[Skiboot] [PATCH v3 1/2] secvar: ensure ESL buf size is at least what ESL header expects

Vasant Hegde hegdevasant at linux.vnet.ibm.com
Tue Jul 20 01:50:06 AEST 2021


On 7/2/21 12:28 AM, Nick Child wrote:
> Currently, `get_esl_cert` receives a data buffer containing an ESL and its
> length. It is to return a data buffer of the certificate that is contained
> inside the ESL. The ESL has header info that contains the certificates
> `size`  and the size of the header (`sig_data_offset`). We use this
> information to copy `size` bytes starting `sig_data_offset` bytes after the
> given ESL buffer. Currently we are checking that the length of the ESL
> buffer is at least `sig_data_offset` bytes but we are not checking that it
> also has enough bytes to also contain `size` bytes of the certificate. This
> becomes problematic if some data at the end of the ESL gets lost. Since the
> ESL claims it has more than it actually does, this will lead to a buffer
> over-read. What is even worse, is that this buffer over-read can go
> unnoticed since the last 256 bytes of the ESL are usually the X.509 2048-bit
> signature so the extra garbage bytes that are copied will appear to be a
> valid RSA signature.
> 
> To resolve this, this commit ensures that the ESL buffer length is large
> enough to hold the data that it claims it contains.
> 
> Lastly, a new test case is added to test the described condition. It
> includes a new test file `trimmedKEK.h` which contains a struct of a valid KEK
> auth file minus 5 bytes, therefore making it invalid.
> 
> Signed-off-by: Nick Child <nick.child at ibm.com>
> Reviewed-by: Daniel Axtens <dja at axtens.net>
> Reviewed-by: Nayna Jain <nayna at linux.ibm.com>
> Tested-by: Nayna Jain <nayna at linux.ibm.com>

Thanks! Merged series to master as of 0917fd18ac.

-Vasant
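The bounds check the commit message describes, worked through in C as an added example. This is not skiboot's code and does not use its ESL parser or the real EFI_SIGNATURE_LIST layout: `struct toy_esl_hdr`, `toy_esl_check_before_fix`, `toy_esl_check_after_fix` and `toy_esl_get_cert` are constructed for this illustration and model only the two header fields named above, `size` and `sig_data_offset`. It builds a well-formed ESL, trims 5 bytes off the end as the new test case does, and shows that the old check (buffer at least `sig_data_offset` bytes) still accepts the trimmed buffer while the fixed check (buffer also holds `size` bytes past the offset) rejects it. The fixed check is written as a subtraction after validating the offset so that header values near `UINT32_MAX` cannot wrap the addition `sig_data_offset + size` and slip past the comparison.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Constructed, simplified ESL header for this example. Only the two fields
 * the commit message discusses are modelled: the certificate size and the
 * offset at which the certificate starts. The real EFI_SIGNATURE_LIST
 * carries more fields; this is not skiboot's layout.
 */
struct toy_esl_hdr {
    uint32_t size;            /* bytes of certificate the ESL claims to hold */
    uint32_t sig_data_offset; /* offset of the certificate from buffer start */
};

/* Copy the header out of a raw buffer; fails if even the header is short. */
static bool toy_esl_read_hdr(const uint8_t *buf, size_t buflen,
                             struct toy_esl_hdr *hdr)
{
    if (buf == NULL || buflen < sizeof(*hdr))
        return false;
    memcpy(hdr, buf, sizeof(*hdr)); /* memcpy avoids unaligned access */
    return true;
}

/* The pre-fix check: only the header offset is compared against buflen. */
bool toy_esl_check_before_fix(size_t buflen, const struct toy_esl_hdr *hdr)
{
    return buflen >= hdr->sig_data_offset;
}

/* The fixed check: the buffer must also hold `size` bytes past the offset.
 * Written as a subtraction so header values near UINT32_MAX cannot wrap. */
bool toy_esl_check_after_fix(size_t buflen, const struct toy_esl_hdr *hdr)
{
    if (hdr->sig_data_offset > buflen)
        return false;
    return hdr->size <= buflen - hdr->sig_data_offset;
}

/*
 * Hypothetical certificate extractor using the fixed check. Returns a
 * malloc'd copy of the certificate and sets *certlen, or returns NULL when
 * the ESL claims more bytes than the buffer actually contains.
 */
uint8_t *toy_esl_get_cert(const uint8_t *buf, size_t buflen, size_t *certlen)
{
    struct toy_esl_hdr hdr;
    uint8_t *cert;

    if (!toy_esl_read_hdr(buf, buflen, &hdr))
        return NULL;
    if (!toy_esl_check_after_fix(buflen, &hdr) || hdr.size == 0)
        return NULL;
    cert = malloc(hdr.size);
    if (cert == NULL)
        return NULL;
    memcpy(cert, buf + hdr.sig_data_offset, hdr.size); /* now in bounds */
    *certlen = hdr.size;
    return cert;
}

/* Build a constructed ESL: the 8-byte header followed by `certlen` 0xAB bytes. */
size_t toy_esl_build(uint8_t *out, size_t outcap, uint32_t certlen)
{
    struct toy_esl_hdr hdr = { .size = certlen, .sig_data_offset = sizeof(hdr) };
    size_t total = sizeof(hdr) + certlen;
    if (outcap < total)
        return 0;
    memcpy(out, &hdr, sizeof(hdr));
    memset(out + sizeof(hdr), 0xAB, certlen);
    return total;
}

/* The commit message's scenario: a well-formed ESL versus the same ESL with
 * its last 5 bytes lost. Returns true when the old check accepts the trimmed
 * buffer (the over-read), the fixed check rejects it, and the extractor
 * therefore returns NULL instead of copying past the end. */
bool toy_esl_demo_trimmed(void)
{
    uint8_t esl[64];
    struct toy_esl_hdr hdr;
    size_t len = toy_esl_build(esl, sizeof(esl), 32);
    if (len == 0 || !toy_esl_read_hdr(esl, len, &hdr))
        return false;
    size_t trimmed = len - 5;
    bool old_accepts = toy_esl_check_before_fix(trimmed, &hdr);
    bool new_rejects = !toy_esl_check_after_fix(trimmed, &hdr);
    size_t certlen = 0;
    uint8_t *cert = toy_esl_get_cert(esl, trimmed, &certlen);
    bool fixed_returns_null = (cert == NULL);
    free(cert);
    return old_accepts && new_rejects && fixed_returns_null;
}

int main(void)
{
    printf("trimmed ESL rejected only by fixed check: %s\n",
           toy_esl_demo_trimmed() ? "yes" : "no");
    return 0;
}
```

The same `trimmed` length passes the old predicate because `sig_data_offset` (8) is well within 35 bytes; it is the 32-byte claim in `size` that the old code never compared against the buffer, which is exactly the gap the patch closes.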


