[Skiboot] [PATCH 2/7] secvar/backend: Don't overread data in auth descriptor
Daniel Axtens dja at axtens.net
Thu Jul  1 22:41:01 AEST 2021

Catch another OOB read picked up by the fuzzer.
Signed-off-by: Daniel Axtens <dja at axtens.net>
---
 libstb/secvar/backend/edk2-compat-process.c | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/libstb/secvar/backend/edk2-compat-process.c b/libstb/secvar/backend/edk2-compat-process.c
index dff96446dc48..ab8efd9b2573 100644
--- a/libstb/secvar/backend/edk2-compat-process.c
+++ b/libstb/secvar/backend/edk2-compat-process.c
@@ -195,6 +195,9 @@ int get_auth_descriptor2(const void *buf, const size_t buflen, void **auth_buffe
 	auth_buffer_size = sizeof(auth->timestamp) + sizeof(auth->auth_info.hdr)
 			   + sizeof(auth->auth_info.cert_type) + len;
 
+	if (auth_buffer_size > buflen)
+		return OPAL_PARAMETER;
+
 	*auth_buffer = zalloc(auth_buffer_size);
 	if (!(*auth_buffer))
 		return OPAL_NO_MEM;
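
Review bot: the new `auth_buffer_size > buflen` test runs after `auth_buffer_size` has already been computed as the fixed header sizes plus `len`, so it only bounds the later read if that addition cannot wrap. The types of `len` and `auth_buffer_size` are not visible in this hunk; if `len` is taken from the caller-supplied buffer and the sum can overflow or be truncated, a wrapped value would pass this test and still be used for the allocation that follows. Consider comparing `len` against `buflen` minus the fixed sizes before the addition, or confirm that an earlier check in `get_auth_descriptor2()` already bounds `len`. A one-line comment stating which later access to `buf` this guards would also help, since the commit message does not name it.
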
-- 
2.30.2
    
    