authorJulius Werner <jwerner@chromium.org>2023-05-03 19:02:09 -0700
committerChromeos LUCI <chromeos-scoped@luci-project-accounts.iam.gserviceaccount.com>2023-05-13 04:23:49 +0000
commite34cc1be6c526187fee9349246b811fb8018a3c7 (patch)
tree2c221ecd7b1d0bece8288f6ca9e223b2b709b663
parent4634d58ac99d495ecba149386a20c6be68e95157 (diff)
downloadvboot-e34cc1be6c526187fee9349246b811fb8018a3c7.tar.gz
Add checks for a few minor overflow risks
This patch fixes a few locations where specific maliciously crafted input could cause an arithmetic overflow to bypass a size check. In none of those instances is the data being parsed actually untrusted for our use case, so there was no real security risk here. This is just extra hardening. BUG=chromium:1441030,b:280378929 TEST=Booted CoachZ Signed-off-by: Julius Werner <jwerner@chromium.org> Change-Id: I65f2d483f1e67686b7a22f0f7eb3ce5c3eabfdfa Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/4505019 Reviewed-by: Yu-Ping Wu <yupingso@chromium.org>
-rw-r--r--firmware/2lib/2packed_key.c2
-rw-r--r--firmware/2lib/2rsa.c2
-rw-r--r--futility/misc.c8
3 files changed, 6 insertions, 6 deletions
diff --git a/firmware/2lib/2packed_key.c b/firmware/2lib/2packed_key.c
index c9e602a2..d6b50417 100644
--- a/firmware/2lib/2packed_key.c
+++ b/firmware/2lib/2packed_key.c
@@ -48,7 +48,7 @@ vb2_error_t vb2_unpack_key_buffer(struct vb2_public_key *key,
/* Validity check key array size */
key->arrsize = buf32[0];
- if (key->arrsize * sizeof(uint32_t) != vb2_rsa_sig_size(key->sig_alg))
+ if ((uint64_t)key->arrsize * sizeof(uint32_t) != vb2_rsa_sig_size(key->sig_alg))
return VB2_ERROR_UNPACK_KEY_ARRAY_SIZE;
key->n0inv = buf32[1];
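Review bot: The widening cast on the changed line needs a comment, because without one a later cleanup could drop it as redundant and quietly reintroduce the case where an oversized arrsize wraps the product to the expected size on builds with a 32-bit size_t; something like `/* Widen before multiplying: on 32-bit size_t a huge arrsize could wrap the product to the expected size */` above the if would do. The same product is recomputed in the 2rsa.c hunk of this commit (`key_bytes = key->arrsize * sizeof(uint32_t)`), where a different guard is used; the two sites would be easier to keep in sync if both compared the widened product. vb2_unpack_key_buffer starts before and continues past this hunk.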
diff --git a/firmware/2lib/2rsa.c b/firmware/2lib/2rsa.c
index 7d04dbc0..e360f1b1 100644
--- a/firmware/2lib/2rsa.c
+++ b/firmware/2lib/2rsa.c
@@ -356,7 +356,7 @@ vb2_error_t vb2_rsa_verify_digest(const struct vb2_public_key *key,
/* Signature length should be same as key length */
key_bytes = key->arrsize * sizeof(uint32_t);
- if (key_bytes != sig_size) {
+ if (key_bytes != sig_size || key->arrsize > key_bytes) {
VB2_DEBUG("Signature is of incorrect length!\n");
return VB2_ERROR_RSA_VERIFY_SIG_LEN;
}
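Review bot: The added `key->arrsize > key_bytes` guard does not reject every arrsize whose product wraps, assuming key_bytes is a 32-bit type as the guard presupposes: for a constructed example, arrsize 0x60000000 gives a truncated product of 0x80000000, which is larger than arrsize, so a sig_size of that value would pass both halves of the condition even though the real product does not match. The 2packed_key.c hunk in this same commit avoids that gap by comparing the widened product, and the same form works here while keeping key_bytes for its later uses: `if ((uint64_t)key->arrsize * sizeof(uint32_t) != sig_size) {` — at which point the arrsize > key_bytes clause is no longer needed. Whether sig_size is bounded elsewhere so that such values never arrive is not visible in this hunk; vb2_rsa_verify_digest starts before and continues past it.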
diff --git a/futility/misc.c b/futility/misc.c
index 3f3fb656..d56928b5 100644
--- a/futility/misc.c
+++ b/futility/misc.c
@@ -109,7 +109,7 @@ int futil_valid_gbb_header(struct vb2_gbb_header *gbb, uint32_t len,
return 0;
if (gbb->hwid_offset < EXPECTED_VB2_GBB_HEADER_SIZE)
return 0;
- if (gbb->hwid_offset + gbb->hwid_size > len)
+ if ((uint64_t)gbb->hwid_offset + gbb->hwid_size > len)
return 0;
if (gbb->hwid_size) {
const char *s = (const char *)
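Review bot: The widened offset-plus-size check on the changed line is written out by hand here and three more times in the second misc.c hunk (rootkey, bmpfv, recovery_key), which makes it easy for a future field to be added with the unwidened form; a small static helper would keep the wrap-safe comparison in one place. The field types are not visible in the hunk, so the helper below assumes they are 32-bit as the cast implies. futil_valid_gbb_header starts before this hunk, and the statement beginning `const char *s = (const char *)` continues past it.
```c
/* Reports whether [off, off + size) fits inside a buffer of len bytes;
 * the sum is widened so off + size cannot wrap on 32-bit fields. */
static int region_fits(uint32_t off, uint32_t size, uint32_t len)
{
	return (uint64_t)off + size <= len;
}
/* … unchanged: futil_valid_gbb_header up to the hwid_offset lower-bound check … */
	if (!region_fits(gbb->hwid_offset, gbb->hwid_size, len))
		return 0;
```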
@@ -119,16 +119,16 @@ int futil_valid_gbb_header(struct vb2_gbb_header *gbb, uint32_t len,
}
if (gbb->rootkey_offset < EXPECTED_VB2_GBB_HEADER_SIZE)
return 0;
- if (gbb->rootkey_offset + gbb->rootkey_size > len)
+ if ((uint64_t)gbb->rootkey_offset + gbb->rootkey_size > len)
return 0;
if (gbb->bmpfv_offset < EXPECTED_VB2_GBB_HEADER_SIZE)
return 0;
- if (gbb->bmpfv_offset + gbb->bmpfv_size > len)
+ if ((uint64_t)gbb->bmpfv_offset + gbb->bmpfv_size > len)
return 0;
if (gbb->recovery_key_offset < EXPECTED_VB2_GBB_HEADER_SIZE)
return 0;
- if (gbb->recovery_key_offset + gbb->recovery_key_size > len)
+ if ((uint64_t)gbb->recovery_key_offset + gbb->recovery_key_size > len)
return 0;
/* Seems legit... */