From patchwork Wed Jul 21 04:00:27 2021
X-Patchwork-Submitter: Daniel Axtens
X-Patchwork-Id: 1507897
ESMTPSA id z6sm4687832pgs.4.2021.07.20.21.00.38 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 20 Jul 2021 21:00:39 -0700 (PDT) From: Daniel Axtens To: skiboot-stable@lists.ozlabs.org Date: Wed, 21 Jul 2021 14:00:27 +1000 Message-Id: <20210721040030.29050-2-dja@axtens.net> X-Mailer: git-send-email 2.30.2 In-Reply-To: <20210721040030.29050-1-dja@axtens.net> References: <20210721040030.29050-1-dja@axtens.net> MIME-Version: 1.0 X-Mailman-Approved-At: Wed, 21 Jul 2021 15:18:32 +1000 Subject: [Skiboot-stable] [PATCH 6.7.x 1/4] secvar/backend: Don't overread data in auth descriptor X-BeenThere: skiboot-stable@lists.ozlabs.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: "Patches, review, and discussion for stable releases of skiboot" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: nick.child@ibm.com, nayna@linux.ibm.com, Daniel Axtens Errors-To: skiboot-stable-bounces+incoming=patchwork.ozlabs.org@lists.ozlabs.org Sender: "Skiboot-stable" commit 15da2fd447c04a9f6ea53b8f8bdfaa7cbc6ea520 upstream Catch another OOB read picked up by the fuzzer. Signed-off-by: Daniel Axtens Reviewed-by: Nayna Jain Tested-by: Nayna Jain Signed-off-by: Vasant Hegde --- libstb/secvar/backend/edk2-compat-process.c | 3 +++ libstb/secvar/test/secvar-test-edk2-compat.c | 19 +++++++++++++++++++ 2 files changed, 22 insertions(+) diff --git a/libstb/secvar/backend/edk2-compat-process.c b/libstb/secvar/backend/edk2-compat-process.c index c0006a5e908e..99fe10631139 100644 --- a/libstb/secvar/backend/edk2-compat-process.c +++ b/libstb/secvar/backend/edk2-compat-process.c @@ -192,6 +192,9 @@ int get_auth_descriptor2(const void *buf, const size_t buflen, void **auth_buffe auth_buffer_size = sizeof(auth->timestamp) + sizeof(auth->auth_info.hdr) + sizeof(auth->auth_info.cert_type) + len; + if (auth_buffer_size > buflen) + return OPAL_PARAMETER; + *auth_buffer = zalloc(auth_buffer_size); if (!(*auth_buffer)) return OPAL_NO_MEM; 
diff --git a/libstb/secvar/test/secvar-test-edk2-compat.c b/libstb/secvar/test/secvar-test-edk2-compat.c index 100fda7d008d..a3b1613a711a 100644 --- a/libstb/secvar/test/secvar-test-edk2-compat.c +++ b/libstb/secvar/test/secvar-test-edk2-compat.c @@ -91,6 +91,7 @@ int run_test() struct secvar *tmp; size_t tmp_size; char empty[64] = {0}; + void *data; /* The sequence of test cases here is important to ensure that * timestamp checks work as expected. */ @@ -253,6 +254,24 @@ int run_test() ASSERT(NULL != tmp); ASSERT(0 == tmp->data_size); + printf("Try truncated KEK < size of auth structure:\n"); + data = malloc(1467); + memcpy(data, KEK_auth, 1467); + tmp = new_secvar("KEK", 4, data, 1467, 0); + rc = edk2_compat_validate(tmp); + ASSERT(0 == rc); + list_add_tail(&update_bank, &tmp->link); + ASSERT(1 == list_length(&update_bank)); + + rc = edk2_compat_process(&variable_bank, &update_bank); + ASSERT(0 != rc); + ASSERT(5 == list_length(&variable_bank)); + ASSERT(0 == list_length(&update_bank)); + tmp = find_secvar("KEK", 4, &variable_bank); + ASSERT(NULL != tmp); + ASSERT(0 == tmp->data_size); + free(data); + /* Add valid KEK, .process(), succeeds. */ printf("Add KEK"); tmp = new_secvar("KEK", 4, KEK_auth, KEK_auth_len, 0);
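Review bot: in the edk2-compat-process.c hunk, the new "auth_buffer_size > buflen" check in get_auth_descriptor2 guards the variable-length tail of the descriptor, but the hunk does not show where len comes from or whether it is bounded before the sum sizeof(auth->timestamp) + sizeof(auth->auth_info.hdr) + sizeof(auth->auth_info.cert_type) + len is formed. If len is taken from a length field inside buf, an oversized value could wrap the addition and slip past the comparison; bounding len first, or comparing len against buflen minus the fixed header size, avoids relying on the sum. It would also be worth stating in the commit message that the fixed-size fields (timestamp, hdr, cert_type) are already validated against buflen before they are read, since this check runs after those fields have been used to compute the size.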
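Review bot: in the secvar-test-edk2-compat.c hunk that adds the truncated-KEK case, the bare constant 1467 appears four times with no explanation of how it was chosen; a short comment, or a local const size_t for the truncated length, saying that it cuts KEK_auth off inside the descriptor so the new buflen check fires would make the test readable. The copy of KEK_auth into a freshly malloc'd buffer of exactly that size also deserves a one-line comment, since the reason for copying instead of passing KEK_auth with a shorter length is presumably that an overread past the end of an exactly-sized heap allocation is what the fuzzer or sanitizer detects. Two smaller points: malloc(1467) is used without a NULL check, and ASSERT(0 != rc) accepts any failure, whereas the fix returns OPAL_PARAMETER, so asserting that exact value would catch a regression that fails for a different reason.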