From f8d042c8212c8186f07ef913395d29871db68f38 Mon Sep 17 00:00:00 2001
From: Nicolas Boichat
Date: Sat, 23 Jun 2018 09:31:54 +0800
Subject: host_command: read_test/memmap: Fix response buffer overflow

host_command_read_test/memmap expect to have at least 128 bytes available in response buffer, _after_ ec_host_response header. However, in the fuzzing test, we only use a 128 bytes response buffer, and set response_max to 128, correctly.

host_packet_receive correctly computes the response payload size (i.e. 120 bytes):
args0.response_max = pkt->response_max - sizeof(struct ec_host_response);

But then host_command_read_test/memmap ignore response_max, and overflows that response buffer.

BRANCH=none
BUG=chromium:855972
TEST=make buildfuzztests -j
echo AwMAAAMLxv0AgA== | base64 -d > crash
ASAN_OPTIONS="log_path=stderr" \
build/host/host_command_fuzz/host_command_fuzz.exe ./crash
echo AwcAAAAAeg== | base64 -d > crash
Call fuzzer again.

Change-Id: I1344842764a07f09546f3b0533b3ce154eff2732
Signed-off-by: Nicolas Boichat
Reviewed-on: https://chromium-review.googlesource.com/1116200
Reviewed-by: Vincent Palatin
---
 common/host_command.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

(limited to 'common/host_command.c')

diff --git a/common/host_command.c b/common/host_command.c
index f80f43a4c5..a2aab15a31 100644
--- a/common/host_command.c
+++ b/common/host_command.c
@@ -506,7 +506,7 @@ static int host_command_read_test(struct host_cmd_handler_args *args)
 	int size = p->size / sizeof(uint32_t);
 	int i;
 
-	if (size > ARRAY_SIZE(r->data))
+	if (size > ARRAY_SIZE(r->data) || p->size > args->response_size)
 		return EC_RES_ERROR;
 
 	for (i = 0; i < size; i++)
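Review bot: The added guard compares `p->size` against `args->response_size`, but the commit message identifies `args->response_max` (the payload capacity computed by host_packet_receive) as the bound that was being ignored; if `response_size` is the length the handler reports back rather than the caller's capacity, this check does not bound the copy by the actual buffer and the overflow the fuzzer found is not closed. The comparison should read `if (size > ARRAY_SIZE(r->data) || p->size > args->response_max)`, and the host_command_read_memmap hunk below makes the same substitution (`size > args->response_max`). host_command_read_test continues outside the hunk, so the line where response_size is assigned is not visible here and this reading should be confirmed against it.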
@@ -534,7 +534,7 @@ static int host_command_read_memmap(struct host_cmd_handler_args *args)
 	uint8_t size = p->size;
 
 	if (size > EC_MEMMAP_SIZE || offset > EC_MEMMAP_SIZE ||
-	    offset + size > EC_MEMMAP_SIZE)
+	    offset + size > EC_MEMMAP_SIZE || size > args->response_size)
 		return EC_RES_INVALID_PARAM;
 
 	/* Make sure switch data is initialized */
-- 
cgit v1.2.1