[Skiboot] [PATCH 0/7] Fuzzers and fixes for secure variables
Daniel Axtens
dja at axtens.net
Thu Jul 1 22:40:59 AEST 2021
I hooked up LLVM's libfuzzer to libstb/secvar and found some mostly
minor bugs.

My series applies on top of Nick Child's latest (which fixes some other
bugs that could be found by fuzzing).

Patches 1-4 are bugs in the secvar code. Nothing too major; I think the
worst case would be a DoS. (Although I haven't checked how resilient our
zalloc is to very large inputs which can happen without patch 3.)

Patch 5 fixes a bug in our pkcs7 implementation in mbedtls. I think it's
limited to an out-of-bounds read of <8 bytes.

Patch 6 cleans up some code and is correspondingly less urgent.

Patch 7 is the WIP RFC of how I put the fuzzers together and includes
instructions on how to use them yourself. It's not ready to be merged yet.

Daniel Axtens (7):
  secvar/backend: Don't overread short variables in validate
  secvar/backend: Don't overread data in auth descriptor
  secvar/backend: fix an integer underflow bug
  secvar/backend: fix a memory leak in get_pkcs7
  pkcs7: pkcs7_get_content_info_type should reset *p on error
  secvar/backend: get_pkcs7_len should return a signed type
  [RFC] secvar: add fuzzers

 core/test/stubs.c                             |  11 +-
 libstb/crypto/pkcs7/pkcs7.c                   |   4 +-
 libstb/secvar/backend/edk2-compat-process.c   |  26 ++-
 libstb/secvar/backend/edk2-compat.c           |   3 +
 libstb/secvar/test/Makefile.check             |  22 ++-
 libstb/secvar/test/secvar-fuzz-db.c           |   5 +
 libstb/secvar/test/secvar-fuzz-dbx.c          |   5 +
 libstb/secvar/test/secvar-fuzz-pkcs7.c        |  23 +++
 libstb/secvar/test/secvar-fuzz-setup-mode.c   |   4 +
 libstb/secvar/test/secvar-generic-fuzz-edk2.c | 177 ++++++++++++++++++
 10 files changed, 270 insertions(+), 10 deletions(-)
 create mode 100644 libstb/secvar/test/secvar-fuzz-db.c
 create mode 100644 libstb/secvar/test/secvar-fuzz-dbx.c
 create mode 100644 libstb/secvar/test/secvar-fuzz-pkcs7.c
 create mode 100644 libstb/secvar/test/secvar-fuzz-setup-mode.c
 create mode 100644 libstb/secvar/test/secvar-generic-fuzz-edk2.c

--
2.30.2