From patchwork Fri May 27 20:36:51 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Reza Arbab X-Patchwork-Id: 1636525 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Authentication-Results: bilbo.ozlabs.org; dkim=fail reason="signature verification failed" (2048-bit key; unprotected) header.d=ibm.com header.i=@ibm.com header.a=rsa-sha256 header.s=pp1 header.b=QzPQuVZq; dkim-atps=neutral Authentication-Results: ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=lists.ozlabs.org (client-ip=2404:9400:2:0:216:3eff:fee1:b9f1; helo=lists.ozlabs.org; envelope-from=skiboot-bounces+incoming=patchwork.ozlabs.org@lists.ozlabs.org; receiver=) Received: from lists.ozlabs.org (lists.ozlabs.org [IPv6:2404:9400:2:0:216:3eff:fee1:b9f1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by bilbo.ozlabs.org (Postfix) with ESMTPS id 4L8xV31xY3z9sBF for ; Sat, 28 May 2022 06:38:50 +1000 (AEST) Received: from boromir.ozlabs.org (localhost [IPv6:::1]) by lists.ozlabs.org (Postfix) with ESMTP id 4L8xV22dZpz3bmH for ; Sat, 28 May 2022 06:38:50 +1000 (AEST) Authentication-Results: lists.ozlabs.org; dkim=fail reason="signature verification failed" (2048-bit key; unprotected) header.d=ibm.com header.i=@ibm.com header.a=rsa-sha256 header.s=pp1 header.b=QzPQuVZq; dkim-atps=neutral X-Original-To: skiboot@lists.ozlabs.org Delivered-To: skiboot@lists.ozlabs.org Authentication-Results: lists.ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=linux.ibm.com (client-ip=148.163.156.1; helo=mx0a-001b2d01.pphosted.com; envelope-from=arbab@linux.ibm.com; receiver=) Authentication-Results: lists.ozlabs.org; dkim=pass (2048-bit key; unprotected) header.d=ibm.com header.i=@ibm.com header.a=rsa-sha256 header.s=pp1 header.b=QzPQuVZq; dkim-atps=neutral Received: from mx0a-001b2d01.pphosted.com (mx0a-001b2d01.pphosted.com [148.163.156.1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by lists.ozlabs.org (Postfix) with ESMTPS id 4L8xTv5NBKz3blZ for ; Sat, 28 May 2022 06:38:43 +1000 (AEST) Received: from pps.filterd (m0098410.ppops.net [127.0.0.1]) by mx0a-001b2d01.pphosted.com (8.17.1.5/8.17.1.5) with ESMTP id 24RJxDo9027057 for ; Fri, 27 May 2022 20:38:37 GMT DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ibm.com; h=from : to : cc : subject : date : message-id : mime-version : content-transfer-encoding; s=pp1; bh=Rob9zl1rnsFO/iFbUF9Nngd2MM5+tog40f5TsAMUBdM=; b=QzPQuVZq1x4QycyRsFtFuLviRWqduEx0vqYDIBkkXKMwATkejEUOXqooCBapLLrLWrnf 3MiOgvCialJnyGRITYZ8BTCD++iqrYxxjKp+/ntSKqFZIu+TEFIN/8ZkWyopO/kE5//r 24u24Wn+WjeOuUlP5iZPdZULyRKURpgIuMgrhR2C8ER1WZuHTpwedamMZKy7o4VOAe8L /0SjnkypNydsnOPB2URCpBvjFcLGQ1LqQfMmFUYRnv7UNv5DTDWReisXaPHaRHA8SgG0 yO5UkZJBUh6NyBrrPjW2Rv3OYt9+qQOu6xTAr95b7KZ37wViN5DtXLLJHAIbGABSuxW4 qA== Received: from ppma03dal.us.ibm.com (b.bd.3ea9.ip4.static.sl-reverse.com [169.62.189.11]) by mx0a-001b2d01.pphosted.com (PPS) with ESMTPS id 3gb59kgmkc-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT) for ; Fri, 27 May 2022 20:38:37 +0000 Received: from pps.filterd (ppma03dal.us.ibm.com [127.0.0.1]) by ppma03dal.us.ibm.com (8.16.1.2/8.16.1.2) with SMTP id 24RKcDuc024347 for ; Fri, 27 May 2022 20:38:36 GMT Received: from b01cxnp22035.gho.pok.ibm.com (b01cxnp22035.gho.pok.ibm.com [9.57.198.25]) by ppma03dal.us.ibm.com with ESMTP id 3g93uu3pqb-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT) for ; Fri, 27 May 2022 20:38:36 +0000 Received: from b01ledav006.gho.pok.ibm.com (b01ledav006.gho.pok.ibm.com [9.57.199.111]) by b01cxnp22035.gho.pok.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id 24RKcZhF19661238 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Fri, 27 May 2022 20:38:35 GMT Received: from b01ledav006.gho.pok.