From patchwork Thu Jul 1 12:40:59 2021
X-Patchwork-Submitter: Daniel Axtens
X-Patchwork-Id: 1499516
From: Daniel Axtens <dja@axtens.net>
To: skiboot@lists.ozlabs.org
Cc: nick.child@ibm.com, nayna@linux.ibm.com
Date: Thu, 1 Jul 2021 22:40:59 +1000
Message-Id: <20210701124106.2784003-1-dja@axtens.net>
X-Mailer: git-send-email 2.30.2
Subject: [Skiboot] [PATCH 0/7] Fuzzers and fixes for secure variables

I hooked up LLVM's libfuzzer to libstb/secvar and found some mostly minor bugs.

My series applies on top of Nick Child's latest (which fixes some other bugs that could be found by fuzzing).

Patches 1-4 are bugs in the secvar code. Nothing too major; I think the worst case would be a DoS. (Although I haven't checked how resilient our zalloc is to very large inputs, which can happen without patch 3.)

Patch 5 fixes a bug in our pkcs7 implementation in mbedtls. I think it's limited to an out-of-bounds read of <8 bytes.

Patch 6 cleans up some code and is correspondingly less urgent.

Patch 7 is the WIP RFC of how I put the fuzzers together and includes instructions on how to use them yourself. It's not ready to be merged yet.
Daniel Axtens (7):
  secvar/backend: Don't overread short variables in validate
  secvar/backend: Don't overread data in auth descriptor
  secvar/backend: fix an integer underflow bug
  secvar/backend: fix a memory leak in get_pkcs7
  pkcs7: pkcs7_get_content_info_type should reset *p on error
  secvar/backend: get_pkcs7_len should return a signed type
  [RFC] secvar: add fuzzers

 core/test/stubs.c                             |  11 +-
 libstb/crypto/pkcs7/pkcs7.c                   |   4 +-
 libstb/secvar/backend/edk2-compat-process.c   |  26 ++-
 libstb/secvar/backend/edk2-compat.c           |   3 +
 libstb/secvar/test/Makefile.check             |  22 ++-
 libstb/secvar/test/secvar-fuzz-db.c           |   5 +
 libstb/secvar/test/secvar-fuzz-dbx.c          |   5 +
 libstb/secvar/test/secvar-fuzz-pkcs7.c        |  23 +++
 libstb/secvar/test/secvar-fuzz-setup-mode.c   |   4 +
 libstb/secvar/test/secvar-generic-fuzz-edk2.c | 177 ++++++++++++++++++
 10 files changed, 270 insertions(+), 10 deletions(-)
 create mode 100644 libstb/secvar/test/secvar-fuzz-db.c
 create mode 100644 libstb/secvar/test/secvar-fuzz-dbx.c
 create mode 100644 libstb/secvar/test/secvar-fuzz-pkcs7.c
 create mode 100644 libstb/secvar/test/secvar-fuzz-setup-mode.c
 create mode 100644 libstb/secvar/test/secvar-generic-fuzz-edk2.c
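The bug classes the cover letter lists (overreading short input, overreading a declared payload, an integer underflow in a length calculation, and a length getter whose unsigned return type cannot signal failure) are easier to see in a small parser with a fuzz harness attached. The block below is an added example written for this page; it is not skiboot code and not the fuzzers from patch 7. The record format (two little-endian 32-bit lengths followed by name and data bytes), the functions parse_var and var_payload_len, and the sample arrays are all hypothetical. LLVMFuzzerTestOneInput is libFuzzer's real entry-point symbol, so building the file with clang -fsanitize=fuzzer,address supplies main and AddressSanitizer; the sample arrays only exist so the checks can be exercised without a fuzzing run.

```c
/*
 * Added example, not skiboot code. Hypothetical record format:
 *   u32 LE name_len | u32 LE data_len | name bytes | data bytes
 */
#include <stddef.h>
#include <stdint.h>

#define VAR_HDR_LEN 8u

struct var_view {
    const uint8_t *name;
    uint32_t name_len;
    const uint8_t *data;
    uint32_t data_len;
};

static uint32_t le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Returns 0 and fills *out, or -1 on malformed input; never reads past buf + len. */
int parse_var(const uint8_t *buf, size_t len, struct var_view *out)
{
    size_t used = VAR_HDR_LEN;
    uint32_t name_len, data_len;

    /* Short input: refuse before touching the header instead of overreading it. */
    if (!buf || !out || len < VAR_HDR_LEN)
        return -1;

    name_len = le32(buf);
    data_len = le32(buf + 4);

    /*
     * Compare each declared length against the bytes still available.
     * The naive "len - VAR_HDR_LEN - name_len" is a size_t that wraps when
     * name_len exceeds the remaining bytes, so a bogus header would then pass
     * a "remaining >= data_len" check. used <= len holds at every step here,
     * so len - used cannot underflow.
     */
    if (name_len > len - used)
        return -1;
    used += name_len;
    if (data_len > len - used)
        return -1;
    used += data_len;

    /* Strict: trailing bytes are treated as corruption rather than ignored. */
    if (used != len)
        return -1;

    out->name = buf + VAR_HDR_LEN;
    out->name_len = name_len;
    out->data = out->name + name_len;
    out->data_len = data_len;
    return 0;
}

/*
 * Signed length helper: -1 means "malformed", so a caller cannot mistake an
 * error for an empty payload (the reason patch 6 gives get_pkcs7_len a
 * signed return type).
 */
long var_payload_len(const uint8_t *buf, size_t len)
{
    struct var_view v;

    if (parse_var(buf, len, &v) != 0)
        return -1;
    return (long)v.data_len;
}

/*
 * libFuzzer entry point. Reading every byte the parser claims is valid lets
 * AddressSanitizer report any overread that a wrong length check let through.
 */
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
{
    struct var_view v;
    volatile uint8_t sink = 0;
    uint32_t i;

    if (parse_var(data, size, &v) == 0) {
        for (i = 0; i < v.name_len; i++)
            sink ^= v.name[i];
        for (i = 0; i < v.data_len; i++)
            sink ^= v.data[i];
    }
    (void)sink;
    return 0;
}

/* Constructed sample inputs (not real secure-variable data). */
static const uint8_t sample_ok[] = { 2, 0, 0, 0, 3, 0, 0, 0, 'a', 'b', 'x', 'y', 'z' };
static const uint8_t sample_short[] = { 2, 0, 0, 0 };
/* name_len = 0xffffffff: the wrapping subtraction would have accepted this. */
static const uint8_t sample_underflow[] = { 0xff, 0xff, 0xff, 0xff, 0, 0, 0, 0, 'a', 'b', 'x', 'y', 'z' };
/* data_len = 10 but only 3 payload bytes follow the name. */
static const uint8_t sample_truncated[] = { 2, 0, 0, 0, 10, 0, 0, 0, 'a', 'b', 'x', 'y', 'z' };
```

The harness deliberately does nothing with the parse result beyond reading the bytes it covers: the sanitizer, not the harness, decides whether a length check was wrong, which is the same division of labour the cover letter describes for libstb/secvar.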