diff options
| author | Sam McNally <sammc@chromium.org> | 2022-09-13 19:56:29 +1000 |
|---|---|---|
| committer | Chromeos LUCI <chromeos-scoped@luci-project-accounts.iam.gserviceaccount.com> | 2022-09-14 04:13:26 +0000 |
| commit | 84cad1fa91794e6b109dc251b4b6bb62bc8d480c (patch) | |
| tree | 0f1da32b3e123074b0f5117acf39d81c519c154c | |
| parent | 0bfa5127e984b7ec0760d98f98fbcaea96b22b61 (diff) | |
| download | chrome-ec-84cad1fa91794e6b109dc251b4b6bb62bc8d480c.tar.gz | |
gsctool: Size TPM update request packets to fit the max block size.
tpm_send_pkt() uses a static buffer sized to MAX_BUF_SIZE. When updating
via the TPM interface transfer_section() calls tpm_send_pkt() with a
data size bounded by SIGNED_TRANSFER_SIZE. tpm_send_pkt() copies the
data into its static buffer, with a 20 byte offset to leave space for
the header.
MAX_BUF_SIZE is 500 and SIGNED_TRANSFER_SIZE is 1024, so this overflows
by 544 bytes. The build options for gsctool have recently changed to
adopt the fortified version of memcpy, which now detects this buffer
overflow.
Split MAX_BUF_SIZE into MAX_RX_BUF_SIZE and MAX_TX_BUF_SIZE, increasing
MAX_TX_BUF_SIZE to fit update packets.
BUG=b:246212506
TEST=gsctool -a /opt/google/ti50/firmware/ti50.bin.prepvt succeeds
make buildall -j
Change-Id: I5180d8ec72a03feaeba9226c9c2f2faad29ae38a
Signed-off-by: Sam McNally <sammc@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3893949
Reviewed-by: Vadim Bendebury <vbendeb@chromium.org>
| -rw-r--r-- | extra/usb_updater/gsctool.c | 11 |
1 files changed, 8 insertions, 3 deletions
diff --git a/extra/usb_updater/gsctool.c b/extra/usb_updater/gsctool.c index be5f6309a3..c2e189dea4 100644 --- a/extra/usb_updater/gsctool.c +++ b/extra/usb_updater/gsctool.c @@ -327,7 +327,12 @@ static void sha_final_into_block_digest(union sha_ctx *ctx, void *block_digest, * This by far exceeds the largest vendor command response size we ever * expect. */ -#define MAX_BUF_SIZE 500 +#define MAX_RX_BUF_SIZE 500 + +/* + * Maximum update payload block size plus packet header size. + */ +#define MAX_TX_BUF_SIZE (SIGNED_TRANSFER_SIZE + sizeof(struct upgrade_pkt)) /* * Max. length of the board ID string representation. @@ -594,7 +599,7 @@ static int tpm_send_pkt(struct transfer_descriptor *td, unsigned int digest, uint16_t subcmd) { /* Used by transfer to /dev/tpm0 */ - static uint8_t outbuf[MAX_BUF_SIZE]; + static uint8_t outbuf[MAX_TX_BUF_SIZE]; struct upgrade_pkt *out = (struct upgrade_pkt *)outbuf; int len, done; int response_offset = offsetof(struct upgrade_pkt, command.data); @@ -1574,7 +1579,7 @@ uint32_t send_vendor_command(struct transfer_descriptor *td, * to be stripped from the actual response body by this * function. */ - uint8_t temp_response[MAX_BUF_SIZE]; + uint8_t temp_response[MAX_RX_BUF_SIZE]; size_t max_response_size; if (!response_size) { |