[Skiboot] [PATCH v4 1/2] secvar: return error if validate_esl has extra data

Vasant Hegde hegdevasant at linux.vnet.ibm.com
Tue Jul 20 17:33:55 AEST 2021


On 7/13/21 7:30 PM, Nick Child wrote:
> Currently, in `validate_esl_list`, the return code is initialized to zero
> (our success value). While looping though the ESL's in the submitted ESL
> chain, the loop will break if there is not enough data to meet minimum ESL
> requirements. This condition was not setting a return code, meaning that the
> successful return code can pass to the end of the function if there is extra
> data at the end of the ESL. As a consequence, any properly signed update can
> successfully commit any data (as long as it is less than the min size of an
> ESL) to the secvars.
> 
> This commit will return an error if the described condition is met. This
> means all data in the appended ESL of an auth file must be accounted for. No
> extra bytes can be added to the end since, on success, this data will become
> the updated secvar.
> 
> Additionally, a test case has been added to ensure that this commit
> addresses the issue correctly.
> 
> Signed-off-by: Nick Child <nick.child at ibm.com>
> Reviewed-by: Nayna Jain <nayna at linux.ibm.com>
> Tested-by: Nayna Jain <nayna at linux.ibm.com>

Thanks! Merged series to master as of 56658ad4a0.

-Vasant



More information about the Skiboot mailing list