author | Vadim Bendebury <vbendeb@chromium.org> | 2017-09-13 09:20:30 -0700 |
---|---|---|
committer | chrome-bot <chrome-bot@chromium.org> | 2017-09-26 16:14:05 -0700 |
commit | ea36e7d59b9bd05f65d85518ec611e1904ac6f2b (patch) | |
tree | eddd6231c348d1c2dd5f380816d12de49c53f1f6 /board | |
parent | 3fe117d346e2a23d316cbdf038f95ccb62ac4565 (diff) | |
cr50: fix hash test code memory management
The hash test code memory management is somewhat loose: it does not
clean up allocated buffer, but then uses it to check for presence of
the previously created handles, which can result in false positives.
Let's zero the buffer each time it is allocated and let's use
hash_test_db.contexts as the indicator if the buffer is allocated or
not.
BRANCH=cr50
BUG=none
TEST=ran ./test/tpm_test/tpmtest.py, observed rsa tests pass.
Change-Id: Iad4b4e2662fc7266ee6f556f6ddfd0051e7172d7
Signed-off-by: Vadim Bendebury <vbendeb@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/665321
Reviewed-by: Shawn N <shawnn@chromium.org>
Diffstat (limited to 'board')
-rw-r--r-- | board/cr50/tpm2/hash.c | 24 |
1 files changed, 18 insertions, 6 deletions
diff --git a/board/cr50/tpm2/hash.c b/board/cr50/tpm2/hash.c
index cb52526831..157100fd96 100644
--- a/board/cr50/tpm2/hash.c
+++ b/board/cr50/tpm2/hash.c
@@ -190,17 +190,28 @@ static void process_start(TPM_ALG_ID alg, int handle, void *response_body,
 }
 if (!hash_test_db.max_contexts) {
+ size_t buffer_size;
+
 /* Check how many contexts could possible fit. */
 hash_test_db.max_contexts = shared_mem_size() / sizeof(struct test_context);
- }
- if (!hash_test_db.contexts)
- shared_mem_acquire(shared_mem_size(),
- (char **)&hash_test_db.contexts);
+ buffer_size = sizeof(struct test_context) *
+ hash_test_db.max_contexts;
+
+ if (shared_mem_acquire(buffer_size,
+ (char **)&hash_test_db.contexts) !=
+ EC_SUCCESS) {
+ /* Must be out of memory. */
+ hash_test_db.max_contexts = 0;
+ *response = EXC_HASH_TOO_MANY_HANDLES;
+ *response_size = 1;
+ return;
+ }
+ memset(hash_test_db.contexts, 0, buffer_size);
+ }
- if (!hash_test_db.contexts ||
- (hash_test_db.current_context_count == hash_test_db.max_contexts)) {
+ if (hash_test_db.current_context_count == hash_test_db.max_contexts) {
 *response = EXC_HASH_TOO_MANY_HANDLES;
 *response_size = 1;
 return;
@@ -246,6 +257,7 @@ static void process_finish(int handle, void *response_body,
 hash_test_db.current_context_count--;
 if (!hash_test_db.current_context_count) {
 shared_mem_release(hash_test_db.contexts);
+ hash_test_db.max_contexts = 0;
 return;
 }
|
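Review bot: The new allocation path in process_start does not handle `shared_mem_size() / sizeof(struct test_context)` evaluating to 0. In that case `buffer_size` is 0, the acquire is still attempted, and because `max_contexts` stays 0 a later call re-enters this branch and tries to acquire again with no release in between. Folding the check into the existing error path avoids that: `if (!hash_test_db.max_contexts || shared_mem_acquire(buffer_size, (char **)&hash_test_db.contexts) != EC_SUCCESS) {`. The comment `/* Must be out of memory. */` also assumes a single failure cause; if the allocator can fail for other reasons, such as the shared buffer being held elsewhere, `/* Shared memory unavailable. */` would be more accurate. The function body starts before this hunk and continues past it.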
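Review bot: In the process_finish hunk, `hash_test_db.contexts` still holds the released address after `shared_mem_release(hash_test_db.contexts)`; only `max_contexts` is reset, although the commit message names `hash_test_db.contexts` as the allocation indicator. Adding `hash_test_db.contexts = NULL;` next to the reset would make any later access through the stale pointer fail visibly instead of reading memory that another shared-memory user may now own. Whether any path outside this hunk reads `contexts` while the count is zero cannot be seen here, so this is a hardening suggestion rather than a confirmed bug. process_finish starts before the hunk and ends after it.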