authorJit Loon Lim <jit.loon.lim@intel.com>2022-09-13 10:24:04 +0800
committerVarun Wadekar <vwadekar@nvidia.com>2023-02-03 17:18:51 +0000
commit2b2eaf1d96255f5e56cf8469e98ee77631b0bcda (patch)
tree1d8ce38ca78b9f5c063762f37ae69c6bc45239c8
parentc06124dadc10a4cdc63772483921810dbc3f4b95 (diff)
downloadarm-trusted-firmware-2b2eaf1d96255f5e56cf8469e98ee77631b0bcda.tar.gz
fix(intel): fix fcs_client crashed when increased param size
No buffer overflow checking for param size. There is a security threat. Update code to check the param size according to the crypto param mode. Signed-off-by: Jit Loon Lim <jit.loon.lim@intel.com> Change-Id: I37a2d047edd9ff835b3f0986d85309c402887bef (cherry picked from commit c42402cdf8a3dfc6f6e62a92b2898066e8cc46f6)
-rw-r--r--plat/intel/soc/common/include/socfpga_fcs.h8
-rw-r--r--plat/intel/soc/common/sip/socfpga_sip_fcs.c23
2 files changed, 31 insertions, 0 deletions
diff --git a/plat/intel/soc/common/include/socfpga_fcs.h b/plat/intel/soc/common/include/socfpga_fcs.h
index 893551de3..91e00361b 100644
--- a/plat/intel/soc/common/include/socfpga_fcs.h
+++ b/plat/intel/soc/common/include/socfpga_fcs.h
@@ -84,6 +84,14 @@
#define FCS_ECDSA_HASH_SIGN_CMD_MAX_WORD_SIZE 17U
#define FCS_ECDSA_HASH_SIG_VERIFY_CMD_MAX_WORD_SIZE 52U
#define FCS_ECDH_REQUEST_CMD_MAX_WORD_SIZE 29U
+
+#define FCS_CRYPTO_ECB_BUFFER_SIZE 12U
+#define FCS_CRYPTO_CBC_CTR_BUFFER_SIZE 28U
+#define FCS_CRYPTO_BLOCK_MODE_MASK 0x07
+#define FCS_CRYPTO_ECB_MODE 0x00
+#define FCS_CRYPTO_CBC_MODE 0x01
+#define FCS_CRYPTO_CTR_MODE 0x02
+
/* FCS Payload Structure */
typedef struct fcs_rng_payload_t {
uint32_t session_id;
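Review bot: The new FCS_CRYPTO_BLOCK_MODE_MASK and the three FCS_CRYPTO_*_MODE macros are written as plain `0x07`, `0x00`, `0x01`, `0x02`, while every neighbouring constant in this header (and the two new buffer sizes) carries a `U` suffix. The mask is applied to a `uint64_t` read in socfpga_sip_fcs.c, so the signed literal is promoted harmlessly, but the inconsistency is worth fixing for MISRA-style cleanliness, e.g. `#define FCS_CRYPTO_BLOCK_MODE_MASK 0x07U`.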
diff --git a/plat/intel/soc/common/sip/socfpga_sip_fcs.c b/plat/intel/soc/common/sip/socfpga_sip_fcs.c
index facee0fbd..5f6f5decf 100644
--- a/plat/intel/soc/common/sip/socfpga_sip_fcs.c
+++ b/plat/intel/soc/common/sip/socfpga_sip_fcs.c
@@ -1620,6 +1620,29 @@ int intel_fcs_aes_crypt_init(uint32_t session_id, uint32_t context_id,
uint32_t key_id, uint64_t param_addr,
uint32_t param_size, uint32_t *mbox_error)
{
+ /* ptr to get param_addr value */
+ uint64_t *param_addr_ptr;
+
+ param_addr_ptr = (uint64_t *) param_addr;
+
+ /*
+ * Since crypto param size vary between mode.
+ * Check ECB here and limit to size 12 bytes
+ */
+ if (((*param_addr_ptr & FCS_CRYPTO_BLOCK_MODE_MASK) == FCS_CRYPTO_ECB_MODE) &&
+ (param_size > FCS_CRYPTO_ECB_BUFFER_SIZE)) {
+ return INTEL_SIP_SMC_STATUS_REJECTED;
+ }
+ /*
+ * Since crypto param size vary between mode.
+ * Check CBC/CTR here and limit to size 28 bytes
+ */
+ if ((((*param_addr_ptr & FCS_CRYPTO_BLOCK_MODE_MASK) == FCS_CRYPTO_CBC_MODE) ||
+ ((*param_addr_ptr & FCS_CRYPTO_BLOCK_MODE_MASK) == FCS_CRYPTO_CTR_MODE)) &&
+ (param_size > FCS_CRYPTO_CBC_CTR_BUFFER_SIZE)) {
+ return INTEL_SIP_SMC_STATUS_REJECTED;
+ }
+
if (mbox_error == NULL) {
return INTEL_SIP_SMC_STATUS_REJECTED;
}
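Review bot: The two new size checks only bound param_size when the low three bits of the first word select ECB, CBC or CTR; any other value of `*param_addr_ptr & FCS_CRYPTO_BLOCK_MODE_MASK` (3 through 7) skips both `if` blocks and param_size stays unbounded, which is the overflow the commit sets out to close. A second gap is that `*param_addr_ptr` reads eight bytes from the caller-supplied address before param_size is checked at all, so a param_size of 0 (or anything smaller than the read) lets the mode check read past the buffer the caller declared; if the rest of intel_fcs_aes_crypt_init validates that param_addr lies in non-secure memory (the body continues past the hunk, so I cannot see it), that validation should also precede this dereference. Collapsing the checks into one `switch` with a rejecting `default` fixes the first gap and makes the per-mode limits easier to extend; the sketch below also guards the read size, with the minimum expressed as the width of the read — if the mode actually lives in the first 32-bit word a `uint32_t` read and bound would be tighter.

```c
	/* ptr to get param_addr value */
	uint64_t *param_addr_ptr;
	uint32_t max_param_size;

	/* The mode word is read below; the caller must have supplied at least that much. */
	if (param_size < sizeof(uint64_t)) {
		return INTEL_SIP_SMC_STATUS_REJECTED;
	}

	param_addr_ptr = (uint64_t *) param_addr;

	/* Crypto param size varies by block mode; unknown modes are rejected. */
	switch (*param_addr_ptr & FCS_CRYPTO_BLOCK_MODE_MASK) {
	case FCS_CRYPTO_ECB_MODE:
		max_param_size = FCS_CRYPTO_ECB_BUFFER_SIZE;
		break;
	case FCS_CRYPTO_CBC_MODE:
	case FCS_CRYPTO_CTR_MODE:
		max_param_size = FCS_CRYPTO_CBC_CTR_BUFFER_SIZE;
		break;
	default:
		return INTEL_SIP_SMC_STATUS_REJECTED;
	}

	if (param_size > max_param_size) {
		return INTEL_SIP_SMC_STATUS_REJECTED;
	}

	/* … unchanged: mbox_error NULL check and the rest of the function … */
```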