authorDaisuke Nojiri <dnojiri@chromium.org>2020-08-26 12:25:40 -0700
committerCommit Bot <commit-bot@chromium.org>2020-08-27 01:03:12 +0000
commit9de8df970c9b04947c2a65cc8c45a4b4a894085d (patch)
tree2f1b2772a8b2d33528a40438e311c6a8faee33bc
parent5b647f412436dc60bb8523c11cd2ff107890b9f6 (diff)
CBI: Validate data size of input from host
Currently, the size of the input data is not verified. This can cause a read overflow in cbi_set_data. This patch makes the host command handler validate the input data size. BUG=chromium:1114458 BRANCH=none TEST=cros_fuzz --board=amd64-generic reproduce \ --fuzzer ec_host_command_fuzzer \ --testcase ...ec_host_command_fuzzer-5111452783935488 \ --package chromeos-ec --build-type asan Signed-off-by: Daisuke Nojiri <dnojiri@chromium.org> Change-Id: Ia3e03cd6bb857e0fa594de9d8cc66d8788d6dcd8 Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/2378203 Reviewed-by: Jett Rink <jettrink@chromium.org>
-rw-r--r--common/cbi.c4
1 files changed, 4 insertions, 0 deletions
diff --git a/common/cbi.c b/common/cbi.c
index e30e35aad3..c6fa213807 100644
--- a/common/cbi.c
+++ b/common/cbi.c
@@ -391,6 +391,10 @@ static enum ec_status hc_cbi_set(struct host_cmd_handler_args *args)
return EC_RES_ERROR;
}
+ /* Given data size exceeds the packet size. */
+ if (args->params_size < sizeof(*p) + p->size)
+ return EC_RES_INVALID_PARAM;
+
if (cbi_set_board_info(p->tag, p->data, p->size))
return EC_RES_INVALID_PARAM;