author: nagendra modadugu <ngm@google.com> 2016-07-15 21:29:54 -0700
committer: chrome-bot <chrome-bot@chromium.org> 2016-07-21 17:32:19 -0700
commit: b1c3aa2080f6edefa51c7c0b99c4d6c6b10303d1
tree: 298b91932707c3dbc1d6fe09658d0bab692e58f7
parent: b6a48a58958f67e479af3805c4a2bfadb1cc8bd3

CR50: fix uninitialized buffer size in _cpri__SignRSA

The TPM2 wrapper library does not initialize the size of an output buffer length prior to calling into cr50/tpm2. This results in arbitrary failures depending on memory layout. Force the buffer length unseen, though this should be fixed in the TPM2 library.

BRANCH=none
BUG=chrome-os-partner:43025,chrome-os-partner:47524
BUG=chrome-os-partner:50115,chrome-os-partner:55260
TEST=test full personalize + cros_ack verify cert flow
TEST=CPCTPM_TC2_2_20_02_03 passes, which was consistently failing

Signed-off-by: nagendra modadugu <ngm@google.com>
Reviewed-on: https://chromium-review.googlesource.com/360908
Reviewed-by: Vadim Bendebury <vbendeb@chromium.org>
(cherry picked from commit 635cb7ada25e76e504087916364e2db08a2133ab)

Change-Id: I90e9b4d76986ffa27acc944e48afc2efaadad7cd
Reviewed-on: https://chromium-review.googlesource.com/362116
Commit-Ready: Vadim Bendebury <vbendeb@chromium.org>
Tested-by: Vadim Bendebury <vbendeb@chromium.org>

-rw-r--r-- board/cr50/tpm2/rsa.c 2
1 files changed, 2 insertions, 0 deletions

diff --git a/board/cr50/tpm2/rsa.c b/board/cr50/tpm2/rsa.c
index f39735db36..6ee310dbce 100644
--- a/board/cr50/tpm2/rsa.c
+++ b/board/cr50/tpm2/rsa.c
@@ -164,6 +164,8 @@ CRYPT_RESULT _cpri__SignRSA(uint32_t *out_len, uint8_t *out,
rsa.d.dmax = key->privateKey->size / sizeof(uint32_t);
rsa.d.d = (struct access_helper *) &key->privateKey->buffer;
+ /* TPM2 wrapper function fails to initialize out_len! */
+ *out_len = key->publicKey->size;
result = DCRYPTO_rsa_sign(&rsa, out, out_len, in, in_len,
padding, hashing);
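
Review bot: The new assignment `*out_len = key->publicKey->size;` just before the DCRYPTO_rsa_sign call discards whatever length the caller passed, so from this point out_len no longer says anything about the real capacity of `out`, and nothing in the visible lines checks that `out` can hold key->publicKey->size bytes. Since the commit message already calls this a workaround for the TPM2 library, the in-code comment should say so too: state the assumption that the caller's buffer is at least as large as the public modulus, and add a TODO with one of the listed bug references so the override is removed once the wrapper initializes the length itself.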