authorNicolas Boichat <drinkcat@chromium.org>2018-06-21 08:46:55 +0800
committerchrome-bot <chrome-bot@chromium.org>2018-06-22 08:21:26 -0700
commit5bad4a8c77cb01469818c8ae3c45d7acf79f336a (patch)
treefa480b5154f418760f0c63daeb92fa83d681fcc0
parent286faa5e78ef2f6768ae6eb06a7a54024f87e7d5 (diff)
downloadchrome-ec-5bad4a8c77cb01469818c8ae3c45d7acf79f336a.tar.gz
nvmem_vars: Make sure tuple structure is within bounds
The code uses a 0-byte to mark the end of the nvmem variables (which corresponds to tuple->key_len), check for that explicitly, then check if struct tuple fits within the nvmem. BRANCH=none BUG=chromium:854924 TEST=make TEST_ASAN=y run-nvmem_vars -j Change-Id: I7a974c64dec26c72de955f673d69a0712b023cb2 Signed-off-by: Nicolas Boichat <drinkcat@chromium.org> Reviewed-on: https://chromium-review.googlesource.com/1109616 Reviewed-by: Vadim Bendebury <vbendeb@chromium.org>
-rw-r--r--common/nvmem_vars.c13
1 files changed, 9 insertions, 4 deletions
diff --git a/common/nvmem_vars.c b/common/nvmem_vars.c
index 78b2d146c5..746c47d1d7 100644
--- a/common/nvmem_vars.c
+++ b/common/nvmem_vars.c
@@ -171,18 +171,23 @@ int initvars(void)
return rv;
for (i = len = 0; /* FOREVER */ 1; i += len) {
+ /* Zero byte (i.e. key_len == 0) indicates end of tuples. */
+ if (rbuf[i] == 0)
+ break;
+
tuple = (struct tuple *)(rbuf + i);
+ len = sizeof(struct tuple);
- /* Zero key_len indicates end of tuples, we're done */
- if (!tuple->key_len)
- break;
+ /* Make sure the tuple struct is within bounds. */
+ if (i + len > CONFIG_FLASH_NVMEM_VARS_USER_SIZE)
+ goto fixit;
/* Empty values are not allowed */
if (!tuple->val_len)
goto fixit;
/* See how big the tuple is */
- len = sizeof(struct tuple) + tuple->key_len + tuple->val_len;
+ len += tuple->key_len + tuple->val_len;
/* Oops, it's off the end (leave one byte for final 0) */
if (i + len >= CONFIG_FLASH_NVMEM_VARS_USER_SIZE)