fix(intel): update checking for memcpy and memset Add checking on the size of source data does not exceed source size when using memcpy and memset. Add checking on the size of source data in FPGA Crypto Service does not exceed the maximum of expected data size and does not meet the minimum of expected data size. Signed-off-by: Phui Kei Wong <phui.kei.wong@intel.com> Signed-off-by: Jit Loon Lim <jit.loon.lim@intel.com> Change-Id: Idb18f05c18d9142fbe703c3f4075341d179d8bad

commit: 581ad47837a6997ccb8d9987e8ae9edd1a0e156a [log] [tgz]
author: Jit Loon Lim <jit.loon.lim@intel.com> Wed May 17 12:26:11 2023 +0800
committer: Jit Loon Lim <jit.loon.lim@intel.com> Tue May 23 21:09:01 2023 +0800
tree: f12d36c6b90cfb82d0a9796af62f49ddca446325
parent: 151b396a1565a6d248c214ee3f63d6ec611a4018 [diff]
diff --git a/plat/intel/soc/common/include/socfpga_fcs.h b/plat/intel/soc/common/include/socfpga_fcs.h
index 8a8f348..6bb70e0 100644
--- a/plat/intel/soc/common/include/socfpga_fcs.h
+++ b/plat/intel/soc/common/include/socfpga_fcs.h

@@ -72,6 +72,9 @@
 #define FCS_AES_MIN_DATA_SIZE					0x20		/* 32 Byte */
 #define FCS_AES_CMD_MAX_WORD_SIZE				15U
 
+#define FCS_MAX_DATA_SIZE					0x20000000	/* 512 MB */
+#define FCS_MIN_DATA_SIZE					0x8	/* 8 Bytes */
+
 #define FCS_GET_DIGEST_CMD_MAX_WORD_SIZE			7U
 #define FCS_GET_DIGEST_RESP_MAX_WORD_SIZE			19U
 #define FCS_MAC_VERIFY_CMD_MAX_WORD_SIZE			23U

diff --git a/plat/intel/soc/common/sip/socfpga_sip_fcs.c b/plat/intel/soc/common/sip/socfpga_sip_fcs.c
index d99026b..beaa720 100644
--- a/plat/intel/soc/common/sip/socfpga_sip_fcs.c
+++ b/plat/intel/soc/common/sip/socfpga_sip_fcs.c

@@ -1073,6 +1073,7 @@
 	uint32_t resp_len;
 	uint32_t payload[FCS_MAC_VERIFY_CMD_MAX_WORD_SIZE] = {0U};
 	uintptr_t mac_offset;
+	uint32_t dst_size_check = 0;
 
 	if (dst_size == NULL || mbox_error == NULL) {
 		return INTEL_SIP_SMC_STATUS_REJECTED;
@@ -1097,6 +1098,14 @@
 		return INTEL_SIP_SMC_STATUS_REJECTED;
 	}
 
+	dst_size_check = *dst_size;
+	if ((dst_size_check > FCS_MAX_DATA_SIZE ||
+		dst_size_check < FCS_MIN_DATA_SIZE) ||
+		(src_size > FCS_MAX_DATA_SIZE ||
+		src_size < FCS_MIN_DATA_SIZE)) {
+		return INTEL_SIP_SMC_STATUS_REJECTED;
+	}
+
 	resp_len = *dst_size / MBOX_WORD_BYTE;
 
 	/* Prepare crypto header */
@@ -1149,6 +1158,12 @@
 		FCS_CS_FIELD_FLAG_FINALIZE) {
 		/* Copy mac data to command */
 		mac_offset = src_addr + data_size;
+
+		if ((i + ((src_size - data_size) / MBOX_WORD_BYTE)) >
+			FCS_MAC_VERIFY_CMD_MAX_WORD_SIZE) {
+			return INTEL_SIP_SMC_STATUS_REJECTED;
+		}
+
 		memcpy((uint8_t *) &payload[i], (uint8_t *) mac_offset,
 		src_size - data_size);
 
@@ -1189,7 +1204,7 @@
 	uint32_t resp_len;
 	uint32_t payload[FCS_MAC_VERIFY_CMD_MAX_WORD_SIZE] = {0U};
 	uintptr_t mac_offset;
-
+	uint32_t dst_size_check = 0;
 	/*
 	 * Source data must be 4 bytes aligned
 	 * User data must be 8 bytes aligned
@@ -1214,6 +1229,14 @@
 		return INTEL_SIP_SMC_STATUS_REJECTED;
 	}
 
