author | Nicolas Boichat <drinkcat@chromium.org> | 2018-06-23 09:31:54 +0800 |
---|---|---|
committer | chrome-bot <chrome-bot@chromium.org> | 2018-06-27 22:07:47 -0700 |
commit | f8d042c8212c8186f07ef913395d29871db68f38 (patch) | |
tree | c34127c40c3c4c042761756940f6e8eea0896d2e | |
parent | 2d94ff98bb34021560f7a04df09cacadee55fccf (diff) | |
download | chrome-ec-f8d042c8212c8186f07ef913395d29871db68f38.tar.gz |
host_command: read_test/memmap: Fix response buffer overflow
host_command_read_test/memmap expect to have at least 128 bytes
available in response buffer, _after_ ec_host_response header.
However, in the fuzzing test, we only use a 128-byte response
buffer, and set response_max to 128, correctly.
host_packet_receive correctly computes the response payload
size (i.e. 120 bytes):
args0.response_max = pkt->response_max - sizeof(struct ec_host_response);
But then host_command_read_test/memmap ignore response_max, and
overflow that response buffer.
BRANCH=none
BUG=chromium:855972
TEST=make buildfuzztests -j
echo AwMAAAMLxv0AgA== | base64 -d > crash
ASAN_OPTIONS="log_path=stderr" \
build/host/host_command_fuzz/host_command_fuzz.exe ./crash
echo AwcAAAAAeg== | base64 -d > crash
Call fuzzer again.
Change-Id: I1344842764a07f09546f3b0533b3ce154eff2732
Signed-off-by: Nicolas Boichat <drinkcat@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/1116200
Reviewed-by: Vincent Palatin <vpalatin@chromium.org>
-rw-r--r-- | common/host_command.c | 4 |
1 files changed, 2 insertions, 2 deletions
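To make the mechanism in the commit message concrete, here is an added, constructed C model (not code from the chrome-ec tree): a 128-byte response buffer, a response_max of 120 computed after an 8-byte header as host_packet_receive does, and a memmap-style handler run with and without the capacity check; guard bytes placed after the buffer count how far an unchecked read writes past it. The struct layouts, return codes and memmap contents are simplified assumptions.

```c
#include <stdint.h>
#include <string.h>

/* Constructed stand-in for chrome-ec's 8-byte struct ec_host_response header. */
struct ec_host_response {
	uint8_t struct_version, checksum;
	uint16_t result, data_len, reserved;
};

struct host_cmd_handler_args {
	const void *params;
	void *response;       /* payload area, just after the header */
	size_t response_max;  /* payload capacity, set by the dispatcher */
	size_t response_size; /* payload bytes written, set by the handler */
};

struct ec_params_read_memmap { uint8_t offset, size; };

enum { EC_MEMMAP_SIZE = 255, EC_RES_SUCCESS = 0, EC_RES_INVALID_PARAM = 3 };
static uint8_t memmap[EC_MEMMAP_SIZE]; /* constructed memory-map contents */

/* Memmap handler; `fixed` adds the capacity check the patch is about. */
static int read_memmap(struct host_cmd_handler_args *args, int fixed)
{
	const struct ec_params_read_memmap *p = args->params;
	uint8_t offset = p->offset, size = p->size;

	if (size > EC_MEMMAP_SIZE || offset > EC_MEMMAP_SIZE ||
	    offset + size > EC_MEMMAP_SIZE || (fixed && size > args->response_max))
		return EC_RES_INVALID_PARAM;
	memcpy(args->response, memmap + offset, size);
	args->response_size = size;
	return EC_RES_SUCCESS;
}

#define RESP_BUF 128 /* response buffer size the fuzzer uses, per the message */
#define GUARD    255 /* canary bytes after it, large enough for any 255-byte copy */

/* Dispatches one read like host_packet_receive would and returns how many guard
 * bytes were overwritten (0 = no overflow); *rc_out receives the handler's result. */
int overflow_bytes(uint8_t offset, uint8_t size, int fixed, int *rc_out)
{
	uint8_t buf[RESP_BUF + GUARD];
	struct ec_params_read_memmap p = { offset, size };
	struct host_cmd_handler_args args = {
		.params = &p,
		.response = buf + sizeof(struct ec_host_response),
		.response_max = RESP_BUF - sizeof(struct ec_host_response), /* 120 */
		.response_size = 0,
	};
	int n = 0;

	memset(memmap, 0x5A, sizeof(memmap));
	memset(buf, 0xAA, sizeof(buf));
	*rc_out = read_memmap(&args, fixed);
	for (size_t i = RESP_BUF; i < sizeof(buf); i++)
		if (buf[i] != 0xAA)
			n++;
	return n;
}
```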
diff --git a/common/host_command.c b/common/host_command.c index f80f43a4c5..a2aab15a31 100644 --- a/common/host_command.c +++ b/common/host_command.c @@ -506,7 +506,7 @@ static int host_command_read_test(struct host_cmd_handler_args *args) int size = p->size / sizeof(uint32_t); int i; - if (size > ARRAY_SIZE(r->data)) + if (size > ARRAY_SIZE(r->data) || p->size > args->response_size) return EC_RES_ERROR; for (i = 0; i < size; i++) @@ -534,7 +534,7 @@ static int host_command_read_memmap(struct host_cmd_handler_args *args) uint8_t size = p->size; if (size > EC_MEMMAP_SIZE || offset > EC_MEMMAP_SIZE || - offset + size > EC_MEMMAP_SIZE) + offset + size > EC_MEMMAP_SIZE || size > args->response_size) return EC_RES_INVALID_PARAM; /* Make sure switch data is initialized */ |
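Review bot: in the host_command_read_test hunk, the new term compares p->size against args->response_size, while the commit message identifies response_max (the payload capacity host_packet_receive derives from pkt->response_max minus the header) as the limit the handler ignores. If response_size is the handler's output field (bytes written, cleared before the call) rather than the input capacity, the check tests the wrong value and will reject every non-empty read; suggest `if (size > ARRAY_SIZE(r->data) || p->size > args->response_max)`. The TEST section only replays the two crash inputs under ASAN, which would not catch that; a positive check (a 120-byte read against a 128-byte buffer succeeding) would.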
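Review bot: the host_command_read_memmap hunk has the same mismatch with the commit message: the added term is `size > args->response_size`, but the message says the handler must honour response_max, so unless response_size already holds the capacity at this point it should read `size > args->response_max`. A one-line comment stating that the bound is the post-header capacity computed in host_packet_receive would also help, since the condition otherwise reads as if the handler were checking its own output field.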