Merge "platform: msm_shared: add buffer overread check" into lk.lnx.1.0-dev.1.0
diff --git a/app/aboot/aboot.c b/app/aboot/aboot.c
index 5f1b5ff..7564319 100644
--- a/app/aboot/aboot.c
+++ b/app/aboot/aboot.c
@@ -2521,7 +2521,7 @@
 					fastboot_fail("unlock device to flash keystore");
 					return;
 				}
-				if(!boot_verify_validate_keystore((unsigned char *)data))
+				if(!boot_verify_validate_keystore((unsigned char *)data,sz))
 				{
 					fastboot_fail("image is not a keystore file");
 					return;
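Review bot: The new call on the changed line drops the space after the comma, `data,sz`, which departs from the spacing used elsewhere in this file (`fastboot_fail("...")`, `(unsigned char *)data`); I would write it as `if(!boot_verify_validate_keystore((unsigned char *)data, sz))`. The enclosing fastboot command handler begins and ends outside this hunk, so I cannot confirm here how `sz` is derived, but it should be the byte count actually received into `data`, not the declared download size, for the bound to be meaningful.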
diff --git a/platform/msm_shared/boot_verifier.c b/platform/msm_shared/boot_verifier.c
index 9c80839..12488a9 100644
--- a/platform/msm_shared/boot_verifier.c
+++ b/platform/msm_shared/boot_verifier.c
@@ -96,14 +96,14 @@
 	} ASN1_SEQUENCE_END(KEYSTORE)
 IMPLEMENT_ASN1_FUNCTIONS(KEYSTORE)
 
-static uint32_t read_der_message_length(unsigned char* input)
+static uint32_t read_der_message_length(unsigned char* input, unsigned sz)
 {
 	uint32_t len = 0;
-	int pos = 0;
+	uint32_t pos = 0;
 	uint8_t len_bytes = 1;
 
 	/* Check if input starts with Sequence id (0X30) */
-	if(input[pos] != 0x30)
+	if(sz < 3 || input[pos] != 0x30)
 		return len;
 	pos++;
 
@@ -132,7 +132,7 @@
 		}
 
 		/* Read next octet */
-		if (pos < (int) ASN1_SIGNATURE_BUFFER_SZ)
+		if (pos < (uint32_t) ASN1_SIGNATURE_BUFFER_SZ && pos < sz)
 			len = len | input[pos];
 		else
 		{
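Review bot: The truncated-length branch (`else { ... }`) begins on the last line of this hunk, so I cannot see whether it forces `len` back to 0 before returning; it must, because both callers treat any nonzero return as a valid DER length (`if(!sig_len)`, `if(!len)`), and a partially accumulated `len` from a buffer cut off mid-length-field would otherwise be accepted. If the branch only breaks out of the loop, the fix is a single `return 0;` there. The `(uint32_t) ASN1_SIGNATURE_BUFFER_SZ` cap is now redundant for the signature caller, which passes that same value as `sz`, but it is harmless and keeps the keystore path bounded too.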
@@ -550,7 +550,7 @@
 
 	/* Copy the signature from scratch memory to buffer */
 	memcpy(signature, sig_addr, ASN1_SIGNATURE_BUFFER_SZ);
-	sig_len = read_der_message_length(signature);
+	sig_len = read_der_message_length(signature, ASN1_SIGNATURE_BUFFER_SZ);
 
 	if(!sig_len)
 	{
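Review bot: `sig_len` is checked only for zero on the line after the changed call, but read_der_message_length returns the DER content length taken from the image, so a signature claiming a length larger than the `ASN1_SIGNATURE_BUFFER_SZ` bytes that were just memcpy'd would still be handed to the parser that presumably follows (outside this hunk). I would tighten the check to `if(!sig_len || sig_len > ASN1_SIGNATURE_BUFFER_SZ)`; strictly the bound is content length plus the tag and length octets, so a helper returning the header size would allow an exact comparison. The `memcpy(signature, sig_addr, ASN1_SIGNATURE_BUFFER_SZ)` itself reads a fixed number of bytes from `sig_addr` regardless of how much image data remains there; whether that region is always mapped and sized is decided earlier in this function, which starts outside the hunk.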
@@ -646,12 +646,12 @@
 	}
 }
 
-bool boot_verify_validate_keystore(unsigned char * user_addr)
+bool boot_verify_validate_keystore(unsigned char * user_addr, unsigned sz)
 {
 	bool ret = false;
 	unsigned char *input = user_addr;
 	KEYSTORE *ks = NULL;
-	uint32_t len = read_der_message_length(input);
+	uint32_t len = read_der_message_length(input, sz);
 	if(!len)
 	{
 		dprintf(CRITICAL, "boot_verifier: keystore length is invalid.\n");
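Review bot: The new `sz` parameter bounds the parsing of the length field, but the resulting `len` is not itself compared against `sz` before the keystore is parsed, so a DER header that declares a length far beyond the downloaded data still passes the `if(!len)` check and reaches the decoder that presumably follows (outside this hunk). I would extend the check to `if(!len || len > sz)` and log a distinct message for the over-long case, noting that `len` excludes the tag and length octets so the exact bound is slightly tighter. This is the check the commit title promises for the keystore path; without it the added `sz` only protects the few header bytes.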
diff --git a/platform/msm_shared/include/boot_verifier.h b/platform/msm_shared/include/boot_verifier.h
index c40a435..485cc3c 100644
--- a/platform/msm_shared/include/boot_verifier.h
+++ b/platform/msm_shared/include/boot_verifier.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2014-2015, The Linux Foundation. All rights reserved.
+ * Copyright (c) 2014-2016, The Linux Foundation. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions are
@@ -172,7 +172,7 @@
 /* Print current boot state */
 void boot_verify_print_state();
 /* Function to validate keystore */
-bool boot_verify_validate_keystore(unsigned char * user_addr);
+bool boot_verify_validate_keystore(unsigned char * user_addr, unsigned sz);
 /* Function to send root of trust to trust zone */
 bool send_rot_command(uint32_t is_unlocked);
 unsigned char* get_boot_fingerprint(unsigned int* buf_size);
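Review bot: The prototype gains an `sz` parameter but the one-line comment above it, `/* Function to validate keystore */`, still says nothing about it, and callers in other files have only this header to go by. I would expand it to `/* Validate the DER keystore at user_addr; sz is the number of bytes readable at user_addr and bounds the DER length parsing. Returns true on success. */`. The `unsigned` type is consistent with the `sz` already used in aboot.c, though `size_t` would be the conventional choice for a byte count if this header is ever revisited.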