+	dst_size_check = *dst_size;
+	if ((dst_size_check > FCS_MAX_DATA_SIZE ||
+		dst_size_check < FCS_MIN_DATA_SIZE) ||
+		(src_size > FCS_MAX_DATA_SIZE ||
+		src_size < FCS_MIN_DATA_SIZE)) {
+		return INTEL_SIP_SMC_STATUS_REJECTED;
+	}
+
 	resp_len = *dst_size / MBOX_WORD_BYTE;
 
 	/* Prepare crypto header */
@@ -1269,6 +1292,12 @@
 		 * mac_offset = MAC data
 		 */
 		mac_offset = dst_addr;
+
+		if ((i + ((src_size - data_size) / MBOX_WORD_BYTE)) >
+			FCS_MAC_VERIFY_CMD_MAX_WORD_SIZE) {
+			return INTEL_SIP_SMC_STATUS_REJECTED;
+		}
+
 		memcpy((uint8_t *) &payload[i], (uint8_t *) mac_offset,
 		src_size - data_size);
 
@@ -1316,6 +1345,7 @@
 	uint32_t payload[FCS_ECDSA_HASH_SIGN_CMD_MAX_WORD_SIZE] = {0U};
 	uint32_t resp_len;
 	uintptr_t hash_data_addr;
+	uint32_t dst_size_check = 0;
 
 	if ((dst_size == NULL) || (mbox_error == NULL)) {
 		return INTEL_SIP_SMC_STATUS_REJECTED;
@@ -1331,6 +1361,14 @@
 		return INTEL_SIP_SMC_STATUS_REJECTED;
 	}
 
+	dst_size_check = *dst_size;
+	if ((dst_size_check > FCS_MAX_DATA_SIZE ||
+		dst_size_check < FCS_MIN_DATA_SIZE) ||
+		(src_size > FCS_MAX_DATA_SIZE ||
+		src_size < FCS_MIN_DATA_SIZE)) {
+		return INTEL_SIP_SMC_STATUS_REJECTED;
+	}
+
 	resp_len = *dst_size / MBOX_WORD_BYTE;
 
 	/* Prepare command payload */
@@ -1357,6 +1395,12 @@
 	/* Hash Data */
 	i++;
 	hash_data_addr = src_addr;
+
+	if ((i + ((src_size) / MBOX_WORD_BYTE)) >
+		FCS_ECDSA_HASH_SIGN_CMD_MAX_WORD_SIZE) {
+		return INTEL_SIP_SMC_STATUS_REJECTED;
+	}
+
 	memcpy((uint8_t *) &payload[i], (uint8_t *) hash_data_addr,
 			src_size);
 
@@ -1400,6 +1444,7 @@
 	uint32_t payload[FCS_ECDSA_HASH_SIG_VERIFY_CMD_MAX_WORD_SIZE] = {0U};
 	uint32_t resp_len;
 	uintptr_t hash_sig_pubkey_addr;
+	uint32_t dst_size_check = 0;
 
 	if ((dst_size == NULL) || (mbox_error == NULL)) {
 		return INTEL_SIP_SMC_STATUS_REJECTED;
@@ -1415,6 +1460,14 @@
 		return INTEL_SIP_SMC_STATUS_REJECTED;
 	}
 
+	dst_size_check = *dst_size;
+	if ((dst_size_check > FCS_MAX_DATA_SIZE ||
+		dst_size_check < FCS_MIN_DATA_SIZE) ||
+		(src_size > FCS_MAX_DATA_SIZE ||
+		src_size < FCS_MIN_DATA_SIZE)) {
+		return INTEL_SIP_SMC_STATUS_REJECTED;
+	}
+
 	resp_len = *dst_size / MBOX_WORD_BYTE;
 
 	/* Prepare command payload */
@@ -1443,6 +1496,12 @@
 	/* Hash Data Word, Signature Data Word and Public Key Data word */
 	i++;
 	hash_sig_pubkey_addr = src_addr;
+
+	if ((i + ((src_size) / MBOX_WORD_BYTE)) >
+		FCS_ECDSA_HASH_SIG_VERIFY_CMD_MAX_WORD_SIZE) {
+		return INTEL_SIP_SMC_STATUS_REJECTED;
+	}
+
 	memcpy((uint8_t *) &payload[i],
 			(uint8_t *) hash_sig_pubkey_addr, src_size);
 
@@ -1690,6 +1749,7 @@
 	uint32_t payload[FCS_ECDSA_SHA2_DATA_SIG_VERIFY_CMD_MAX_WORD_SIZE] = {0U};
 	uint32_t resp_len;
 	uintptr_t sig_pubkey_offset;
+	uint32_t dst_size_check = 0;
 
 	if ((dst_size == NULL) || (mbox_error == NULL)) {
 		return INTEL_SIP_SMC_STATUS_REJECTED;
@@ -1700,6 +1760,10 @@
 		return INTEL_SIP_SMC_STATUS_REJECTED;
 	}
 
