firmware: google: check if size is valid when decoding VPD data

author Hung-Te Lin <hungte@chromium.org>

Fri, 30 Aug 2019 02:23:58 +0000 (10:23 +0800)

committer Greg Kroah-Hartman <gregkh@linuxfoundation.org>

Wed, 4 Sep 2019 11:31:28 +0000 (13:31 +0200)
author Hung-Te Lin <hungte@chromium.org>
Fri, 30 Aug 2019 02:23:58 +0000 (10:23 +0800)
committer Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Wed, 4 Sep 2019 11:31:28 +0000 (13:31 +0200)
diff --git a/drivers/firmware/google/vpd.c b/drivers/firmware/google/vpd.c

index 0739f3b70347bb6ad340c216f3e5515f726ddd33..db0812263d462309193837dc022a538cee7ff98f 100644 (file)
--- a/drivers/firmware/google/vpd.c
+++ b/drivers/firmware/google/vpd.c
@@ -92,8 +92,8 @@ static int vpd_section_check_key_name(const u8 *key, s32 key_len)
         return VPD_OK;
  }
  
-static int vpd_section_attrib_add(const u8 *key, s32 key_len,
-                                 const u8 *value, s32 value_len,
+static int vpd_section_attrib_add(const u8 *key, u32 key_len,
+                                 const u8 *value, u32 value_len,
                                   void *arg)
  {
         int ret;
diff --git a/drivers/firmware/google/vpd_decode.c b/drivers/firmware/google/vpd_decode.c

index 92e3258552fcafefc93c30ccf155a7043d40b92e..dda525c0f968271ad576381d103ad2c54d945a65 100644 (file)
--- a/drivers/firmware/google/vpd_decode.c
+++ b/drivers/firmware/google/vpd_decode.c
@@ -9,8 +9,8 @@
  
  #include "vpd_decode.h"
  
-static int vpd_decode_len(const s32 max_len, const u8 *in,
-                         s32 *length, s32 *decoded_len)
+static int vpd_decode_len(const u32 max_len, const u8 *in,
+                         u32 *length, u32 *decoded_len)
  {
         u8 more;
         int i = 0;
@@ -30,18 +30,39 @@ static int vpd_decode_len(const s32 max_len, const u8 *in,
         } while (more);
  
         *decoded_len = i;
+       return VPD_OK;
+}
+
+static int vpd_decode_entry(const u32 max_len, const u8 *input_buf,
+                           u32 *_consumed, const u8 **entry, u32 *entry_len)
+{
+       u32 decoded_len;
+       u32 consumed = *_consumed;
+
+       if (vpd_decode_len(max_len - consumed, &input_buf[consumed],
+                          entry_len, &decoded_len) != VPD_OK)
+               return VPD_FAIL;
+       if (max_len - consumed < decoded_len)
+               return VPD_FAIL;
+
+       consumed += decoded_len;
+       *entry = input_buf + consumed;
+
+       /* entry_len is untrusted data and must be checked again. */
+       if (max_len - consumed < *entry_len)
+               return VPD_FAIL;
  
+       consumed += decoded_len;
+       *_consumed = consumed;
         return VPD_OK;
  }
  
-int vpd_decode_string(const s32 max_len, const u8 *input_buf, s32 *consumed,
+int vpd_decode_string(const u32 max_len, const u8 *input_buf, u32 *consumed,
                       vpd_decode_callback callback, void *callback_arg)
  {
         int type;
-       int res;
-       s32 key_len;
-       s32 value_len;
-       s32 decoded_len;
+       u32 key_len;
+       u32 value_len;
         const u8 *key;
         const u8 *value;
  
@@ -56,26 +77,14 @@ int vpd_decode_string(const s32 max_len, const u8 *input_buf, s32 *consumed,
         case VPD_TYPE_STRING:
                 (*consumed)++;
  
-               /* key */
-               res = vpd_decode_len(max_len - *consumed, &input_buf[*consumed],
-                                    &key_len, &decoded_len);
-               if (res != VPD_OK || *consumed + decoded_len >= max_len)
+               if (vpd_decode_entry(max_len, input_buf, consumed, &key,
+                                    &key_len) != VPD_OK)
                         return VPD_FAIL;
  
-               *consumed += decoded_len;
-               key = &input_buf[*consumed];
-               *consumed += key_len;
-
-               /* value */
-               res = vpd_decode_len(max_len - *consumed, &input_buf[*consumed],
-                                    &value_len, &decoded_len);
-               if (res != VPD_OK || *consumed + decoded_len > max_len)
+               if (vpd_decode_entry(max_len, input_buf, consumed, &value,
+                                    &value_len) != VPD_OK)
                         return VPD_FAIL;
  
-               *consumed += decoded_len;
-               value = &input_buf[*consumed];
-               *consumed += value_len;
-
                 if (type == VPD_TYPE_STRING)
                         return callback(key, key_len, value, value_len,
                                         callback_arg);
diff --git a/drivers/firmware/google/vpd_decode.h b/drivers/firmware/google/vpd_decode.h

index cf8c2ace155a11e1d12d1d5b9981b47b6b167325..8dbe41cac599b14b094a37d409a4a9c8d3660816 100644 (file)
--- a/drivers/firmware/google/vpd_decode.h
+++ b/drivers/firmware/google/vpd_decode.h
@@ -25,8 +25,8 @@ enum {
  };
  
  /* Callback for vpd_decode_string to invoke. */
-typedef int vpd_decode_callback(const u8 *key, s32 key_len,
-                               const u8 *value, s32 value_len,
+typedef int vpd_decode_callback(const u8 *key, u32 key_len,
+                               const u8 *value, u32 value_len,
                                 void *arg);
  
  /*
@@ -44,7 +44,7 @@ typedef int vpd_decode_callback(const u8 *key, s32 key_len,
   * If one entry is successfully decoded, sends it to callback and returns the
   * result.
   */
-int vpd_decode_string(const s32 max_len, const u8 *input_buf, s32 *consumed,
+int vpd_decode_string(const u32 max_len, const u8 *input_buf, u32 *consumed,
                       vpd_decode_callback callback, void *callback_arg);
  
  #endif  /* __VPD_DECODE_H */
author	Hung-Te Lin <hungte@chromium.org>
	Fri, 30 Aug 2019 02:23:58 +0000 (10:23 +0800)
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	Wed, 4 Sep 2019 11:31:28 +0000 (13:31 +0200)
drivers/firmware/google/vpd.c		patch \| blob \| blame \| history
drivers/firmware/google/vpd_decode.c		patch \| blob \| blame \| history
drivers/firmware/google/vpd_decode.h		patch \| blob \| blame \| history