fix(intel): update checking for memcpy and memset
Add checking on the size of source data does not exceed source size
when using memcpy and memset.
Add checking on the size of source data in FPGA Crypto Service does
not exceed the maximum of expected data size and does not meet the
minimum of expected data size.
Signed-off-by: Phui Kei Wong <phui.kei.wong@intel.com>
Signed-off-by: Jit Loon Lim <jit.loon.lim@intel.com>
Change-Id: Idb18f05c18d9142fbe703c3f4075341d179d8bad
diff --git a/plat/intel/soc/common/sip/socfpga_sip_fcs.c b/plat/intel/soc/common/sip/socfpga_sip_fcs.c
index d99026b..beaa720 100644
--- a/plat/intel/soc/common/sip/socfpga_sip_fcs.c
+++ b/plat/intel/soc/common/sip/socfpga_sip_fcs.c
@@ -1073,6 +1073,7 @@
uint32_t resp_len;
uint32_t payload[FCS_MAC_VERIFY_CMD_MAX_WORD_SIZE] = {0U};
uintptr_t mac_offset;
+ uint32_t dst_size_check = 0;
if (dst_size == NULL || mbox_error == NULL) {
return INTEL_SIP_SMC_STATUS_REJECTED;
@@ -1097,6 +1098,14 @@
return INTEL_SIP_SMC_STATUS_REJECTED;
}
+ dst_size_check = *dst_size;
+ if ((dst_size_check > FCS_MAX_DATA_SIZE ||
+ dst_size_check < FCS_MIN_DATA_SIZE) ||
+ (src_size > FCS_MAX_DATA_SIZE ||
+ src_size < FCS_MIN_DATA_SIZE)) {
+ return INTEL_SIP_SMC_STATUS_REJECTED;
+ }
+
resp_len = *dst_size / MBOX_WORD_BYTE;
/* Prepare crypto header */
@@ -1149,6 +1158,12 @@
FCS_CS_FIELD_FLAG_FINALIZE) {
/* Copy mac data to command */
mac_offset = src_addr + data_size;
+
+ if ((i + ((src_size - data_size) / MBOX_WORD_BYTE)) >
+ FCS_MAC_VERIFY_CMD_MAX_WORD_SIZE) {
+ return INTEL_SIP_SMC_STATUS_REJECTED;
+ }
+
memcpy((uint8_t *) &payload[i], (uint8_t *) mac_offset,
src_size - data_size);
@@ -1189,7 +1204,7 @@
uint32_t resp_len;
uint32_t payload[FCS_MAC_VERIFY_CMD_MAX_WORD_SIZE] = {0U};
uintptr_t mac_offset;
-
+ uint32_t dst_size_check = 0;
/*
* Source data must be 4 bytes aligned
* User data must be 8 bytes aligned
@@ -1214,6 +1229,14 @@
return INTEL_SIP_SMC_STATUS_REJECTED;
}
+ dst_size_check = *dst_size;
+ if ((dst_size_check > FCS_MAX_DATA_SIZE ||
+ dst_size_check < FCS_MIN_DATA_SIZE) ||
+ (src_size > FCS_MAX_DATA_SIZE ||
+ src_size < FCS_MIN_DATA_SIZE)) {
+ return INTEL_SIP_SMC_STATUS_REJECTED;
+ }
+
resp_len = *dst_size / MBOX_WORD_BYTE;
/* Prepare crypto header */
@@ -1269,6 +1292,12 @@
* mac_offset = MAC data
*/
mac_offset = dst_addr;
+
+ if ((i + ((src_size - data_size) / MBOX_WORD_BYTE)) >
+ FCS_MAC_VERIFY_CMD_MAX_WORD_SIZE) {
+ return INTEL_SIP_SMC_STATUS_REJECTED;
+ }
+
memcpy((uint8_t *) &payload[i], (uint8_t *) mac_offset,
src_size - data_size);
@@ -1316,6 +1345,7 @@
uint32_t payload[FCS_ECDSA_HASH_SIGN_CMD_MAX_WORD_SIZE] = {0U};
uint32_t resp_len;
uintptr_t hash_data_addr;
+ uint32_t dst_size_check = 0;
if ((dst_size == NULL) || (mbox_error == NULL)) {
