[Skiboot] [PATCH v2] libstb: Fix memcpy overread in fakenv_readpublic()
Reza Arbab
arbab at linux.ibm.com
Tue Jun 14 06:42:16 AEST 2022
On Fri, May 27, 2022 at 03:36:51PM -0500, Reza Arbab wrote:
>Caught by `make check` on fedora-rawhide (GCC 12):
>
> libstb/secvar/test/../storage/fakenv_ops.c: In function 'fakenv_readpublic':
> libstb/secvar/test/../storage/fakenv_ops.c:155:17: error: 'memcpy' reading 134 bytes from a region of size 34 [-Werror=stringop-overread]
> 155 | memcpy(&nv_name->t.name, tpmnv_vars_name, sizeof(TPM2B_NAME));
> | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> In file included from libstb/secvar/test/secvar-test-secboot-tpm.c:5:
> libstb/secvar/test/../storage/secboot_tpm.c:35:15: note: source object 'tpmnv_vars_name' of size 34
> 35 | const uint8_t tpmnv_vars_name[] = {
> | ^~~~~~~~~~~~~~~
> libstb/secvar/test/../storage/fakenv_ops.c:158:17: error: 'memcpy' reading 134 bytes from a region of size 34 [-Werror=stringop-overread]
> 158 | memcpy(&nv_name->t.name, tpmnv_control_name, sizeof(TPM2B_NAME));
> | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> libstb/secvar/test/../storage/secboot_tpm.c:41:15: note: source object 'tpmnv_control_name' of size 34
> 41 | const uint8_t tpmnv_control_name[] = {
> | ^~~~~~~~~~~~~~~~~~
>
>The source and destination of each memcpy have known sizes, and we are
>copying the smaller buffer into the larger one, so change the memcpy
>size to that of the smaller buffer.
Applied to master.
--
Reza Arbab
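
The change described in the quoted commit message, as an added example that is not part of the original mail or the skiboot source. `demo_name_t`, `demo_src`, `copy_name` and `demo_copy_len` are hypothetical stand-ins sized to match the 134 and 34 bytes in the GCC diagnostics. The compile-time and runtime bound checks go beyond what the message describes.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for the destination type (assumption): 2 + 132 = 134 bytes,
 * the size GCC reports for sizeof(TPM2B_NAME) in the diagnostics. */
typedef struct {
    uint16_t size;
    uint8_t  name[132];
} demo_name_t;

/* Constructed 34-byte source, the same size as tpmnv_vars_name. */
static const uint8_t demo_src[34] = { 0x00, 0x0b, 0xde, 0xad, 0xbe, 0xef };

/* Compile-time guarantee that the smaller buffer fits in the larger one. */
_Static_assert(sizeof(demo_src) <= sizeof(((demo_name_t *)0)->name),
               "source name must fit in destination");

/* The flagged pattern, kept as a comment because running it is undefined
 * behaviour: the length comes from the destination type, so memcpy reads
 * 134 bytes out of a 34-byte object.
 *
 *     memcpy(&dst->name, demo_src, sizeof(demo_name_t));
 */

/* Bounded copy: the length comes from the source and is checked against
 * the destination capacity. Returns bytes copied, or -1 if it cannot fit. */
static int copy_name(demo_name_t *dst, const uint8_t *src, size_t src_len)
{
    if (src_len > sizeof(dst->name))
        return -1;
    memset(dst, 0, sizeof(*dst));
    memcpy(dst->name, src, src_len);
    return (int)src_len;
}

/* Runs the bounded copy on the constructed source. */
static int demo_copy_len(void)
{
    demo_name_t n;
    return copy_name(&n, demo_src, sizeof(demo_src));
}

int main(void)
{
    printf("copied %d bytes\n", demo_copy_len());
    return 0;
}
```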