Initalize the recovery message ISSUE: There are uninitialized memory buffers when processing fastboot commands causing information disclosure leading to a general bypass for a defense in depth or exploit mitigation technology in a privileged process the TCB or the TEE. This patch initializes each allocation of struct recovery_message to 0. FPIIM-2015 Change-Id: I168ac218e0c75336f2aab51df00955035f3cf162

commit: 39f68db6e2f098fe600769e8a60a91340d507d30 [log] [tgz]
author: Dirk Vogt <dirk@fairphone.com> Mon Oct 16 15:05:11 2017 +0200
committer: Borjan Tchakaloff <borjan@fairphone.com> Thu Oct 19 08:32:48 2017 +0000
tree: 75b6994896579ff83fa834970d80976e7c65c42a
parent: 87f6ac005aa39fd22983512a21b029ca4a376c42 [diff]
diff --git a/app/aboot/aboot.c b/app/aboot/aboot.c
index 183f9a4..1c8b989 100755
--- a/app/aboot/aboot.c
+++ b/app/aboot/aboot.c

@@ -2303,6 +2303,7 @@
 void cmd_oem_lock(const char *arg, void *data, unsigned sz)
 {
 	struct recovery_message msg;
+	memset(&msg, 0, sizeof(msg));
 	if(device.is_unlocked)
 	{
 		device.is_unlocked = 0;
@@ -2324,6 +2325,7 @@
 		device.is_unlocked = 1;
 		write_device_info(&device);
 		struct recovery_message msg;
+		memset(&msg, 0, sizeof(msg));
 		snprintf(msg.recovery, sizeof(msg.recovery), "recovery\n--wipe_data");
 		write_misc(0, &msg, sizeof(msg));
commit	39f68db6e2f098fe600769e8a60a91340d507d30	[log] [tgz]
author	Dirk Vogt <dirk@fairphone.com>	Mon Oct 16 15:05:11 2017 +0200
committer	Borjan Tchakaloff <borjan@fairphone.com>	Thu Oct 19 08:32:48 2017 +0000
tree	75b6994896579ff83fa834970d80976e7c65c42a
parent	87f6ac005aa39fd22983512a21b029ca4a376c42 [diff]