+	if (data_size > src_size) {
+		return INTEL_SIP_SMC_STATUS_REJECTED;
+	}
+
 	if (!is_size_4_bytes_aligned(src_size)) {
 		return INTEL_SIP_SMC_STATUS_REJECTED;
 	}
@@ -1714,6 +1778,14 @@
 		return INTEL_SIP_SMC_STATUS_REJECTED;
 	}
 
+	dst_size_check = *dst_size;
+	if ((dst_size_check > FCS_MAX_DATA_SIZE ||
+		dst_size_check < FCS_MIN_DATA_SIZE) ||
+		(src_size > FCS_MAX_DATA_SIZE ||
+		src_size < FCS_MIN_DATA_SIZE)) {
+		return INTEL_SIP_SMC_STATUS_REJECTED;
+	}
+
 	resp_len = *dst_size / MBOX_WORD_BYTE;
 
 	/* Prepare crypto header */
@@ -1761,6 +1833,12 @@
 		FCS_CS_FIELD_FLAG_FINALIZE) {
 		/* Signature + Public Key Data */
 		sig_pubkey_offset = src_addr + data_size;
+
+		if ((i + ((src_size - data_size) / MBOX_WORD_BYTE)) >
+			FCS_ECDSA_SHA2_DATA_SIG_VERIFY_CMD_MAX_WORD_SIZE) {
+			return INTEL_SIP_SMC_STATUS_REJECTED;
+		}
+
 		memcpy((uint8_t *) &payload[i], (uint8_t *) sig_pubkey_offset,
 			src_size - data_size);
 
@@ -1801,6 +1879,7 @@
 	uint32_t payload[FCS_ECDSA_SHA2_DATA_SIG_VERIFY_CMD_MAX_WORD_SIZE] = {0U};
 	uint32_t resp_len;
 	uintptr_t sig_pubkey_offset;
+	uint32_t dst_size_check = 0;
 
 	/*
 	 * Source data must be 4 bytes aligned
@@ -1819,11 +1898,23 @@
 		return INTEL_SIP_SMC_STATUS_REJECTED;
 	}
 
+	if (data_size > src_size) {
+		return INTEL_SIP_SMC_STATUS_REJECTED;
+	}
+
 	if (!is_address_in_ddr_range(src_addr, src_size) ||
 		!is_address_in_ddr_range(dst_addr, *dst_size)) {
 		return INTEL_SIP_SMC_STATUS_REJECTED;
 	}
 
+	dst_size_check = *dst_size;
+	if ((dst_size_check > FCS_MAX_DATA_SIZE ||
+		dst_size_check < FCS_MIN_DATA_SIZE) ||
+		(src_size > FCS_MAX_DATA_SIZE ||
+		src_size < FCS_MIN_DATA_SIZE)) {
+		return INTEL_SIP_SMC_STATUS_REJECTED;
+	}
+
 	resp_len = *dst_size / MBOX_WORD_BYTE;
 
 	/* Prepare crypto header */
@@ -1874,6 +1965,12 @@
 		 * sig_pubkey_offset is Signature + Public Key Data
 		 */
 		sig_pubkey_offset = dst_addr;
+
+		if ((i + ((src_size - data_size) / MBOX_WORD_BYTE)) >
+			FCS_ECDSA_SHA2_DATA_SIG_VERIFY_CMD_MAX_WORD_SIZE) {
+			return INTEL_SIP_SMC_STATUS_REJECTED;
+		}
+
 		memcpy((uint8_t *) &payload[i], (uint8_t *) sig_pubkey_offset,
 			src_size - data_size);
 
@@ -1990,11 +2087,13 @@
 	uint32_t payload[FCS_ECDH_REQUEST_CMD_MAX_WORD_SIZE] = {0U};
 	uint32_t resp_len;
 	uintptr_t pubkey;
+	uint32_t dst_size_check = 0;
 
 	if ((dst_size == NULL) || (mbox_error == NULL)) {
 		return INTEL_SIP_SMC_STATUS_REJECTED;
 	}
 
+
 	if (fcs_ecdh_request_param.session_id != session_id ||
 		fcs_ecdh_request_param.context_id != context_id) {
 		return INTEL_SIP_SMC_STATUS_REJECTED;
@@ -2005,6 +2104,14 @@
 		return INTEL_SIP_SMC_STATUS_REJECTED;
 	}
 
+	dst_size_check = *dst_size;
+	if ((dst_size_check > FCS_MAX_DATA_SIZE ||
+		dst_size_check < FCS_MIN_DATA_SIZE) ||
+		(src_size > FCS_MAX_DATA_SIZE ||
+		src_size < FCS_MIN_DATA_SIZE)) {
+		return INTEL_SIP_SMC_STATUS_REJECTED;
+	}
+
 	resp_len = *dst_size / MBOX_WORD_BYTE;
 
