644 libstb/secvar/test/secvar-fuzz-db.c
 create mode 100644 libstb/secvar/test/secvar-fuzz-dbx.c
 create mode 100644 libstb/secvar/test/secvar-fuzz-pkcs7.c
 create mode 100644 libstb/secvar/test/secvar-fuzz-setup-mode.c
 create mode 100644 libstb/secvar/test/secvar-generic-fuzz-edk2.c
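The bug classes the cover letter names (overreading a variable shorter than its header, an integer underflow when a length field is subtracted, a length helper that cannot signal failure) are exactly what a libFuzzer harness with AddressSanitizer tends to surface first. The following is an added example, not code from skiboot or from this patch series: it uses a hypothetical length-prefixed variable layout (4-byte total length, 4-byte name length, name, data) and shows an unchecked parser of the shape a fuzzer trips on next to a checked one, plus the `LLVMFuzzerTestOneInput` entry point that drives it. All names and the sample inputs are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>

/* Hypothetical layout for this example only (not skiboot's secvar format):
 * [u32 le total][u32 le name_len][name bytes][data bytes] */
#define VAR_HDR_LEN 8u

struct var_view {
    const uint8_t *name;
    size_t name_len;
    const uint8_t *data;
    size_t data_len;
};

static uint32_t rd_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* The unchecked shape: trusts the embedded lengths. With a 3-byte input it
 * reads past the buffer; with total < 8 + name_len the data length wraps
 * to a huge size_t. Shown for contrast only; never call it on untrusted data. */
int parse_var_unchecked(const uint8_t *buf, size_t buf_len, struct var_view *out)
{
    uint32_t total = rd_le32(buf);        /* overread when buf_len < 4 */
    uint32_t name_len = rd_le32(buf + 4); /* overread when buf_len < 8 */
    (void)buf_len;                        /* the supplied size is ignored */
    out->name = buf + VAR_HDR_LEN;
    out->name_len = name_len;
    out->data = out->name + name_len;
    out->data_len = total - VAR_HDR_LEN - name_len; /* can underflow */
    return 0;
}

/* The checked parser: every read is bounded by buf_len, and the subtraction
 * happens only after proving it cannot go below zero. Returns 0 or -1. */
int parse_var(const uint8_t *buf, size_t buf_len, struct var_view *out)
{
    uint32_t total, name_len;

    if (buf == NULL || buf_len < VAR_HDR_LEN)   /* short variable */
        return -1;
    total = rd_le32(buf);
    name_len = rd_le32(buf + 4);
    if (total < VAR_HDR_LEN || total > buf_len) /* total must fit the buffer */
        return -1;
    if (name_len > total - VAR_HDR_LEN)          /* guard the subtraction */
        return -1;

    out->name = buf + VAR_HDR_LEN;
    out->name_len = name_len;
    out->data = out->name + name_len;
    out->data_len = total - VAR_HDR_LEN - name_len;
    return 0;
}

/* libFuzzer entry point: the fuzzer calls this with arbitrary bytes. Touching
 * every byte the parser claims is valid lets ASan check the computed bounds. */
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
{
    struct var_view v;
    if (parse_var(data, size, &v) == 0) {
        volatile uint8_t sink = 0;
        for (size_t i = 0; i < v.name_len; i++) sink ^= v.name[i];
        for (size_t i = 0; i < v.data_len; i++) sink ^= v.data[i];
        (void)sink;
    }
    return 0;
}

/* Constructed inputs (not real secvar payloads) exercising each check. */
static const uint8_t good_var[]      = { 12,0,0,0, 2,0,0,0, 'd','b', 0xAA,0xBB };
static const uint8_t short_var[]     = { 12,0,0 };                 /* truncated header */
static const uint8_t truncated_var[] = { 12,0,0,0, 2,0,0,0, 'd','b' }; /* total > buf_len */
static const uint8_t underflow_var[] = { 9,0,0,0, 4,0,0,0, 'x' };  /* name_len > total-8 */

int demo_good_data_len(void)
{
    struct var_view v;
    return parse_var(good_var, sizeof good_var, &v) == 0 ? (int)v.data_len : -1;
}
int demo_short_rejected(void)     { struct var_view v; return parse_var(short_var, sizeof short_var, &v); }
int demo_truncated_rejected(void) { struct var_view v; return parse_var(truncated_var, sizeof truncated_var, &v); }
int demo_underflow_rejected(void) { struct var_view v; return parse_var(underflow_var, sizeof underflow_var, &v); }
```

Build the harness with `clang -g -fsanitize=fuzzer,address example.c` and run the resulting binary with a corpus directory; libFuzzer supplies `main`, so the file must not define one. The three rejection cases mirror the first three patches in the series: a header read on a too-short buffer, a declared length larger than what was actually supplied, and a subtraction whose operands were never compared first.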

