From a539c259d42fb63a0a4a3cfab231c83afc652a91 Mon Sep 17 00:00:00 2001 From: Li Feng Date: Thu, 2 Mar 2023 20:31:57 -0800 Subject: HC: check response buffer size before copying data ISH has allocated 128 bytes for HECI response message; 112 bytes can be used to store HC response data. But EC_CMD_GET_VERSION v1 response data has 132 bytes. Copying data without checking buffer size causes buffer overflow. And we observed an issue that HECI client handle is changed by this. The fix is to add size check and return EC_RES_RESPONSE_TOO_BIG on error. CL:4302834 increases ISH buffer size as well; so that host can get version information. BUG=b:271502099 BRANCH=none TEST=on Rex platform with ISH enabled, monitor HECI client handle value is the same all the time. No more "Timed out for response to host message". Change-Id: Ibee2fb6a54d3c7d1d60d90a8f6b20bc89066ff5a Signed-off-by: Li Feng Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/4305920 Reviewed-by: Tanu Malhotra Reviewed-by: Daisuke Nojiri (cherry picked from commit c8234cc5335ad31d27d578d89bab4f2172e4f22a) Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/4359514 Tested-by: Li Feng Commit-Queue: Gwendal Grignou --- common/system.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/common/system.c b/common/system.c index 2ad2e4310b..ca57e7b6d7 100644 --- a/common/system.c +++ b/common/system.c @@ -1601,6 +1601,9 @@ host_command_get_version(struct host_cmd_handler_args *args) * to zero uninitialized fields here. */ if (args->version > 0 && IS_ENABLED(CONFIG_CROS_FWID_VERSION)) { + if (args->response_max < sizeof(*r)) + return EC_RES_RESPONSE_TOO_BIG; + strzcpy(r->cros_fwid_ro, system_get_cros_fwid(EC_IMAGE_RO), sizeof(r->cros_fwid_ro)); strzcpy(r->cros_fwid_rw, system_get_cros_fwid(EC_IMAGE_RW), -- cgit v1.2.1
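Review bot: the new size check sits inside the `if (args->version > 0 && IS_ENABLED(CONFIG_CROS_FWID_VERSION))` branch, immediately before the `strzcpy` into `r->cros_fwid_ro`, so any fields filled in above the hunk (outside the visible context) are already written by the time a too-small `response_max` is detected; if the intent is to reject an undersized buffer before touching the response at all, the check belongs at the top of the handler rather than in the v1-only branch. The guard also compares against `sizeof(*r)` for the whole struct, which is the right bound for the 132-byte v1 layout the commit message describes, but a one-line comment next to the check explaining why `sizeof(*r)` is the minimum here (v1 response is larger than the buffer some callers provide, per the 112-byte figure in the message) would help the next reader, since the existing "to zero uninitialized fields here" comment above it no longer describes what follows.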