return INTEL_SIP_SMC_STATUS_REJECTED;
@@ -1331,6 +1361,14 @@
return INTEL_SIP_SMC_STATUS_REJECTED;
}
+ dst_size_check = *dst_size;
+ if ((dst_size_check > FCS_MAX_DATA_SIZE ||
+ dst_size_check < FCS_MIN_DATA_SIZE) ||
+ (src_size > FCS_MAX_DATA_SIZE ||
+ src_size < FCS_MIN_DATA_SIZE)) {
+ return INTEL_SIP_SMC_STATUS_REJECTED;
+ }
+
resp_len = *dst_size / MBOX_WORD_BYTE;
/* Prepare command payload */
@@ -1357,6 +1395,12 @@
/* Hash Data */
i++;
hash_data_addr = src_addr;
+
+ if ((i + ((src_size) / MBOX_WORD_BYTE)) >
+ FCS_ECDSA_HASH_SIGN_CMD_MAX_WORD_SIZE) {
+ return INTEL_SIP_SMC_STATUS_REJECTED;
+ }
+
memcpy((uint8_t *) &payload[i], (uint8_t *) hash_data_addr,
src_size);
@@ -1400,6 +1444,7 @@
uint32_t payload[FCS_ECDSA_HASH_SIG_VERIFY_CMD_MAX_WORD_SIZE] = {0U};
uint32_t resp_len;
uintptr_t hash_sig_pubkey_addr;
+ uint32_t dst_size_check = 0;
if ((dst_size == NULL) || (mbox_error == NULL)) {
return INTEL_SIP_SMC_STATUS_REJECTED;
@@ -1415,6 +1460,14 @@
return INTEL_SIP_SMC_STATUS_REJECTED;
}
+ dst_size_check = *dst_size;
+ if ((dst_size_check > FCS_MAX_DATA_SIZE ||
+ dst_size_check < FCS_MIN_DATA_SIZE) ||
+ (src_size > FCS_MAX_DATA_SIZE ||
+ src_size < FCS_MIN_DATA_SIZE)) {
+ return INTEL_SIP_SMC_STATUS_REJECTED;
+ }
+
resp_len = *dst_size / MBOX_WORD_BYTE;
/* Prepare command payload */
@@ -1443,6 +1496,12 @@
/* Hash Data Word, Signature Data Word and Public Key Data word */
i++;
hash_sig_pubkey_addr = src_addr;
+
+ if ((i + ((src_size) / MBOX_WORD_BYTE)) >
+ FCS_ECDSA_HASH_SIG_VERIFY_CMD_MAX_WORD_SIZE) {
+ return INTEL_SIP_SMC_STATUS_REJECTED;
+ }
+
memcpy((uint8_t *) &payload[i],
(uint8_t *) hash_sig_pubkey_addr, src_size);
@@ -1690,6 +1749,7 @@
uint32_t payload[FCS_ECDSA_SHA2_DATA_SIG_VERIFY_CMD_MAX_WORD_SIZE] = {0U};
uint32_t resp_len;
uintptr_t sig_pubkey_offset;
+ uint32_t dst_size_check = 0;
if ((dst_size == NULL) || (mbox_error == NULL)) {
return INTEL_SIP_SMC_STATUS_REJECTED;
@@ -1700,6 +1760,10 @@
return INTEL_SIP_SMC_STATUS_REJECTED;
}
+ if (data_size > src_size) {
+ return INTEL_SIP_SMC_STATUS_REJECTED;
+ }
+
if (!is_size_4_bytes_aligned(src_size)) {
return INTEL_SIP_SMC_STATUS_REJECTED;
}
@@ -1714,6 +1778,14 @@
return INTEL_SIP_SMC_STATUS_REJECTED;
}
+ dst_size_check = *dst_size;
+ if ((dst_size_check > FCS_MAX_DATA_SIZE ||
+ dst_size_check < FCS_MIN_DATA_SIZE) ||
+ (src_size > FCS_MAX_DATA_SIZE ||
+ src_size < FCS_MIN_DATA_SIZE)) {
+ return INTEL_SIP_SMC_STATUS_REJECTED;
+ }
+
resp_len = *dst_size / MBOX_WORD_BYTE;
/* Prepare crypto header */
@@ -1761,6 +1833,12 @@
FCS_CS_FIELD_FLAG_FINALIZE) {
/* Signature + Public Key Data */
sig_pubkey_offset = src_addr + data_size;
+
+ if ((i + ((src_size - data_size) / MBOX_WORD_BYTE)) >
