[Skiboot] [PATCH v2 0/7] Fuzzers and fixes for secure variables

Daniel Axtens dja at axtens.net
Thu Jul 8 17:10:33 AEST 2021


v2: Add tests, thanks Nayna Jain.

I hooked up LLVM's libfuzzer to libstb/secvar and found some mostly
minor bugs.

My series applies on top of Nick Child's fixes (which fix some other
bugs that could be found by fuzzing).

Patch 1-4 are bugs in the secvar code. Nothing too major; I think the
worst case would be a DoS. (Although I haven't checked how resilient our
zalloc is to very large inputs which can happen without patch 3.)

Patch 5 fixes a bug in our pkcs7 implementation in mbedtls. I think it's
limited to an out-of-bounds read of <8 bytes.

Patch 6 cleans up some code and is correspondingly less urgent.

Patch 7 is the WIP RFC of how I put the fuzzers together and includes
instructions on how to use them yourself. It's not ready to be merged yet.

Daniel Axtens (7):
  secvar/backend: Don't overread short variables in validate
  secvar/backend: Don't overread data in auth descriptor
  secvar/backend: fix an integer underflow bug
  secvar/backend: fix a memory leak in get_pkcs7
  pkcs7: pkcs7_get_content_info_type should reset *p on error
  secvar/backend: get_pkcs7_len should return a signed type
  [RFC] secvar: add fuzzers

 core/test/stubs.c                             |  11 +-
 libstb/crypto/pkcs7/pkcs7.c                   |   4 +-
 libstb/secvar/backend/edk2-compat-process.c   |  26 ++-
 libstb/secvar/backend/edk2-compat.c           |   3 +
 libstb/secvar/test/Makefile.check             |  27 ++-
 libstb/secvar/test/data/KEKeslcorrupt.h       | 161 ++++++++++++++++
 libstb/secvar/test/data/KEKpkcs7corrupt.h     | 161 ++++++++++++++++
 libstb/secvar/test/secvar-fuzz-db.c           |   5 +
 libstb/secvar/test/secvar-fuzz-dbx.c          |   5 +
 libstb/secvar/test/secvar-fuzz-pkcs7.c        |  23 +++
 libstb/secvar/test/secvar-fuzz-setup-mode.c   |   4 +
 libstb/secvar/test/secvar-generic-fuzz-edk2.c | 177 ++++++++++++++++++
 libstb/secvar/test/secvar-test-edk2-compat.c  |  61 ++++++
 libstb/secvar/test/secvar-test-pkcs7.c        |  32 ++++
 14 files changed, 689 insertions(+), 11 deletions(-)
 create mode 100644 libstb/secvar/test/data/KEKeslcorrupt.h
 create mode 100644 libstb/secvar/test/data/KEKpkcs7corrupt.h
 create mode 100644 libstb/secvar/test/secvar-fuzz-db.c
 create mode 100644 libstb/secvar/test/secvar-fuzz-dbx.c
 create mode 100644 libstb/secvar/test/secvar-fuzz-pkcs7.c
 create mode 100644 libstb/secvar/test/secvar-fuzz-setup-mode.c
 create mode 100644 libstb/secvar/test/secvar-generic-fuzz-edk2.c
 create mode 100644 libstb/secvar/test/secvar-test-pkcs7.c

-- 
2.30.2



More information about the Skiboot mailing list