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 2810AAC05F; Fri, 27 May 2022 20:38:35 +0000 (GMT) Received: from b01ledav006.gho.pok.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id DA61DAC06C; Fri, 27 May 2022 20:38:34 +0000 (GMT) Received: from arbab-laptop.localdomain (unknown [9.160.47.137]) by b01ledav006.gho.pok.ibm.com (Postfix) with SMTP; Fri, 27 May 2022 20:38:34 +0000 (GMT) Received: by arbab-laptop.localdomain (Postfix, from userid 152845) id 9E3A32A6A40; Fri, 27 May 2022 15:36:54 -0500 (CDT) From: Reza Arbab To: skiboot@lists.ozlabs.org Date: Fri, 27 May 2022 15:36:51 -0500 Message-Id: <20220527203651.258780-1-arbab@linux.ibm.com> X-Mailer: git-send-email 2.31.1 MIME-Version: 1.0 X-TM-AS-GCONF: 00 X-Proofpoint-ORIG-GUID: bcsICID8JEZoeVaAm_WwWWrTCEWfkemI X-Proofpoint-GUID: bcsICID8JEZoeVaAm_WwWWrTCEWfkemI X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.205,Aquarius:18.0.874,Hydra:6.0.486,FMLib:17.11.64.514 definitions=2022-05-27_06,2022-05-27_01,2022-02-23_01 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 impostorscore=0 malwarescore=0 adultscore=0 spamscore=0 bulkscore=0 mlxlogscore=999 lowpriorityscore=0 clxscore=1015 phishscore=0 suspectscore=0 priorityscore=1501 mlxscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2204290000 definitions=main-2205270099 Subject: [Skiboot] [PATCH v2] libstb: Fix memcpy overread in fakenv_readpublic() X-BeenThere: skiboot@lists.ozlabs.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: Mailing list for skiboot development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: skiboot-bounces+incoming=patchwork.ozlabs.org@lists.ozlabs.org Sender: "Skiboot" Caught by `make check` on fedora-rawhide (GCC 12): libstb/secvar/test/../storage/fakenv_ops.c: In function 'fakenv_readpublic': libstb/secvar/test/../storage/fakenv_ops.c:155:17: error: 'memcpy' reading 134 bytes from a region of size 34 [-Werror=stringop-overread] 155 | memcpy(&nv_name->t.name, tpmnv_vars_name, sizeof(TPM2B_NAME)); | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ In file included from libstb/secvar/test/secvar-test-secboot-tpm.c:5: libstb/secvar/test/../storage/secboot_tpm.c:35:15: note: source object 'tpmnv_vars_name' of size 34 35 | const uint8_t tpmnv_vars_name[] = { | ^~~~~~~~~~~~~~~ libstb/secvar/test/../storage/fakenv_ops.c:158:17: error: 'memcpy' reading 134 bytes from a region of size 34 [-Werror=stringop-overread] 158 | memcpy(&nv_name->t.name, tpmnv_control_name, sizeof(TPM2B_NAME)); | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ libstb/secvar/test/../storage/secboot_tpm.c:41:15: note: source object 'tpmnv_control_name' of size 34 41 | const uint8_t tpmnv_control_name[] = { | ^~~~~~~~~~~~~~~~~~ The source and destination of each memcpy have known sizes, and we are copying the smaller buffer into the larger one, so change the memcpy size to that of the smaller buffer. Signed-off-by: Reza Arbab --- libstb/secvar/storage/fakenv_ops.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libstb/secvar/storage/fakenv_ops.c b/libstb/secvar/storage/fakenv_ops.c index 224ac2a5de7d..07ab98996cfb 100644 --- a/libstb/secvar/storage/fakenv_ops.c +++ b/libstb/secvar/storage/fakenv_ops.c @@ -152,10 +152,10 @@ static int fakenv_readpublic(TPMI_RH_NV_INDEX index, TPMS_NV_PUBLIC *nv_public, switch (index) { case SECBOOT_TPMNV_VARS_INDEX: - memcpy(&nv_name->t.name, tpmnv_vars_name, sizeof(TPM2B_NAME)); + memcpy(&nv_name->t.name, tpmnv_vars_name, sizeof(tpmnv_vars_name)); break; case SECBOOT_TPMNV_CONTROL_INDEX: - memcpy(&nv_name->t.name, tpmnv_control_name, sizeof(TPM2B_NAME)); + memcpy(&nv_name->t.name, tpmnv_control_name, sizeof(tpmnv_control_name)); break; default: return OPAL_INTERNAL_ERROR;