+ FCS_ECDSA_SHA2_DATA_SIG_VERIFY_CMD_MAX_WORD_SIZE) {
+ return INTEL_SIP_SMC_STATUS_REJECTED;
+ }
+
memcpy((uint8_t *) &payload[i], (uint8_t *) sig_pubkey_offset,
src_size - data_size);
@@ -1801,6 +1879,7 @@
uint32_t payload[FCS_ECDSA_SHA2_DATA_SIG_VERIFY_CMD_MAX_WORD_SIZE] = {0U};
uint32_t resp_len;
uintptr_t sig_pubkey_offset;
+ uint32_t dst_size_check = 0;
/*
* Source data must be 4 bytes aligned
@@ -1819,11 +1898,23 @@
return INTEL_SIP_SMC_STATUS_REJECTED;
}
+ if (data_size > src_size) {
+ return INTEL_SIP_SMC_STATUS_REJECTED;
+ }
+
if (!is_address_in_ddr_range(src_addr, src_size) ||
!is_address_in_ddr_range(dst_addr, *dst_size)) {
return INTEL_SIP_SMC_STATUS_REJECTED;
}
+ dst_size_check = *dst_size;
+ if ((dst_size_check > FCS_MAX_DATA_SIZE ||
+ dst_size_check < FCS_MIN_DATA_SIZE) ||
+ (src_size > FCS_MAX_DATA_SIZE ||
+ src_size < FCS_MIN_DATA_SIZE)) {
+ return INTEL_SIP_SMC_STATUS_REJECTED;
+ }
+
resp_len = *dst_size / MBOX_WORD_BYTE;
/* Prepare crypto header */
@@ -1874,6 +1965,12 @@
* sig_pubkey_offset is Signature + Public Key Data
*/
sig_pubkey_offset = dst_addr;
+
+ if ((i + ((src_size - data_size) / MBOX_WORD_BYTE)) >
+ FCS_ECDSA_SHA2_DATA_SIG_VERIFY_CMD_MAX_WORD_SIZE) {
+ return INTEL_SIP_SMC_STATUS_REJECTED;
+ }
+
memcpy((uint8_t *) &payload[i], (uint8_t *) sig_pubkey_offset,
src_size - data_size);
@@ -1990,11 +2087,13 @@
uint32_t payload[FCS_ECDH_REQUEST_CMD_MAX_WORD_SIZE] = {0U};
uint32_t resp_len;
uintptr_t pubkey;
+ uint32_t dst_size_check = 0;
if ((dst_size == NULL) || (mbox_error == NULL)) {
return INTEL_SIP_SMC_STATUS_REJECTED;
}
+
if (fcs_ecdh_request_param.session_id != session_id ||
fcs_ecdh_request_param.context_id != context_id) {
return INTEL_SIP_SMC_STATUS_REJECTED;
@@ -2005,6 +2104,14 @@
return INTEL_SIP_SMC_STATUS_REJECTED;
}
+ dst_size_check = *dst_size;
+ if ((dst_size_check > FCS_MAX_DATA_SIZE ||
+ dst_size_check < FCS_MIN_DATA_SIZE) ||
+ (src_size > FCS_MAX_DATA_SIZE ||
+ src_size < FCS_MIN_DATA_SIZE)) {
+ return INTEL_SIP_SMC_STATUS_REJECTED;
+ }
+
resp_len = *dst_size / MBOX_WORD_BYTE;
/* Prepare command payload */
@@ -2028,6 +2135,12 @@
i++;
/* Public key data */
pubkey = src_addr;
+
+ if ((i + ((src_size) / MBOX_WORD_BYTE)) >
+ FCS_ECDH_REQUEST_CMD_MAX_WORD_SIZE) {
+ return INTEL_SIP_SMC_STATUS_REJECTED;
+ }
+
memcpy((uint8_t *) &payload[i], (uint8_t *) pubkey, src_size);
i += src_size / MBOX_WORD_BYTE;
@@ -2162,6 +2275,11 @@
fcs_aes_crypt_payload[i] = fcs_aes_init_payload.key_id;
i++;
+ if ((i + ((fcs_aes_init_payload.param_size) / MBOX_WORD_BYTE)) >
+ FCS_AES_CMD_MAX_WORD_SIZE) {
+ return INTEL_SIP_SMC_STATUS_REJECTED;
+ }
+
memcpy((uint8_t *) &fcs_aes_crypt_payload[i],
(uint8_t *) fcs_aes_init_payload.crypto_param,
fcs_aes_init_payload.param_size);