diff options
| author | Joel Kitching <kitching@google.com> | 2019-11-23 16:56:01 +0800 |
|---|---|---|
| committer | Commit Bot <commit-bot@chromium.org> | 2019-12-03 02:42:26 +0000 |
| commit | 5329c24701edf83112297bf56d202b9f7f0a5224 (patch) | |
| tree | 7a981914d5a1a5f11f34747cb30ac3d38754a70b | |
| parent | f479e44e0be7b4108c08c3d6fe1187fff90a0247 (diff) | |
| download | vboot-5329c24701edf83112297bf56d202b9f7f0a5224.tar.gz | |
vboot: fix workbuf_used value after storing GBB header
After storing the GBB header on the workbuf, the offset of wb.buf
is stored into workbuf_used by incorrectly using ctx as the
pointer base, rather than sd (which corresponds to the start of
the workbuf). This subtracts 8 bytes from the correct value of
workbuf_used, and leaves the last 8 bytes of the GBB header
vulnerable to being overwritten with any VB2_WORKBUF_ALIGN values
less than 16.
Also update the relevant vb2_misc_tests check to account for
GBB headers with non-aligned sizes (currently it is 128 bytes).
BUG=b:124141368, chromium:1027846
TEST=Test with various VB2_WORKBUF_ALIGN values
BRANCH=none
Change-Id: I862d29155ce08df6911c277f8ce8c703ffaf1df7
Signed-off-by: Joel Kitching <kitching@google.com>
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/1932276
Tested-by: Joel Kitching <kitching@chromium.org>
Reviewed-by: Yu-Ping Wu <yupingso@chromium.org>
Commit-Queue: Joel Kitching <kitching@chromium.org>
(cherry picked from commit 30481361d88718fa6eead75508c552cc70c728dc)
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/1947347
Reviewed-by: Shelley Chen <shchen@chromium.org>
Commit-Queue: Shelley Chen <shchen@chromium.org>
Tested-by: Shelley Chen <shchen@chromium.org>
| -rw-r--r-- | firmware/2lib/2misc.c | 2 | ||||
| -rw-r--r-- | tests/vb2_misc_tests.c | 6 |
2 files changed, 4 insertions, 4 deletions
diff --git a/firmware/2lib/2misc.c b/firmware/2lib/2misc.c index 3775dcee..92e930a8 100644 --- a/firmware/2lib/2misc.c +++ b/firmware/2lib/2misc.c @@ -178,7 +178,7 @@ vb2_error_t vb2_fw_init_gbb(struct vb2_context *ctx) /* Keep on the work buffer permanently */ sd->gbb_offset = vb2_offset_of(sd, gbb); - vb2_set_workbuf_used(ctx, vb2_offset_of(ctx, wb.buf)); + vb2_set_workbuf_used(ctx, vb2_offset_of(sd, wb.buf)); /* Set any context flags based on GBB flags */ if (gbb->flags & VB2_GBB_FLAG_DISABLE_FWMP) diff --git a/tests/vb2_misc_tests.c b/tests/vb2_misc_tests.c index 5f2b6c85..38806eaa 100644 --- a/tests/vb2_misc_tests.c +++ b/tests/vb2_misc_tests.c @@ -325,9 +325,9 @@ static void gbb_tests(void) original definition of vb2_get_gbb. */ struct vb2_gbb_header *current_gbb = vb2_member_of(sd, sd->gbb_offset); TEST_SUCC(memcmp(&gbbsrc, current_gbb, sizeof(gbbsrc)), - "copy gbb contents"); - TEST_EQ(used_before, sd->workbuf_used - sizeof(gbbsrc), - "unexpected workbuf size"); + " copy gbb contents"); + TEST_TRUE(sd->workbuf_used - sizeof(gbbsrc) - used_before + < VB2_WORKBUF_ALIGN, " unexpected workbuf size"); /* Workbuf failure */ reset_common_data(); |