Gitiles
Code Review Sign In
gerrit-public.fairphone.software / kernel / lk / c7313cc6de38a566fc9db05c892cc69482014b96^! / . / platform
commitc7313cc6de38a566fc9db05c892cc69482014b96[log] [tgz]
authorGaurav Nebhwani <gauravn@codeaurora.org>Tue Dec 15 22:25:04 2015 +0530
committerGerrit - the friendly Code Review server <code-review@localhost>Thu Mar 17 04:14:25 2016 -0700
tree43737c383f909244b2ac1c26899e2b2909b768f2
parent80cab499a78a31f050135cb722aa6912a27d0d89 [diff]
platform: msm_shared: add buffer overread check

read_der_message_length assumes the size of input buffer itself
but this function is called by multiple functions that might have
different buffer size, so length of buffer is passed as a parameter
and added in the check.

Change-Id: I789a39fa670a3c191e6ea8e01bacc1221b472bf0

diff --git a/platform/msm_shared/boot_verifier.c b/platform/msm_shared/boot_verifier.c
index 9c80839..12488a9 100644
--- a/platform/msm_shared/boot_verifier.c
+++ b/platform/msm_shared/boot_verifier.c

@@ -96,14 +96,14 @@
 	} ASN1_SEQUENCE_END(KEYSTORE)
 IMPLEMENT_ASN1_FUNCTIONS(KEYSTORE)
 
-static uint32_t read_der_message_length(unsigned char* input)
+static uint32_t read_der_message_length(unsigned char* input, unsigned sz)
 {
 	uint32_t len = 0;
-	int pos = 0;
+	uint32_t pos = 0;
 	uint8_t len_bytes = 1;
 
 	/* Check if input starts with Sequence id (0X30) */
-	if(input[pos] != 0x30)
+	if(sz < 3 || input[pos] != 0x30)
 		return len;
 	pos++;
 
@@ -132,7 +132,7 @@
 		}
 
 		/* Read next octet */
-		if (pos < (int) ASN1_SIGNATURE_BUFFER_SZ)
+		if (pos < (uint32_t) ASN1_SIGNATURE_BUFFER_SZ && pos < sz)
 			len = len | input[pos];
 		else
 		{
@@ -550,7 +550,7 @@
 
 	/* Copy the signature from scratch memory to buffer */
 	memcpy(signature, sig_addr, ASN1_SIGNATURE_BUFFER_SZ);
-	sig_len = read_der_message_length(signature);
+	sig_len = read_der_message_length(signature, ASN1_SIGNATURE_BUFFER_SZ);
 
 	if(!sig_len)
 	{
@@ -646,12 +646,12 @@
 	}
 }
 
-bool boot_verify_validate_keystore(unsigned char * user_addr)
+bool boot_verify_validate_keystore(unsigned char * user_addr, unsigned sz)
 {
 	bool ret = false;
 	unsigned char *input = user_addr;
 	KEYSTORE *ks = NULL;
-	uint32_t len = read_der_message_length(input);
+	uint32_t len = read_der_message_length(input, sz);
 	if(!len)
 	{
 		dprintf(CRITICAL, "boot_verifier: keystore length is invalid.\n");

diff --git a/platform/msm_shared/include/boot_verifier.h b/platform/msm_shared/include/boot_verifier.h
index c40a435..485cc3c 100644
--- a/platform/msm_shared/include/boot_verifier.h
+++ b/platform/msm_shared/include/boot_verifier.h

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2014-2015, The Linux Foundation. All rights reserved.
+ * Copyright (c) 2014-2016, The Linux Foundation. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions are
@@ -172,7 +172,7 @@
 /* Print current boot state */
 void boot_verify_print_state();
 /* Function to validate keystore */
-bool boot_verify_validate_keystore(unsigned char * user_addr);
+bool boot_verify_validate_keystore(unsigned char * user_addr, unsigned sz);
 /* Function to send root of trust to trust zone */
 bool send_rot_command(uint32_t is_unlocked);
 unsigned char* get_boot_fingerprint(unsigned int* buf_size);