author | nagendra modadugu <ngm@google.com> | 2016-07-15 21:29:54 -0700 |
---|---|---|
committer | chrome-bot <chrome-bot@chromium.org> | 2016-07-21 17:32:19 -0700 |
commit | b1c3aa2080f6edefa51c7c0b99c4d6c6b10303d1 (patch) | |
tree | 298b91932707c3dbc1d6fe09658d0bab692e58f7 | |
parent | b6a48a58958f67e479af3805c4a2bfadb1cc8bd3 (diff) | |
download | chrome-ec-b1c3aa2080f6edefa51c7c0b99c4d6c6b10303d1.tar.gz |
CR50: fix uninitialized buffer size in _cpri__SignRSA
The TPM2 wrapper library does not initialize the
size of an output buffer length prior to calling
into cr50/tpm2. This results in arbitrary failures
depending on memory layout.
Force the buffer length unseen, though this should
be fixed in the TPM2 library.
BRANCH=none
BUG=chrome-os-partner:43025,chrome-os-partner:47524
BUG=chrome-os-partner:50115,chrome-os-partner:55260
TEST=test full personalize + cros_ack verify cert flow
TEST=CPCTPM_TC2_2_20_02_03 passes, which was consistently failing
Signed-off-by: nagendra modadugu <ngm@google.com>
Reviewed-on: https://chromium-review.googlesource.com/360908
Reviewed-by: Vadim Bendebury <vbendeb@chromium.org>
(cherry picked from commit 635cb7ada25e76e504087916364e2db08a2133ab)
Change-Id: I90e9b4d76986ffa27acc944e48afc2efaadad7cd
Reviewed-on: https://chromium-review.googlesource.com/362116
Commit-Ready: Vadim Bendebury <vbendeb@chromium.org>
Tested-by: Vadim Bendebury <vbendeb@chromium.org>
-rw-r--r-- | board/cr50/tpm2/rsa.c | 2 |
1 files changed, 2 insertions, 0 deletions
diff --git a/board/cr50/tpm2/rsa.c b/board/cr50/tpm2/rsa.c index f39735db36..6ee310dbce 100644 --- a/board/cr50/tpm2/rsa.c +++ b/board/cr50/tpm2/rsa.c @@ -164,6 +164,8 @@ CRYPT_RESULT _cpri__SignRSA(uint32_t *out_len, uint8_t *out, rsa.d.dmax = key->privateKey->size / sizeof(uint32_t); rsa.d.d = (struct access_helper *) &key->privateKey->buffer; + /* TPM2 wrapper function fails to initialize out_len! */ + *out_len = key->publicKey->size; result = DCRYPTO_rsa_sign(&rsa, out, out_len, in, in_len, padding, hashing); |
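Review bot: the added `*out_len = key->publicKey->size;` overwrites whatever length the caller passed in, so from this point `DCRYPTO_rsa_sign` is told that `out` can hold a full modulus-sized signature, and nothing in the hunk checks that the buffer behind `out` is actually that large. Since `out_len` is now effectively output-only, the comment should state that contract explicitly (callers must supply an `out` buffer of at least `key->publicKey->size` bytes), or the function should take the capacity as a separate argument and reject a buffer that is too small. The comment also flags this as a defect in the TPM2 wrapper; marking it as a TODO with one of the bug numbers from the commit message would make it easier to find and remove the workaround once the library initializes the length itself.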