 	/* Prepare command payload */
@@ -2028,6 +2135,12 @@
 	i++;
 	/* Public key data */
 	pubkey = src_addr;
+
+	if ((i + ((src_size) / MBOX_WORD_BYTE)) >
+		FCS_ECDH_REQUEST_CMD_MAX_WORD_SIZE) {
+		return INTEL_SIP_SMC_STATUS_REJECTED;
+	}
+
 	memcpy((uint8_t *) &payload[i], (uint8_t *) pubkey, src_size);
 	i += src_size / MBOX_WORD_BYTE;
 
@@ -2162,6 +2275,11 @@
 		fcs_aes_crypt_payload[i] = fcs_aes_init_payload.key_id;
 		i++;
 
+		if ((i + ((fcs_aes_init_payload.param_size) / MBOX_WORD_BYTE)) >
+			FCS_AES_CMD_MAX_WORD_SIZE) {
+			return INTEL_SIP_SMC_STATUS_REJECTED;
+		}
+
 		memcpy((uint8_t *) &fcs_aes_crypt_payload[i],
 			(uint8_t *) fcs_aes_init_payload.crypto_param,
 			fcs_aes_init_payload.param_size);

diff --git a/plat/intel/soc/common/soc/socfpga_handoff.c b/plat/intel/soc/common/soc/socfpga_handoff.c
index 4bb3a96..a3146b4 100644
--- a/plat/intel/soc/common/soc/socfpga_handoff.c
+++ b/plat/intel/soc/common/soc/socfpga_handoff.c

@@ -4,6 +4,7 @@
  * SPDX-License-Identifier: BSD-3-Clause
  */
 
+#include <errno.h>
 #include <string.h>
 
 #include "socfpga_handoff.h"
@@ -17,6 +18,10 @@
 	uint32_t *buffer;
 	handoff *handoff_ptr = (handoff *) PLAT_HANDOFF_OFFSET;
 
+	if (sizeof(*handoff_ptr) > sizeof(handoff)) {
+		return -EOVERFLOW;
+	}
+
 	memcpy(reverse_hoff_ptr, handoff_ptr, sizeof(handoff));
 	buffer = (uint32_t *)reverse_hoff_ptr;
 

diff --git a/plat/intel/soc/common/soc/socfpga_mailbox.c b/plat/intel/soc/common/soc/socfpga_mailbox.c
index 7010d81..4a9f676 100644
--- a/plat/intel/soc/common/soc/socfpga_mailbox.c
+++ b/plat/intel/soc/common/soc/socfpga_mailbox.c

@@ -183,6 +183,7 @@
 	uint32_t resp_data;
 	uint32_t ret_resp_len = 0;
 	uint8_t is_done = 0;
+	uint32_t resp_len_check = 0;
 
 	if ((mailbox_resp_ctr.flag & MBOX_PAYLOAD_FLAG_BUSY) != 0) {
 		ret_resp_len = MBOX_RESP_LEN(
@@ -242,6 +243,12 @@
 				*resp_len = ret_resp_len;
 			}
 
+			resp_len_check = (uint32_t) *resp_len;
+
+			if (resp_len_check > MBOX_DATA_MAX_LEN) {
+				return MBOX_RET_ERROR;
+			}
+
 			memcpy((uint8_t *) response,
 				(uint8_t *) mailbox_resp_ctr.payload->data,
 				*resp_len * MBOX_WORD_BYTE);

diff --git a/plat/intel/soc/common/socfpga_sip_svc.c b/plat/intel/soc/common/socfpga_sip_svc.c
index 79f743f..3aa5d6e 100644
--- a/plat/intel/soc/common/socfpga_sip_svc.c
+++ b/plat/intel/soc/common/socfpga_sip_svc.c

@@ -443,6 +443,10 @@
 
 static uint32_t intel_rsu_update(uint64_t update_address)
 {
+	if (update_address > SIZE_MAX) {
+		return INTEL_SIP_SMC_STATUS_REJECTED;
+	}
+
 	intel_rsu_update_address = update_address;
 	return INTEL_SIP_SMC_STATUS_OK;
 }
commit	581ad47837a6997ccb8d9987e8ae9edd1a0e156a	[log] [tgz]
author	Jit Loon Lim <jit.loon.lim@intel.com>	Wed May 17 12:26:11 2023 +0800
committer	Jit Loon Lim <jit.loon.lim@intel.com>	Tue May 23 21:09:01 2023 +0800
tree	f12d36c6b90cfb82d0a9796af62f49ddca446325
parent	151b396a1565a6d248c214ee3f63d6ec611a4018 [diff]