Philipp Deppenwiese submitted this change.

View Change

Approvals: build bot (Jenkins): Verified Kyösti Mälkki: Looks good to me, approved Philipp Deppenwiese: Looks good to me, approved Julius Werner: Looks good to me, approved 
security/tpm: Use correct hash digest lengths

TPMU_HA is a union of all the different hash digests, and so
sizeof(TPMU_HA) evaluates to 64 (the size of the largest one). This will
lead to out-of-bounds writes when copying smaller digests, so use the
specific digest size for each algorithm.

Change-Id: Ic9101f157d5a19836b200ecd99f060de552498d2
Signed-off-by: Jacob Garber <jgarber1@ualberta.ca>
Found-by: Coverity CID 14049{49,50,51,52,53,54,55,56,57,58,60,61,62}
Reviewed-on: https://review.coreboot.org/c/coreboot/+/35287
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Julius Werner <jwerner@chromium.org>
Reviewed-by: Kyösti Mälkki <kyosti.malkki@gmail.com>
Reviewed-by: Philipp Deppenwiese <zaolin.daisuki@gmail.com>
---
M src/security/tpm/tspi/tspi.c
M src/security/tpm/tss/tcg-2.0/tss.c
2 files changed, 7 insertions(+), 7 deletions(-)

diff --git a/src/security/tpm/tspi/tspi.c b/src/security/tpm/tspi/tspi.c
index 4cf3711..e64e04f 100644
--- a/src/security/tpm/tspi/tspi.c
+++ b/src/security/tpm/tspi/tspi.c
@@ -219,12 +219,12 @@
 	case VB2_HASH_SHA1:
 		tpml_digests.digests[0].hashAlg = TPM_ALG_SHA1;
 		memcpy(tpml_digests.digests[0].digest.sha1,
-		       digest, sizeof(TPMU_HA));
+		       digest, SHA1_DIGEST_SIZE);
 		break;
 	case VB2_HASH_SHA256:
 		tpml_digests.digests[0].hashAlg = TPM_ALG_SHA256;
 		memcpy(tpml_digests.digests[0].digest.sha256,
-		       digest, sizeof(TPMU_HA));
+		       digest, SHA256_DIGEST_SIZE);
 		break;
 	default:
 		return TPM_E_IOERROR;
diff --git a/src/security/tpm/tss/tcg-2.0/tss.c b/src/security/tpm/tss/tcg-2.0/tss.c
index fab334f..d9deba5 100644
--- a/src/security/tpm/tss/tcg-2.0/tss.c
+++ b/src/security/tpm/tss/tcg-2.0/tss.c
@@ -148,27 +148,27 @@
 		case TPM_ALG_SHA1:
 			memcpy(pcr_ext_cmd.digests.digests[i].digest.sha1,
 			       tpml_digests->digests[i].digest.sha1,
-			       sizeof(TPMU_HA));
+			       SHA1_DIGEST_SIZE);
 			break;
 		case TPM_ALG_SHA256:
 			memcpy(pcr_ext_cmd.digests.digests[i].digest.sha256,
 			       tpml_digests->digests[i].digest.sha256,
-			       sizeof(TPMU_HA));
+			       SHA256_DIGEST_SIZE);
 			break;
 		case TPM_ALG_SHA384:
 			memcpy(pcr_ext_cmd.digests.digests[i].digest.sha384,
 			       tpml_digests->digests[i].digest.sha384,
-			       sizeof(TPMU_HA));
+			       SHA384_DIGEST_SIZE);
 			break;
 		case TPM_ALG_SHA512:
 			memcpy(pcr_ext_cmd.digests.digests[i].digest.sha512,
 			       tpml_digests->digests[i].digest.sha512,
-			       sizeof(TPMU_HA));
+			       SHA512_DIGEST_SIZE);
 			break;
 		case TPM_ALG_SM3_256:
 			memcpy(pcr_ext_cmd.digests.digests[i].digest.sm3_256,
 			       tpml_digests->digests[i].digest.sm3_256,
-			       sizeof(TPMU_HA));
+			       SM3_256_DIGEST_SIZE);
 			break;
 		}
 	}

To view, visit change 35287. To unsubscribe, or for help writing mail filters, visit settings.

Gerrit-Project: coreboot
Gerrit-Branch: master
Gerrit-Change-Id: Ic9101f157d5a19836b200ecd99f060de552498d2
Gerrit-Change-Number: 35287
Gerrit-PatchSet: 2
Gerrit-Owner: Jacob Garber <jgarber1@ualberta.ca>
Gerrit-Reviewer: David Hendricks <david.hendricks@gmail.com>
Gerrit-Reviewer: Frans Hendriks <fhendriks@eltan.com>
Gerrit-Reviewer: Jacob Garber <jgarber1@ualberta.ca>
Gerrit-Reviewer: Julius Werner <jwerner@chromium.org>
Gerrit-Reviewer: Kyösti Mälkki <kyosti.malkki@gmail.com>
Gerrit-Reviewer: Martin Roth <martinroth@google.com>
Gerrit-Reviewer: Patrick Georgi <pgeorgi@google.com>
Gerrit-Reviewer: Philipp Deppenwiese <zaolin.daisuki@gmail.com>
Gerrit-Reviewer: build bot (Jenkins) <no-reply@coreboot.org>
Gerrit-MessageType: merged