From patchwork Thu Jul 8 07:10:33 2021
X-Patchwork-Submitter: Daniel Axtens
X-Patchwork-Id: 1502122
From: Daniel Axtens <dja@axtens.net>
To: skiboot@lists.ozlabs.org
Cc: nick.child@ibm.com, nayna@linux.ibm.com
Date: Thu, 8 Jul 2021 17:10:33 +1000
Message-Id: <20210708071040.3684854-1-dja@axtens.net>
Subject: [Skiboot] [PATCH v2 0/7] Fuzzers and fixes for secure variables

v2: Add tests, thanks Nayna Jain.

I hooked up LLVM's libfuzzer to libstb/secvar and found some mostly minor bugs.

My series applies on top of Nick Child's fixes (which fix some other bugs that could be found by fuzzing).

Patches 1-4 are bugs in the secvar code. Nothing too major; I think the worst case would be a DoS. (Although I haven't checked how resilient our zalloc is to very large inputs, which can happen without patch 3.)

Patch 5 fixes a bug in our pkcs7 implementation in mbedtls. I think it's limited to an out-of-bounds read of <8 bytes.

Patch 6 cleans up some code and is correspondingly less urgent.

Patch 7 is the WIP RFC of how I put the fuzzers together and includes instructions on how to use them yourself. It's not ready to be merged yet.
Daniel Axtens (7):
  secvar/backend: Don't overread short variables in validate
  secvar/backend: Don't overread data in auth descriptor
  secvar/backend: fix an integer underflow bug
  secvar/backend: fix a memory leak in get_pkcs7
  pkcs7: pkcs7_get_content_info_type should reset *p on error
  secvar/backend: get_pkcs7_len should return a signed type
  [RFC] secvar: add fuzzers

 core/test/stubs.c                             |  11 +-
 libstb/crypto/pkcs7/pkcs7.c                   |   4 +-
 libstb/secvar/backend/edk2-compat-process.c   |  26 ++-
 libstb/secvar/backend/edk2-compat.c           |   3 +
 libstb/secvar/test/Makefile.check             |  27 ++-
 libstb/secvar/test/data/KEKeslcorrupt.h       | 161 ++++++++++++++++
 libstb/secvar/test/data/KEKpkcs7corrupt.h     | 161 ++++++++++++++++
 libstb/secvar/test/secvar-fuzz-db.c           |   5 +
 libstb/secvar/test/secvar-fuzz-dbx.c          |   5 +
 libstb/secvar/test/secvar-fuzz-pkcs7.c        |  23 +++
 libstb/secvar/test/secvar-fuzz-setup-mode.c   |   4 +
 libstb/secvar/test/secvar-generic-fuzz-edk2.c | 177 ++++++++++++++++++
 libstb/secvar/test/secvar-test-edk2-compat.c  |  61 ++++++
 libstb/secvar/test/secvar-test-pkcs7.c        |  32 ++++
 14 files changed, 689 insertions(+), 11 deletions(-)
 create mode 100644 libstb/secvar/test/data/KEKeslcorrupt.h
 create mode 100644 libstb/secvar/test/data/KEKpkcs7corrupt.h
 create mode 100644 libstb/secvar/test/secvar-fuzz-db.c
 create mode 100644 libstb/secvar/test/secvar-fuzz-dbx.c
 create mode 100644 libstb/secvar/test/secvar-fuzz-pkcs7.c
 create mode 100644 libstb/secvar/test/secvar-fuzz-setup-mode.c
 create mode 100644 libstb/secvar/test/secvar-generic-fuzz-edk2.c
 create mode 100644 libstb/secvar/test/secvar-test-pkcs7.c
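As an added illustration of the bug classes the cover letter lists (over-reading a variable shorter than its header, unsigned length arithmetic that underflows, and a length function with no way to report failure), here is a constructed ESL length check with a libFuzzer entry point wired to it. This is my own example, not skiboot code and not the harness from the RFC patch 7; it assumes only the EFI_SIGNATURE_LIST header layout from the UEFI specification (16-byte GUID, then three uint32_t size fields), and the names esl_validate, esl_case and esl_selftest are mine. LLVMFuzzerTestOneInput is libFuzzer's real entry-point name; build with clang -fsanitize=fuzzer,address to have ASan flag any over-read the checks miss.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* EFI_SIGNATURE_LIST header: 16-byte SignatureType GUID followed by
 * SignatureListSize, SignatureHeaderSize and SignatureSize (uint32_t each). */
#define ESL_HEADER_SIZE 28u

static uint32_t get_le32(const uint8_t *p)
{
	return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
	       ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static void put_le32(uint8_t *p, uint32_t v)
{
	p[0] = (uint8_t)v;         p[1] = (uint8_t)(v >> 8);
	p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/*
 * Validate one ESL held in buf[0..len). Returns the number of signature
 * entries it describes, or -1 when the buffer cannot be trusted. The return
 * type is signed on purpose: an unsigned "length" function has no value left
 * over to signal failure, which is the get_pkcs7_len point in the cover letter.
 */
int esl_validate(const uint8_t *buf, size_t len)
{
	uint32_t list_size, hdr_size, sig_size;
	uint64_t body;

	/* Over-read guard: confirm a whole header is present before reading
	 * any header field from a possibly short variable. */
	if (buf == NULL || len < ESL_HEADER_SIZE)
		return -1;

	list_size = get_le32(buf + 16);
	hdr_size = get_le32(buf + 20);
	sig_size = get_le32(buf + 24);

	/* The list's own size claim must cover its header and must not
	 * exceed the bytes actually handed over. */
	if (list_size < ESL_HEADER_SIZE || list_size > len)
		return -1;

	/* Underflow guard: list_size - header - hdr_size wraps in uint32_t
	 * when hdr_size exceeds the remaining bytes; compare before subtracting. */
	body = (uint64_t)list_size - ESL_HEADER_SIZE;
	if (hdr_size > body)
		return -1;
	body -= hdr_size;

	/* Entries must tile the body exactly; sig_size == 0 would divide by zero. */
	if (sig_size == 0 || body % sig_size != 0 || body / sig_size > INT32_MAX)
		return -1;

	return (int)(body / sig_size);
}

/* Build a constructed ESL with the given header fields in a zeroed 256-byte
 * buffer (GUID left zero: sample data) and validate it as if only `handed`
 * bytes had been received. */
int esl_case(uint32_t list_size, uint32_t hdr_size, uint32_t sig_size, size_t handed)
{
	uint8_t buf[256];

	memset(buf, 0, sizeof buf);
	put_le32(buf + 16, list_size);
	put_le32(buf + 20, hdr_size);
	put_le32(buf + 24, sig_size);
	if (handed > sizeof buf)
		handed = sizeof buf;
	return esl_validate(buf, handed);
}

/* Worked cases covering each rejected shape; returns 1 when all behave. */
int esl_selftest(void)
{
	/* well-formed: 28-byte header + 2 x 100-byte entries */
	if (esl_case(228, 0, 100, 228) != 2) return 0;
	/* truncated variable: list claims 228 bytes, only 100 handed over */
	if (esl_case(228, 0, 100, 100) != -1) return 0;
	/* shorter than a header at all */
	if (esl_case(228, 0, 100, 10) != -1) return 0;
	/* hdr_size larger than the list: naive uint32 subtraction would wrap */
	if (esl_case(228, 0xFFFFFFF0u, 100, 228) != -1) return 0;
	/* zero entry size would divide by zero */
	if (esl_case(228, 0, 0, 228) != -1) return 0;
	return 1;
}

/* libFuzzer entry point: the engine feeds arbitrary bytes here and ASan
 * reports any read past `size`. Assumed wiring, not the RFC patch's harness. */
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
{
	(void)esl_validate(data, size);
	return 0;
}

int main(void)
{
	int ok = esl_selftest();
	printf("esl_selftest: %s\n", ok ? "pass" : "FAIL");
	return ok ? 0 : 1;
}
```

The widening to uint64_t before subtracting is the cheap way to make the underflow impossible rather than merely checked; the signed return is what lets a caller distinguish "zero entries" from "reject this variable".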