[Skiboot] [PATCH v2] libstb: Fix memcpy overread in fakenv_readpublic()

Reza Arbab arbab at linux.ibm.com
Tue Jun 14 06:42:16 AEST 2022


On Fri, May 27, 2022 at 03:36:51PM -0500, Reza Arbab wrote:
>Caught by `make check` on fedora-rawhide (GCC 12):
>
>  libstb/secvar/test/../storage/fakenv_ops.c: In function 'fakenv_readpublic':
>  libstb/secvar/test/../storage/fakenv_ops.c:155:17: error: 'memcpy' reading 134 bytes from a region of size 34 [-Werror=stringop-overread]
>    155 |                 memcpy(&nv_name->t.name, tpmnv_vars_name, sizeof(TPM2B_NAME));
>        |                 ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>  In file included from libstb/secvar/test/secvar-test-secboot-tpm.c:5:
>  libstb/secvar/test/../storage/secboot_tpm.c:35:15: note: source object 'tpmnv_vars_name' of size 34
>     35 | const uint8_t tpmnv_vars_name[] = {
>        |               ^~~~~~~~~~~~~~~
>  libstb/secvar/test/../storage/fakenv_ops.c:158:17: error: 'memcpy' reading 134 bytes from a region of size 34 [-Werror=stringop-overread]
>    158 |                 memcpy(&nv_name->t.name, tpmnv_control_name, sizeof(TPM2B_NAME));
>        |                 ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>  libstb/secvar/test/../storage/secboot_tpm.c:41:15: note: source object 'tpmnv_control_name' of size 34
>     41 | const uint8_t tpmnv_control_name[] = {
>        |               ^~~~~~~~~~~~~~~~~~
>
>The source and destination of each memcpy have known sizes, and we are
>copying the smaller buffer into the larger one, so change the memcpy
>size to that of the smaller buffer.

Applied to master.

-- 
Reza Arbab
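
An added example, not code from the patch or from skiboot: the overread pattern GCC 12 flagged, next to a copy bounded by the smaller (source) buffer as the commit message describes. `struct demo_name`, `demo_src_name`, `copy_bounded()` and `read_demo_name()` are hypothetical stand-ins; only the sizes 134 and 34 come from the diagnostic above.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed stand-in for the destination type: 134 bytes, the size in
 * the GCC diagnostic. This is not the real TPM2B_NAME definition. */
struct demo_name {
	uint16_t size;
	uint8_t name[132];
};

/* Constructed 34-byte source, the size reported for the name arrays. */
static const uint8_t demo_src_name[34] = { 0x00, 0x0b, 0xaa, 0xbb };

/* Fail the build if the assumptions behind the copy stop holding. */
_Static_assert(sizeof(struct demo_name) == 134, "demo type must be 134 bytes");
_Static_assert(sizeof(demo_src_name) <= sizeof(struct demo_name),
	       "source must fit in destination");

/* Copy src into dst only if it fits, zeroing the unused tail of dst.
 * Returns the number of bytes copied, or -1 if the copy is refused. */
static int copy_bounded(void *dst, size_t dst_len,
			const void *src, size_t src_len)
{
	if (!dst || !src || src_len > dst_len)
		return -1;
	memset(dst, 0, dst_len);
	memcpy(dst, src, src_len);	/* length of the smaller buffer */
	return (int)src_len;
}

/* Hypothetical call site. The overreading form would be:
 *   memcpy(out, demo_src_name, sizeof(struct demo_name));
 * which reads 134 bytes from a 34-byte object (-Wstringop-overread). */
static int read_demo_name(struct demo_name *out)
{
	return copy_bounded(out, sizeof(*out),
			    demo_src_name, sizeof(demo_src_name));
}

int main(void)
{
	struct demo_name n;

	return read_demo_name(&n) == (int)sizeof(demo_src_name) ? 0 : 1;
}
```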

