author    Li Feng <li1.feng@intel.com>  2023-03-02 20:31:57 -0800
committer Chromeos LUCI <chromeos-scoped@luci-project-accounts.iam.gserviceaccount.com>  2023-03-27 16:39:31 +0000
commit    a539c259d42fb63a0a4a3cfab231c83afc652a91 (patch)
tree      9510da332d0beb736b082bd036450aa18c7ae883
parent    ad67dfda11c9495c3d3802e8082e388a7e8880df (diff)
download  chrome-ec-release-R112-15359.B-main.tar.gz
ISH has allocated 128 bytes for HECI response message; 112 bytes can be used to store HC response data. But EC_CMD_GET_VERSION v1 response data has 132 bytes. Copying data without checking buffer size causes buffer overflow. And we observed an issue that HECI client handle is changed by this.

The fix is to add size check and return EC_RES_RESPONSE_TOO_BIG on error.

CL:4302834 increases ISH buffer size as well; so that host can get version information.

BUG=b:271502099
BRANCH=none
TEST=on Rex platform with ISH enabled, monitor HECI client handle value is the same all the time. No more "Timed out for response to host message".

Change-Id: Ibee2fb6a54d3c7d1d60d90a8f6b20bc89066ff5a
Signed-off-by: Li Feng <li1.feng@intel.com>
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/4305920
Reviewed-by: Tanu Malhotra <tanu.malhotra@intel.com>
Reviewed-by: Daisuke Nojiri <dnojiri@chromium.org>
(cherry picked from commit c8234cc5335ad31d27d578d89bab4f2172e4f22a)
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/4359514
Tested-by: Li Feng <li1.feng@intel.corp-partner.google.com>
Commit-Queue: Gwendal Grignou <gwendal@chromium.org>
-rw-r--r--  common/system.c  3
1 file changed, 3 insertions, 0 deletions
diff --git a/common/system.c b/common/system.c
index 2ad2e4310b..ca57e7b6d7 100644
--- a/common/system.c
+++ b/common/system.c
@@ -1601,6 +1601,9 @@ host_command_get_version(struct host_cmd_handler_args *args)
* to zero uninitialized fields here.
*/
if (args->version > 0 && IS_ENABLED(CONFIG_CROS_FWID_VERSION)) {
+ if (args->response_max < sizeof(*r))
+ return EC_RES_RESPONSE_TOO_BIG;
+
strzcpy(r->cros_fwid_ro, system_get_cros_fwid(EC_IMAGE_RO),
sizeof(r->cros_fwid_ro));
strzcpy(r->cros_fwid_rw, system_get_cros_fwid(EC_IMAGE_RW),
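Review bot: the new `if (args->response_max < sizeof(*r)) return EC_RES_RESPONSE_TOO_BIG;` guard sits inside the `args->version > 0 && IS_ENABLED(CONFIG_CROS_FWID_VERSION)` branch, so it only fires for the v1 response and only after the preceding code (which the comment fragment above describes as zeroing fields of the response) has already touched the buffer; consider hoisting the check to the top of `host_command_get_version` so a short `response_max` is rejected before any byte is written into `args->response`, and so the v0 path gets an equivalent guard against its own struct size rather than relying on whatever the dispatcher guarantees, which this hunk does not show. A one-line comment naming which struct `*r` refers to (the v1 layout, per the commit message's 132-byte figure) would also make it clear to the next reader why `sizeof(*r)` is the right bound for this branch and not for the v0 one.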