authorJoel Kitching <kitching@google.com>2019-11-23 16:56:01 +0800
committerCommit Bot <commit-bot@chromium.org>2019-11-25 13:38:17 +0000
commit30481361d88718fa6eead75508c552cc70c728dc (patch)
treefc8d4dd1a0c2249cf80bfb6d0babbc70712d46c3 /firmware/2lib/2misc.c
parent16c91aa86c73b9013d6e1397b7d0267a74f9540a (diff)
downloadvboot-30481361d88718fa6eead75508c552cc70c728dc.tar.gz
vboot: fix workbuf_used value after storing GBB header
After storing the GBB header on the workbuf, the offset of wb.buf is stored into workbuf_used by incorrectly using ctx as the pointer base, rather than sd (which corresponds to the start of the workbuf). This subtracts 8 bytes from the correct value of workbuf_used, and leaves the last 8 bytes of the GBB header vulnerable to being overwritten with any VB2_WORKBUF_ALIGN value less than 16. Also update the relevant vb2_misc_tests check to account for GBB headers with non-aligned sizes (currently the header is 128 bytes). BUG=b:124141368, chromium:1027846 TEST=Test with various VB2_WORKBUF_ALIGN values BRANCH=none Change-Id: I862d29155ce08df6911c277f8ce8c703ffaf1df7 Signed-off-by: Joel Kitching <kitching@google.com> Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/1932276 Tested-by: Joel Kitching <kitching@chromium.org> Reviewed-by: Yu-Ping Wu <yupingso@chromium.org> Commit-Queue: Joel Kitching <kitching@chromium.org>
Diffstat (limited to 'firmware/2lib/2misc.c')
-rw-r--r--firmware/2lib/2misc.c2
1 files changed, 1 insertions, 1 deletions
diff --git a/firmware/2lib/2misc.c b/firmware/2lib/2misc.c
index 3775dcee..92e930a8 100644
--- a/firmware/2lib/2misc.c
+++ b/firmware/2lib/2misc.c
@@ -178,7 +178,7 @@ vb2_error_t vb2_fw_init_gbb(struct vb2_context *ctx)
/* Keep on the work buffer permanently */
sd->gbb_offset = vb2_offset_of(sd, gbb);
- vb2_set_workbuf_used(ctx, vb2_offset_of(ctx, wb.buf));
+ vb2_set_workbuf_used(ctx, vb2_offset_of(sd, wb.buf));
/* Set any context flags based on GBB flags */
if (gbb->flags & VB2_GBB_FLAG_DISABLE_FWMP)