|
 |
4ac4b9 |
From 77d4592e3eec9ec2c7932586f41f925b43ecc5ba Mon Sep 17 00:00:00 2001
|
|
|
4ac4b9 |
From: Imran Desai <imran.desai@intel.com>
|
|
|
4ac4b9 |
Date: Sun, 29 Mar 2020 10:22:42 -0700
|
|
|
4ac4b9 |
Subject: [PATCH] tools/tpm2_nvcertify.c: Fix incompatible pointer cast that
|
|
|
4ac4b9 |
may cause memory leak
|
|
|
4ac4b9 |
|
|
|
4ac4b9 |
Pointer "&ctx.size" and "&ctx.offset" points to an object whose effective type is
|
|
|
4ac4b9 |
"unsigned short" (16 bits, unsigned) but is dereferenced as a wider
|
|
|
4ac4b9 |
"unsigned int" (32 bits, unsigned). This may lead to memory corruption.
|
|
|
4ac4b9 |
|
|
|
4ac4b9 |
Signed-off-by: Imran Desai <imran.desai@intel.com>
|
|
|
4ac4b9 |
---
|
|
|
4ac4b9 |
tools/tpm2_nvcertify.c | 17 +++++++++++++++--
|
|
|
4ac4b9 |
1 file changed, 15 insertions(+), 2 deletions(-)
|
|
|
4ac4b9 |
|
|
|
4ac4b9 |
diff --git a/tools/tpm2_nvcertify.c b/tools/tpm2_nvcertify.c
|
|
|
4ac4b9 |
index b49f38dbff20..414cbea85574 100644
|
|
|
4ac4b9 |
--- a/tools/tpm2_nvcertify.c
|
|
|
4ac4b9 |
+++ b/tools/tpm2_nvcertify.c
|
|
|
4ac4b9 |
@@ -80,6 +80,7 @@ static bool set_signature_format(char *value) {
|
|
|
4ac4b9 |
static bool on_option(char key, char *value) {
|
|
|
4ac4b9 |
|
|
|
4ac4b9 |
bool result = true;
|
|
|
4ac4b9 |
+ uint32_t input_value;
|
|
|
4ac4b9 |
|
|
|
4ac4b9 |
switch (key) {
|
|
|
4ac4b9 |
case 'C':
|
|
|
4ac4b9 |
@@ -110,18 +111,30 @@ static bool on_option(char key, char *value) {
|
|
|
4ac4b9 |
ctx.policy_qualifier_arg = value;
|
|
|
4ac4b9 |
break;
|
|
|
4ac4b9 |
case 0:
|
|
|
4ac4b9 |
- result = tpm2_util_string_to_uint32(value, (uint32_t*)&ctx.size);
|
|
|
4ac4b9 |
+ result = tpm2_util_string_to_uint32(value, &input_value);
|
|
|
4ac4b9 |
if (!result) {
|
|
|
4ac4b9 |
LOG_ERR("Could not convert size to number, got: \"%s\"", value);
|
|
|
4ac4b9 |
return false;
|
|
|
4ac4b9 |
}
|
|
|
4ac4b9 |
+ if (input_value > UINT16_MAX) {
|
|
|
4ac4b9 |
+ LOG_ERR("Specified size is larger than that allowed by command");
|
|
|
4ac4b9 |
+ return false;
|
|
|
4ac4b9 |
+ } else {
|
|
|
4ac4b9 |
+ ctx.size = input_value;
|
|
|
4ac4b9 |
+ }
|
|
|
4ac4b9 |
break;
|
|
|
4ac4b9 |
case 1:
|
|
|
4ac4b9 |
- result = tpm2_util_string_to_uint32(value, (uint32_t*)&ctx.offset);
|
|
|
4ac4b9 |
+ result = tpm2_util_string_to_uint32(value, &input_value);
|
|
|
4ac4b9 |
if (!result) {
|
|
|
4ac4b9 |
LOG_ERR("Could not convert offset to number, got: \"%s\"", value);
|
|
|
4ac4b9 |
return false;
|
|
|
4ac4b9 |
}
|
|
|
4ac4b9 |
+ if (input_value > UINT16_MAX) {
|
|
|
4ac4b9 |
+ LOG_ERR("Specified offset is larger than that allowed by command");
|
|
|
4ac4b9 |
+ return false;
|
|
|
4ac4b9 |
+ } else {
|
|
|
4ac4b9 |
+ ctx.offset = input_value;
|
|
|
4ac4b9 |
+ }
|
|
|
4ac4b9 |
break;
|
|
|
4ac4b9 |
case 2:
|
|
|
4ac4b9 |
ctx.certify_info_path = value;
|
|
|
4ac4b9 |
--
|
|
|
4ac4b9 |
2.31.0
|
|
|
4ac4b9 |
|