[Skiboot] [PATCH v3 1/4] secvar/backend: Don't overread data in auth descriptor

Daniel Axtens dja at axtens.net
Wed Jul 14 12:57:12 AEST 2021


Catch another OOB read picked up by the fuzzer.

Signed-off-by: Daniel Axtens <dja at axtens.net>
---
 libstb/secvar/backend/edk2-compat-process.c  |  3 +++
 libstb/secvar/test/secvar-test-edk2-compat.c | 19 +++++++++++++++++++
 2 files changed, 22 insertions(+)

diff --git a/libstb/secvar/backend/edk2-compat-process.c b/libstb/secvar/backend/edk2-compat-process.c
index dff96446dc48..ab8efd9b2573 100644
--- a/libstb/secvar/backend/edk2-compat-process.c
+++ b/libstb/secvar/backend/edk2-compat-process.c
@@ -195,6 +195,9 @@ int get_auth_descriptor2(const void *buf, const size_t buflen, void **auth_buffe
 	auth_buffer_size = sizeof(auth->timestamp) + sizeof(auth->auth_info.hdr)
 			   + sizeof(auth->auth_info.cert_type) + len;
 
+	if (auth_buffer_size > buflen)
+		return OPAL_PARAMETER;
+
 	*auth_buffer = zalloc(auth_buffer_size);
 	if (!(*auth_buffer))
 		return OPAL_NO_MEM;
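Review bot: The new `auth_buffer_size > buflen` check compares a sum, so it only catches the overread when the addition on the two preceding lines does not wrap; if `len` is derived from an untrusted header length field (its computation is outside this hunk, so this is inferred), a very large `len` would wrap `auth_buffer_size` back to a small value and pass the check. Bounding `len` directly avoids the arithmetic: `if (len > buflen - (sizeof(auth->timestamp) + sizeof(auth->auth_info.hdr) + sizeof(auth->auth_info.cert_type))) return OPAL_PARAMETER;`, which assumes the fixed-size part has already been checked against `buflen` earlier in the function — worth confirming. A short comment on the check would also help the next reader: `/* len comes from the descriptor itself; make sure the whole auth structure lies within buf */`. The body of get_auth_descriptor2 starts and ends outside the hunk.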
diff --git a/libstb/secvar/test/secvar-test-edk2-compat.c b/libstb/secvar/test/secvar-test-edk2-compat.c
index 3532eb6247d3..85333178f16c 100644
--- a/libstb/secvar/test/secvar-test-edk2-compat.c
+++ b/libstb/secvar/test/secvar-test-edk2-compat.c
@@ -92,6 +92,7 @@ int run_test()
 	struct secvar *tmp;
 	size_t tmp_size;
 	char empty[64] = {0};
+	void *data;
 
 	/* The sequence of test cases here is important to ensure that
 	 * timestamp checks work as expected. */
@@ -254,6 +255,24 @@ int run_test()
 	ASSERT(NULL != tmp);
 	ASSERT(0 == tmp->data_size);
 
+	printf("Try truncated KEK < size of auth structure:\n");
+	data = malloc(1467);
+	memcpy(data, KEK_auth, 1467);
+	tmp = new_secvar("KEK", 4, data, 1467, 0);
+	rc = edk2_compat_validate(tmp);
+	ASSERT(0 == rc);
+	list_add_tail(&update_bank, &tmp->link);
+	ASSERT(1 == list_length(&update_bank));
+
+	rc = edk2_compat_process(&variable_bank, &update_bank);
+	ASSERT(0 != rc);
+	ASSERT(5 == list_length(&variable_bank));
+	ASSERT(0 == list_length(&update_bank));
+	tmp = find_secvar("KEK", 4, &variable_bank);
+	ASSERT(NULL != tmp);
+	ASSERT(0 == tmp->data_size);
+	free(data);
+
 	/* Add valid KEK, .process(), succeeds. */
 	printf("Add KEK");
 	tmp = new_secvar("KEK", 4, KEK_auth, KEK_auth_len, 0);
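Review bot: The `malloc(1467)` result is used by `memcpy` without a check, so an allocation failure would turn this test into a crash unrelated to the code under test; add `ASSERT(NULL != data);` after the allocation, consistent with the other `ASSERT(NULL != tmp)` checks in the file. The literal `1467` also appears three times with nothing tying it to the layout it is meant to truncate; a named constant or a comment such as `/* cut the KEK update short so the auth descriptor claims more data than the buffer holds */` would make the intent clear, and deriving the value from `KEK_auth_len` would keep it valid if the fixture changes. run_test continues outside the hunk.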
-- 
2.30.2


