authorBill Richardson <wfrichar@chromium.org>2012-07-13 12:38:11 -0700
committerGerrit <chrome-bot@google.com>2012-07-13 15:24:18 -0700
commit114b7010b610e518072dd1e2d8563a08a026f192 (patch)
tree2675a50e9aaeed9fceba6d0bc018fd9a7ea9deb5 /common/vboot_hash.c
parent1b02654e625a931e03191aa17d4c7be19ba8798e (diff)
Security fix: bounds check in vboot_hash_start()
Changed the parameters from int to uint32_t (which is how it was called anyway). BUG=chrome-os-partner:11045 TEST=manual No visible change. Nothing should break. Change-Id: I4fbe34f67df7d37f5039987a7a89e626916d6eb6 Signed-off-by: Bill Richardson <wfrichar@chromium.org> Reviewed-on: https://gerrit.chromium.org/gerrit/27382 Reviewed-by: Randall Spangler <rspangler@chromium.org>
Diffstat (limited to 'common/vboot_hash.c')
-rw-r--r--common/vboot_hash.c16
1 files changed, 8 insertions, 8 deletions
diff --git a/common/vboot_hash.c b/common/vboot_hash.c
index 47b860111c..6feba42229 100644
--- a/common/vboot_hash.c
+++ b/common/vboot_hash.c
@@ -30,9 +30,9 @@ struct vboot_hash_tag {
#define VBOOT_HASH_SYSJUMP_VERSION 1
#define CHUNK_SIZE 1024
-static int data_offset;
-static int data_size;
-static int curr_pos;
+static uint32_t data_offset;
+static uint32_t data_size;
+static uint32_t curr_pos;
static const uint8_t *hash; /* Hash, or NULL if not valid */
static int want_abort;
@@ -53,8 +53,8 @@ static int vboot_hash_in_progress(void)
* If nonce_size is non-zero, prefixes the <nonce> onto the data to be
* hashed. Returns non-zero if error.
*/
-static int vboot_hash_start(int offset, int size, const uint8_t *nonce,
- int nonce_size)
+static int vboot_hash_start(uint32_t offset, uint32_t size,
+ const uint8_t *nonce, int nonce_size)
{
/* Fail if hash computation is already in progress */
if (vboot_hash_in_progress())
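Review bot: `nonce_size` stays `int` in the new signature while `offset` and `size` become `uint32_t`, so the type still admits a negative length that the bounds check in the next hunk has to reject by hand. Declaring it `uint32_t nonce_size` would rule that case out by type; whether any caller outside this diff depends on the signed type cannot be seen from here. The header comment above the function could also state the contract, for example `offset and size must each be <= CONFIG_FLASH_SIZE and offset + size must not exceed it; returns EC_ERROR_INVAL otherwise`. The function body continues past the end of this hunk.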
@@ -65,7 +65,7 @@ static int vboot_hash_start(int offset, int size, const uint8_t *nonce,
* command to peek at other memory.
*/
if (offset > CONFIG_FLASH_SIZE || size > CONFIG_FLASH_SIZE ||
- offset + size > CONFIG_FLASH_SIZE) {
+ offset + size > CONFIG_FLASH_SIZE || nonce_size < 0) {
return EC_ERROR_INVAL;
}
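Review bot: The added `nonce_size < 0` test gives the nonce a lower bound only; nothing in this hunk caps it, and the code that consumes `nonce` lies outside the hunk, so it is worth confirming that an upper limit tied to the size of the buffer supplying the nonce is enforced before it is read. Separately, now that the operands are unsigned, `offset + size` is wrap-free only because both are first compared against CONFIG_FLASH_SIZE and that constant is presumably far below 2^31. Writing the third test as `size > CONFIG_FLASH_SIZE - offset` removes the dependence on that assumption. If the expression is kept as is, a comment such as `/* offset and size are each <= CONFIG_FLASH_SIZE here, so the sum cannot wrap */` would record why it is safe.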
@@ -187,8 +187,8 @@ DECLARE_HOOK(HOOK_SYSJUMP, vboot_hash_preserve_state, HOOK_PRIO_DEFAULT);
static int command_hash(int argc, char **argv)
{
- int offset = CONFIG_FW_A_OFF - CONFIG_FLASH_BASE;
- int size = CONFIG_FW_A_SIZE;
+ uint32_t offset = CONFIG_FW_A_OFF - CONFIG_FLASH_BASE;
+ uint32_t size = CONFIG_FW_A_SIZE;
char *e;
if (argc == 2 && !strcasecmp(argv[1], "abort")) {