From patchwork Thu Jul 1 12:41:00 2021
X-Patchwork-Submitter: Daniel Axtens
X-Patchwork-Id: 1499517
From: Daniel Axtens
To: skiboot@lists.ozlabs.org
Cc: nick.child@ibm.com, nayna@linux.ibm.com
Date: Thu, 1 Jul 2021 22:41:00 +1000
Message-Id: <20210701124106.2784003-2-dja@axtens.net>
In-Reply-To: <20210701124106.2784003-1-dja@axtens.net>
Subject: [Skiboot] [PATCH 1/7] secvar/backend: Don't overread short variables in validate

Fix an OOB read caught by our fuzzer. It might be good future work to change function signatures to pass some size data around explicitly?

Signed-off-by: Daniel Axtens
--- libstb/secvar/backend/edk2-compat.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libstb/secvar/backend/edk2-compat.c b/libstb/secvar/backend/edk2-compat.c index 9e61fbc60ff9..bfa2659e526b 100644 --- a/libstb/secvar/backend/edk2-compat.c +++ b/libstb/secvar/backend/edk2-compat.c 
@@ -280,6 +280,9 @@ static int edk2_compat_validate(struct secvar *var) && !key_equals(var->key, "dbx")) return OPAL_PARAMETER; + if (var->data_size < sizeof(struct efi_variable_authentication_2)) + return OPAL_PARAMETER; + /* Check that signature type is PKCS7 */ if (!is_pkcs7_sig_format(var->data)) return OPAL_PARAMETER; 

From patchwork Thu Jul 1 12:41:01 2021
X-Patchwork-Submitter: Daniel Axtens
X-Patchwork-Id: 1499518
From: Daniel Axtens
To: skiboot@lists.ozlabs.org
Cc: nick.child@ibm.com, nayna@linux.ibm.com
Date: Thu, 1 Jul 2021 22:41:01 +1000
Message-Id: <20210701124106.2784003-3-dja@axtens.net>
In-Reply-To: <20210701124106.2784003-1-dja@axtens.net>
Subject: [Skiboot] [PATCH 2/7] secvar/backend: Don't overread data in auth descriptor

Catch another OOB read picked up by the fuzzer.

Signed-off-by: Daniel Axtens
--- libstb/secvar/backend/edk2-compat-process.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libstb/secvar/backend/edk2-compat-process.c b/libstb/secvar/backend/edk2-compat-process.c index dff96446dc48..ab8efd9b2573 100644 --- a/libstb/secvar/backend/edk2-compat-process.c +++ b/libstb/secvar/backend/edk2-compat-process.c 
@@ -195,6 +195,9 @@ int get_auth_descriptor2(const void *buf, const size_t buflen, void **auth_buffe auth_buffer_size = sizeof(auth->timestamp) + sizeof(auth->auth_info.hdr) + sizeof(auth->auth_info.cert_type) + len; + if (auth_buffer_size > buflen) + return OPAL_PARAMETER; + *auth_buffer = zalloc(auth_buffer_size); if (!(*auth_buffer)) return OPAL_NO_MEM; 

From patchwork Thu Jul 1 12:41:02 2021
X-Patchwork-Submitter: Daniel Axtens
X-Patchwork-Id: 1499519
From: Daniel Axtens
To: skiboot@lists.ozlabs.org
Cc: nick.child@ibm.com, nayna@linux.ibm.com
Date: Thu, 1 Jul 2021 22:41:02 +1000
Message-Id: <20210701124106.2784003-4-dja@axtens.net>
In-Reply-To: <20210701124106.2784003-1-dja@axtens.net>
Subject: [Skiboot] [PATCH 3/7] secvar/backend: fix an integer underflow bug

If a declared size is smaller than uuid size, we end up allocating with an allocation of a 'negative' number, which is a huge 64 bit number.

Signed-off-by: Daniel Axtens
--- libstb/secvar/backend/edk2-compat-process.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libstb/secvar/backend/edk2-compat-process.c b/libstb/secvar/backend/edk2-compat-process.c index ab8efd9b2573..edbb588899c8 100644 --- a/libstb/secvar/backend/edk2-compat-process.c +++ b/libstb/secvar/backend/edk2-compat-process.c 
@@ -128,6 +128,9 @@ static int get_esl_cert(const char *buf, const size_t buflen, char **cert) assert(cert != NULL); + if (le32_to_cpu(list->SignatureSize) <= sizeof(uuid_t)) + return OPAL_PARAMETER; + size = le32_to_cpu(list->SignatureSize) - sizeof(uuid_t); prlog(PR_DEBUG,"size of signature list size is %u\n", 

From patchwork Thu Jul 1 12:41:03 2021
X-Patchwork-Submitter: Daniel Axtens
X-Patchwork-Id: 1499520
From: Daniel Axtens
To: skiboot@lists.ozlabs.org
Cc: nick.child@ibm.com, nayna@linux.ibm.com
Date: Thu, 1 Jul 2021 22:41:03 +1000
Message-Id: <20210701124106.2784003-5-dja@axtens.net>
In-Reply-To: <20210701124106.2784003-1-dja@axtens.net>
Subject: [Skiboot] [PATCH 4/7] secvar/backend: fix a memory leak in get_pkcs7

We need to actually free the pkcs7 structure, not just pass it to mbedtls_pkcs7_free().

Signed-off-by: Daniel Axtens
--- libstb/secvar/backend/edk2-compat-process.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libstb/secvar/backend/edk2-compat-process.c b/libstb/secvar/backend/edk2-compat-process.c index edbb588899c8..f6831f1f7ccf 100644 --- a/libstb/secvar/backend/edk2-compat-process.c +++ b/libstb/secvar/backend/edk2-compat-process.c 
@@ -452,6 +452,7 @@ static mbedtls_pkcs7* get_pkcs7(const struct efi_variable_authentication_2 *auth out: mbedtls_pkcs7_free(pkcs7); + free(pkcs7); pkcs7 = NULL; return pkcs7; } 

From patchwork Thu Jul 1 12:41:04 2021
X-Patchwork-Submitter: Daniel Axtens
X-Patchwork-Id: 1499521
From: Daniel Axtens
To: skiboot@lists.ozlabs.org
Cc: nick.child@ibm.com, nayna@linux.ibm.com
Date: Thu, 1 Jul 2021 22:41:04 +1000
Message-Id: <20210701124106.2784003-6-dja@axtens.net>
In-Reply-To: <20210701124106.2784003-1-dja@axtens.net>
Subject: [Skiboot] [PATCH 5/7] pkcs7: pkcs7_get_content_info_type should reset *p on error

Fuzzing revealed a crash where pkcs7_get_signed_data was accessing beyond the bounds of the object, despite valid data being passed in to mbedtls_pkcs7_parse_der. Further investigation revealed that pkcs7_get_content_info_type will reset *p to start if the second call to mbedtls_asn1_get_tag fails, but not if the first call fails. mbedtls_asn1_get_tag does indeed advance *p even in some failure cases, so a reset is required. Reset *p to start if the first call to mbedtls_asn1_get_tag fails.

Signed-off-by: Daniel Axtens
--- libstb/crypto/pkcs7/pkcs7.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libstb/crypto/pkcs7/pkcs7.c b/libstb/crypto/pkcs7/pkcs7.c index 4407e201a4cc..a523a9d42a16 100644 --- a/libstb/crypto/pkcs7/pkcs7.c +++ b/libstb/crypto/pkcs7/pkcs7.c 
@@ -151,8 +151,10 @@ static int pkcs7_get_content_info_type( unsigned char **p, unsigned char *end, ret = mbedtls_asn1_get_tag( p, end, &len, MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ); - if( ret != 0 ) + if( ret != 0 ) { + *p = start; return( MBEDTLS_ERR_PKCS7_INVALID_CONTENT_INFO + ret ); + } ret = mbedtls_asn1_get_tag( p, end, &len, MBEDTLS_ASN1_OID ); if( ret != 0 ) { 

From patchwork Thu Jul 1 12:41:05 2021
X-Patchwork-Submitter: Daniel Axtens
X-Patchwork-Id: 1499522
From: Daniel Axtens
To: skiboot@lists.ozlabs.org
Cc: nick.child@ibm.com, nayna@linux.ibm.com
Date: Thu, 1 Jul 2021 22:41:05 +1000
Message-Id: <20210701124106.2784003-7-dja@axtens.net>
In-Reply-To: <20210701124106.2784003-1-dja@axtens.net>
Subject: [Skiboot] [PATCH 6/7] secvar/backend: get_pkcs7_len should return a signed type

get_pkcs7_len parses an efi_variable_authentication2 and tells us how long the embedded PKCS#7 message is. This process involves reading a number out of the auth header and subtracting a number of constants. As such, this process can fail: if the resultant value is less than 0, this is an error: a pkcs7 message cannot have negative size! Currently, we don't catch this: we calculate with an unsigned type, so it experiences integer overflow and becomes enormous. The field we're reading from the header is 32 bit, so we don't need all our 64 bits as data bits. Instead, change the type to be ssize_t, and if the result of the subtraction is less than 0, return OPAL_PARAMETER. Adjust call-sites to use the different return type and specifically catch return values that are errors.

Signed-off-by: Daniel Axtens
---
I am fairly sure this cannot cause a bug. If you could get to get_pkcs7 then you'd get to mbedtls_pkcs7_parse_der with a huge len, but the only caller is verify_signature(), which is only called by process_update(). However process_update() first calls get_auth_descriptor2(), which will helpfully call get_pkcs7_len() and compare the result with buf_len. The underflowed negative number will be bigger than buf_len - so the caller (get_auth_descriptor2()) will fail, and process_update() will then bail before calling into verify_signature().

So this patch isn't as urgent as the others.
---
 libstb/secvar/backend/edk2-compat-process.c | 19 +++++++++++++------
 1 file changed, 13 insertions(+), 6 deletions(-)

diff --git a/libstb/secvar/backend/edk2-compat-process.c b/libstb/secvar/backend/edk2-compat-process.c index f6831f1f7ccf..580bd4ebdcc8 100644 --- a/libstb/secvar/backend/edk2-compat-process.c +++ b/libstb/secvar/backend/edk2-compat-process.c @@ -162,11 +162,13 @@ static int get_esl_cert(const char *buf, const size_t buflen, char **cert) /* * Extracts size of the PKCS7 signed data embedded in the * struct Authentication 2 Descriptor Header. + * + * Returns a ssize_t: positive values are OK, negative values are error. */ -static size_t get_pkcs7_len(const struct efi_variable_authentication_2 *auth) +static ssize_t get_pkcs7_len(const struct efi_variable_authentication_2 *auth) { uint32_t dw_length; - size_t size; + ssize_t size; assert(auth != NULL); 
@@ -176,14 +178,17 @@ static size_t get_pkcs7_len(const struct efi_variable_authentication_2 *auth) + sizeof(auth->auth_info.hdr.w_certificate_type) + sizeof(auth->auth_info.cert_type)); + if (size < 0) + return OPAL_PARAMETER; + return size; } int get_auth_descriptor2(const void *buf, const size_t buflen, void **auth_buffer) { const struct efi_variable_authentication_2 *auth = buf; - int auth_buffer_size; - size_t len; + ssize_t auth_buffer_size; + ssize_t len; assert(auth_buffer != NULL); if (buflen < sizeof(struct efi_variable_authentication_2) @@ -192,7 +197,7 @@ int get_auth_descriptor2(const void *buf, const size_t buflen, void **auth_buffe len = get_pkcs7_len(auth); /* pkcs7 content length cannot be greater than buflen */ - if (len > buflen) + if (len < 0 || len > buflen) return OPAL_PARAMETER; auth_buffer_size = sizeof(auth->timestamp) + sizeof(auth->auth_info.hdr) 
@@ -417,11 +422,13 @@ int check_timestamp(const char *key, const struct efi_time *timestamp, static mbedtls_pkcs7* get_pkcs7(const struct efi_variable_authentication_2 *auth) { char *checkpkcs7cert = NULL; - size_t len; + ssize_t len; mbedtls_pkcs7 *pkcs7 = NULL; int rc; len = get_pkcs7_len(auth); + if (len < 0) + return NULL; pkcs7 = malloc(sizeof(struct mbedtls_pkcs7)); if (!pkcs7)
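
Review bot: The new `if (size < 0)` test in get_pkcs7_len() (hunk at -176) only works if the assignment above it really produces a negative ssize_t. dw_length is a uint32_t and the sizeof terms are size_t, so if the expression is dw_length minus those terms, as the commit message describes, the subtraction is still carried out unsigned and the negative value comes only from the implementation-defined conversion back to ssize_t. Comparing dw_length against the sum of the sizeof terms before subtracting, and returning OPAL_PARAMETER when it is smaller, would not depend on that conversion. The comment added in the first hunk says positive values are OK and negative values are errors; it should also say what a return of 0 means, since 0 passes this check.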
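
Review bot: In `if (len < 0 || len > buflen)` in get_auth_descriptor2() (hunk at -192), the second comparison mixes the now-signed len with the size_t buflen, so len is converted to unsigned for it. The `len < 0` test in front makes that safe, but only because of the operand order, and the comparison will trip -Wsign-compare; writing `(size_t)len > buflen` states the intent. auth_buffer_size was also widened from int to ssize_t in the preceding hunk while the function still returns int, so check that nothing derived from it is narrowed on return.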
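
Review bot: The early `return NULL;` added to get_pkcs7() (hunk at -417) drops the OPAL_PARAMETER code that get_pkcs7_len() now produces, so a malformed header is reported no differently from any other NULL return of this function. A prlog line before the return would keep the cause visible to whoever debugs a rejected update.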
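
The wrap-around that the commit message above describes, as an added stand-alone example (not code from the patch or from skiboot). The struct layout, DEMO_FIXED_LEN and DEMO_ERR_PARAMETER are hypothetical stand-ins, and the checked variant compares before subtracting rather than testing the sign afterwards.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>	/* ssize_t */

/* Simplified stand-in for the auth header: hypothetical layout, not skiboot's struct. */
struct demo_auth_hdr {
	uint8_t  timestamp[16];
	uint32_t dw_length;		/* length field taken from untrusted input */
	uint16_t w_revision;
	uint16_t w_certificate_type;
	uint8_t  cert_type[16];
};

#define DEMO_ERR_PARAMETER (-1)	/* placeholder for an OPAL_PARAMETER-style error code */

/* Header bytes that dw_length counts in addition to the PKCS#7 payload (24 here). */
#define DEMO_FIXED_LEN (sizeof(uint32_t) + 2 * sizeof(uint16_t) + 16)

/* "Before" shape: unsigned arithmetic, so dw_length < 24 wraps to a huge value. */
static size_t pkcs7_len_unsigned(const struct demo_auth_hdr *h)
{
	return h->dw_length - DEMO_FIXED_LEN;
}

/* Checked shape: compare before subtracting, so no wrapped value is ever formed.
 * dw_length is 32 bits; this assumes a 64-bit ssize_t so the difference always fits. */
static ssize_t pkcs7_len_checked(const struct demo_auth_hdr *h)
{
	if (h->dw_length < DEMO_FIXED_LEN)
		return DEMO_ERR_PARAMETER;
	return (ssize_t)(h->dw_length - DEMO_FIXED_LEN);
}

/* Caller relying on the unsigned helper: the wrapped length is rejected only
 * because it happens to exceed buflen. */
static int validate_unsigned(const struct demo_auth_hdr *h, size_t buflen)
{
	return pkcs7_len_unsigned(h) > buflen ? DEMO_ERR_PARAMETER : 0;
}

/* Caller using the checked helper: error and bounds are tested explicitly. */
static int validate_checked(const struct demo_auth_hdr *h, size_t buflen)
{
	ssize_t len = pkcs7_len_checked(h);

	if (len < 0 || (size_t)len > buflen)
		return DEMO_ERR_PARAMETER;
	return 0;
}

int main(void)
{
	struct demo_auth_hdr h;		/* constructed sample header */

	memset(&h, 0, sizeof(h));
	h.dw_length = 4;		/* smaller than the 24 fixed bytes */
	printf("unsigned: %zu\n", pkcs7_len_unsigned(&h));
	printf("checked:  %zd\n", pkcs7_len_checked(&h));
	printf("validate: %d / %d\n", validate_unsigned(&h, 4096), validate_checked(&h, 4096));
	return 0;
}
```
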

From: Daniel Axtens
To: skiboot@lists.ozlabs.org
Cc: nick.child@ibm.com, nayna@linux.ibm.com
Date: Thu, 1 Jul 2021 22:41:06 +1000
Message-Id: <20210701124106.2784003-8-dja@axtens.net>
In-Reply-To: <20210701124106.2784003-1-dja@axtens.net>
Subject: [Skiboot] [PATCH 7/7] [RFC] secvar: add fuzzers

Add several libfuzzer fuzzers.

To build the fuzzers:

  make CC=clang HOSTCC=clang fuzzers

There are 4 fuzzers all up, all in libstb/secvar/tests/

 - secvar-fuzz-db: a PK, KEK and DB key have been installed. Attempt to insert a random 'auth' structure as a db.

 - secvar-fuzz-dbx: a PK, KEK, and DB key have been installed. Attempt to insert a random 'auth' structure as a dbx.

 - secvar-fuzz-setup-mode: the databases are empty. Attempt to install a random 'auth' structure as a db. Attempt to install a known good KEK.

 - secvar-fuzz-pkcs7: fuzz mbedtls_pkcs7_parse_der specifically.

Each of them builds mbedtls and the edk2 code with ASAN and fuzzing (-fsanitize=address,fuzzer-no-link)

Run them as: libstb/secvar/test/secvar-fuzz- .

I created my starting corpus for db/dbx/setup-mode with the test data from secvarctl, thanks Nick Child. I created the pkcs7 corpus with files sitting on my hard drive.

TODO: this breaks building under gcc. It needs to be wrapped in some sort of clang wrapper.

Signed-off-by: Daniel Axtens --- core/test/stubs.c | 11 +- libstb/secvar/test/Makefile.check | 22 ++- libstb/secvar/test/secvar-fuzz-db.c | 5 + libstb/secvar/test/secvar-fuzz-dbx.c | 5 + libstb/secvar/test/secvar-fuzz-pkcs7.c | 23 +++ libstb/secvar/test/secvar-fuzz-setup-mode.c | 4 + libstb/secvar/test/secvar-generic-fuzz-edk2.c | 177 ++++++++++++++++++ 7 files changed, 244 insertions(+), 3 deletions(-) create mode 100644 libstb/secvar/test/secvar-fuzz-db.c create mode 100644 libstb/secvar/test/secvar-fuzz-dbx.c create mode 100644 libstb/secvar/test/secvar-fuzz-pkcs7.c create mode 100644 libstb/secvar/test/secvar-fuzz-setup-mode.c create mode 100644 libstb/secvar/test/secvar-generic-fuzz-edk2.c diff --git a/core/test/stubs.c b/core/test/stubs.c index 0e97af2494b0..17ff18587715 100644 --- a/core/test/stubs.c +++ b/core/test/stubs.c @@ -12,17 +12,24 @@ #include #include "../../ccan/list/list.c" -void _prlog(int log_level __attribute__((unused)), const char* fmt, ...) __attribute__((format (printf, 2, 3))); +void _prlog(int log_level, const char* fmt, ...) __attribute__((format (printf, 2, 3))); #ifndef pr_fmt #define pr_fmt(fmt) fmt #endif #define prlog(l, f, ...) do { _prlog(l, pr_fmt(f), ##__VA_ARGS__); } while(0) -void _prlog(int log_level __attribute__((unused)), const char* fmt, ...) +void _prlog(int log_level, const char* fmt, ...) { va_list ap; + (void) log_level; +#ifdef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION + if (log_level >= 3) { + return; + } +#endif + va_start(ap, fmt); vprintf(fmt, ap); va_end(ap); diff --git a/libstb/secvar/test/Makefile.check b/libstb/secvar/test/Makefile.check index 6cb1687d3a7e..51e3e345a741 100644 --- a/libstb/secvar/test/Makefile.check +++ b/libstb/secvar/test/Makefile.check 
@@ -45,11 +45,31 @@ $(SECVAR_TEST) : % : %.c $(HOST_MBEDTLS_OBJS) $(SECVAR_TEST:%=%-gcov): %-gcov : %.c % $(HOST_MBEDTLS_OBJS) $(call Q, HOSTCC ,$(HOSTCC) $(HOSTCFLAGS) $(HOSTGCOVCFLAGS) $(HOST_MBEDTLS_CFLAGS) -I include -I . -I libfdt -lgcov -o $@ $< $(HOST_MBEDTLS_OBJS) core/test/stubs.o, $<) +SECVAR_FUZZ = $(patsubst %.c, %, $(wildcard $(SECVAR_TEST_DIR)/secvar-fuzz-*.c)) + +.PHONY : fuzzers +fuzzers: $(SECVAR_FUZZ) + +comma := , + +FUZZ_MBEDTLS_OBJS=$(MBEDTLS_OBJS:%.o=$(CRYPTO_DIR)/%.fuzz.o) +%.fuzz.o: %.c + $(call Q, HOSTCC , $(HOSTCC) $(HOSTCFLAGS) $(HOST_MBEDTLS_CFLAGS) -fsanitize=address$(comma)fuzzer-no-link -DFUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION -g -c -o $@ $<, $<) + + +$(SECVAR_FUZZ) : core/test/stubs_fuzz.o +core/test/stubs_fuzz.o: core/test/stubs.c + $(call Q, HOSTCC ,$(HOSTCC) $(HOSTCFLAGS) -fsanitize=address$(comma)fuzzer-no-link -DFUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION -g -c -o $@ $<, $<) + + +$(SECVAR_FUZZ) : % : %.c $(FUZZ_MBEDTLS_OBJS) + $(call Q, HOSTCC ,$(HOSTCC) $(HOSTCFLAGS) $(HOST_MBEDTLS_CFLAGS) -Og -g -fsanitize=address$(comma)fuzzer -I include -I . -I libfdt -DFUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION -o $@ $< $(FUZZ_MBEDTLS_OBJS) core/test/stubs_fuzz.o, $<) + -include $(wildcard libstb/secvar/test/*.d) clean: secvar-test-clean secvar-test-clean: - $(RM) -f libstb/secvar/test/*.[od] $(SECVAR_TEST) $(SECVAR_TEST:%=%-gcov) + $(RM) -f libstb/secvar/test/*.[od] $(SECVAR_TEST) $(SECVAR_TEST:%=%-gcov) $(SECVAR_FUZZ) $(RM) -f libstb/secvar/test/*.gcda libstb/secvar/test/*.gcno $(RM) -f secboot.img diff --git a/libstb/secvar/test/secvar-fuzz-db.c b/libstb/secvar/test/secvar-fuzz-db.c new file mode 100644 index 000000000000..630db677378e --- /dev/null +++ b/libstb/secvar/test/secvar-fuzz-db.c @@ -0,0 +1,5 @@ +#define VAR "db" +#define ADD_PK +#define ADD_KEK +#define ADD_DB +#include "secvar-generic-fuzz-edk2.c" \ No newline at end of file 
diff --git a/libstb/secvar/test/secvar-fuzz-dbx.c b/libstb/secvar/test/secvar-fuzz-dbx.c new file mode 100644 index 000000000000..2a3c92ba75bc --- /dev/null +++ b/libstb/secvar/test/secvar-fuzz-dbx.c @@ -0,0 +1,5 @@ +#define VAR "dbx" +#define ADD_PK +#define ADD_KEK +#define ADD_DB +#include "secvar-generic-fuzz-edk2.c" \ No newline at end of file diff --git a/libstb/secvar/test/secvar-fuzz-pkcs7.c b/libstb/secvar/test/secvar-fuzz-pkcs7.c new file mode 100644 index 000000000000..74b80aa6b41a --- /dev/null +++ b/libstb/secvar/test/secvar-fuzz-pkcs7.c @@ -0,0 +1,23 @@ +// SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later +/* Copyright 2020 IBM Corp. */ + +#define MBEDTLS_PKCS7_C +#include "secvar_common_test.c" +#include "../../crypto/pkcs7/pkcs7.c" + +int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size); + +int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) { + + mbedtls_pkcs7 pkcs7; + int rc; + + bzero(&pkcs7, sizeof(pkcs7)); + + rc = mbedtls_pkcs7_parse_der(Data, Size, &pkcs7); + + if (rc >= 0) + mbedtls_pkcs7_free(&pkcs7); + + return 0; +} \ No newline at end of file diff --git a/libstb/secvar/test/secvar-fuzz-setup-mode.c b/libstb/secvar/test/secvar-fuzz-setup-mode.c new file mode 100644 index 000000000000..614b8b729854 --- /dev/null +++ b/libstb/secvar/test/secvar-fuzz-setup-mode.c @@ -0,0 +1,4 @@ +#define VAR "PK" +#define SETUP_MODE_SPECIAL +#define RESET_VARS +#include "secvar-generic-fuzz-edk2.c" \ No newline at end of file diff --git a/libstb/secvar/test/secvar-generic-fuzz-edk2.c b/libstb/secvar/test/secvar-generic-fuzz-edk2.c new file mode 100644 index 000000000000..aa8dc479e3e0 --- /dev/null +++ b/libstb/secvar/test/secvar-generic-fuzz-edk2.c 
@@ -0,0 +1,177 @@ +// SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later +/* Copyright 2020 IBM Corp. */ + +#define MBEDTLS_PKCS7_C +#include "secvar_common_test.c" +#include "../backend/edk2-compat.c" +#include "../backend/edk2-compat-process.c" +#include "../secvar_util.c" +#include "../../crypto/pkcs7/pkcs7.c" +#include "./data/PK.h" +#include "./data/KEK.h" +#include "./data/db.h" +#include "./data/dbx.h" + +/* Hardcoding HW KEY HASH to avoid emulating device-tree in unit-tests. */ +const unsigned char hw_key_hash[64] = { +0xb6, 0xdf, 0xfe, 0x75, 0x53, 0xf9, 0x2e, 0xcb, 0x2b, 0x05, 0x55, 0x35, 0xd7, 0xda, 0xfe, 0x32, \ +0x98, 0x93, 0x35, 0x1e, 0xd7, 0x4b, 0xbb, 0x21, 0x6b, 0xa0, 0x56, 0xa7, 0x1e, 0x3c, 0x0b, 0x56, \ +0x6f, 0x0c, 0x4d, 0xbe, 0x31, 0x42, 0x13, 0x68, 0xcb, 0x32, 0x11, 0x6f, 0x13, 0xbb, 0xdd, 0x9e, \ +0x4f, 0xe3, 0x83, 0x8b, 0x1c, 0x6a, 0x2e, 0x07, 0xdb, 0x95, 0x16, 0xc9, 0x33, 0xaa, 0x20, 0xef +}; + +int reset_keystore(struct list_head *bank __unused) { return 0; } +int verify_hw_key_hash(void) +{ + return OPAL_SUCCESS; +} + + +int add_hw_key_hash(struct list_head *bank) +{ + struct secvar *var; + uint32_t hw_key_hash_size = 64; + + var = new_secvar("HWKH", 5, hw_key_hash, + hw_key_hash_size, SECVAR_FLAG_PROTECTED); + list_add_tail(bank, &var->link); + + return OPAL_SUCCESS; +} + +int delete_hw_key_hash(struct list_head *bank) +{ + struct secvar *var; + + var = find_secvar("HWKH", 5, bank); + if (!var) + return OPAL_SUCCESS; + + list_del(&var->link); + dealloc_secvar(var); + + return OPAL_SUCCESS; +} + +const char *secvar_test_name = "edk2-compat"; + +int secvar_set_secure_mode(void) { return 0; }; + +static void reset_vars() +{ + int rc = -1; + struct secvar *tmp; + + rc = edk2_compat_pre_process(&variable_bank, &update_bank); + assert(OPAL_SUCCESS == rc); + assert(5 == list_length(&variable_bank)); + tmp = find_secvar("TS", 3, &variable_bank); + assert(NULL != tmp); + +#ifdef ADD_PK + /* Add PK to update and .process(). 
*/ + tmp = new_secvar("PK", 3, PK_auth, PK_auth_len, 0); + assert(0 == edk2_compat_validate(tmp)); + list_add_tail(&update_bank, &tmp->link); + assert(1 == list_length(&update_bank)); + + rc = edk2_compat_process(&variable_bank, &update_bank); + assert(OPAL_SUCCESS == rc); + assert(6 == list_length(&variable_bank)); + assert(0 == list_length(&update_bank)); + rc = edk2_compat_post_process(&variable_bank, &update_bank); + assert(5 == list_length(&variable_bank)); + tmp = find_secvar("PK", 3, &variable_bank); + assert(NULL != tmp); + assert(0 != tmp->data_size); + assert(PK_auth_len > tmp->data_size); /* esl should be smaller without auth. */ + assert(!setup_mode); +#endif + +#ifdef ADD_KEK + /* Add valid KEK, .process(), succeeds. */ + tmp = new_secvar("KEK", 4, KEK_auth, KEK_auth_len, 0); + assert(0 == edk2_compat_validate(tmp)); + list_add_tail(&update_bank, &tmp->link); + assert(1 == list_length(&update_bank)); + + rc = edk2_compat_process(&variable_bank, &update_bank); + assert(OPAL_SUCCESS == rc); + assert(5 == list_length(&variable_bank)); + assert(0 == list_length(&update_bank)); + tmp = find_secvar("KEK", 4, &variable_bank); + assert(NULL != tmp); + assert(0 != tmp->data_size); +#endif + +#ifdef ADD_DB + /* Add db, .process(), should succeed. 
*/ + tmp = new_secvar("db", 3, DB_auth, DB_auth_len, 0); + assert(0 == edk2_compat_validate(tmp)); + list_add_tail(&update_bank, &tmp->link); + assert(1 == list_length(&update_bank)); + + rc = edk2_compat_process(&variable_bank, &update_bank); + assert(OPAL_SUCCESS == rc); + assert(5 == list_length(&variable_bank)); + assert(0 == list_length(&update_bank)); + tmp = find_secvar("db", 3, &variable_bank); + assert(NULL != tmp); + assert(0 != tmp->data_size); +#endif +} + +static void init() +{ + static bool inited = false; + + if (inited) + return; + + list_head_init(&variable_bank); + list_head_init(&update_bank); + + secvar_storage.max_var_size = 4096; + + reset_vars(); + + inited = true; +} + +int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size); + +int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) { + struct secvar *tmp; + + init(); + + tmp = new_secvar(VAR, sizeof (VAR), Data, Size, 0); + if (!tmp) + return 0; + + if (0 != edk2_compat_validate(tmp)) { + dealloc_secvar(tmp); + return 0; + } + + list_add_tail(&update_bank, &tmp->link); + assert(1 == list_length(&update_bank)); + + edk2_compat_process(&variable_bank, &update_bank); + +#ifdef SETUP_MODE_SPECIAL + tmp = new_secvar("KEK", 4, KEK_auth, KEK_auth_len, 0); + assert(0 == edk2_compat_validate(tmp)); + list_add_tail(&update_bank, &tmp->link); + assert(1 == list_length(&update_bank)); + edk2_compat_process(&variable_bank, &update_bank); +#endif + +#ifdef RESET_VARS + clear_bank_list(&variable_bank); + reset_vars(); +#endif + + clear_bank_list(&update_bank); + return 0; +} \ No newline at end of file
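
Review bot: In _prlog() in core/test/stubs.c, the literal 3 in `if (log_level >= 3)` should be the named log-level constant, with a comment saying which levels the fuzzing build silences and why. The `(void) log_level;` line above it is only needed when FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION is not defined and could move into an #else branch.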
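
Review bot: In Makefile.check, secvar-test-clean now removes $(SECVAR_FUZZ) but not the objects the new rules create outside libstb/secvar/test, namely core/test/stubs_fuzz.o and the $(FUZZ_MBEDTLS_OBJS) files under $(CRYPTO_DIR). Add both so that make clean leaves no instrumented objects behind. The fuzzer rules are also defined unconditionally although -fsanitize=address,fuzzer needs clang, which is the gcc breakage the commit message lists as a TODO; guarding the rules on the compiler would let this go in without affecting gcc builds.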
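
Review bot: In secvar-fuzz-pkcs7.c, mbedtls_pkcs7_free() is called only when `rc >= 0`. If mbedtls_pkcs7_parse_der() can return an error after it has already allocated into the structure, those allocations are never released, and an ASAN fuzzer build will report such inputs as leaks caused by the harness rather than by the parser. Please confirm which side owns cleanup on a failed parse and say so in a comment next to the check.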
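
Review bot: In secvar-generic-fuzz-edk2.c, init() builds the variable bank once and only the setup-mode fuzzer defines RESET_VARS, so in the db and dbx fuzzers anything edk2_compat_process() changes in variable_bank carries over into later inputs. A crash can then depend on earlier inputs and fail to reproduce from the saved test case alone; reset the state per input, or add a comment explaining why it cannot change. Under SETUP_MODE_SPECIAL, `assert(1 == list_length(&update_bank));` after queuing the KEK assumes the first edk2_compat_process() call always empties update_bank, including when the fuzzed update is rejected; if it does not, the assert fires on harness state rather than on a bug in the code under test.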