FAPI: validate eventlog size before first dereference in parse_eventlog#3077
Open
MarkLee131 wants to merge 1 commit intotpm2-software:masterfrom
Open
FAPI: validate eventlog size before first dereference in parse_eventlog#3077MarkLee131 wants to merge 1 commit intotpm2-software:masterfrom
MarkLee131 wants to merge 1 commit intotpm2-software:masterfrom
Conversation
Member
|
@MarkLee131 Thank you for the PR. Could you please sign the commits.
This ensures that the code will not break during your pull request. |
MarkLee131
force-pushed
the
fix/parse-eventlog-bound-check
branch
from
30fa3de to
8ec0573
Compare
parse_eventlog dereferences event->eventType (offset 4 of TCG_EVENT)
before validating that the input buffer is at least sizeof(TCG_EVENT)
bytes. Any caller that passes a buffer shorter than 8 bytes triggers
a heap OOB read on the first field access.
Public Fapi_GetEventLog is currently safe because file_to_buffer always
calloc(1, UINT16_MAX) and the offset-4 read lands on zero padding, but
the function-level invariant is wrong: parse_eventlog accepts a (buffer,
size) pair and uses size correctly later (for foreach_event2,
specid_event), only the first dereference skips the precondition check.
Add the up-front size check, matching the bound-check convention already
used throughout this file (lines 117, 124, 232, 250, 256, 269, 280, ...).
size == 0 is treated as "no events" (return true), matching the
existing idiom in foreach_sha1_log_event (line 295) and foreach_event2
(line 345); this preserves the /dev/null firmware-log case used by
fapi-quote-destructive-eventlog-null.
Reproduction (direct call into ifapi_tcg_eventlog_serialize with a
4-byte malloc, ASAN):
==ERROR: AddressSanitizer: heap-buffer-overflow ... READ of size 4
#0 parse_eventlog ifapi_eventlog_system.c:698
tpm2-software#1 ifapi_tcg_eventlog_serialize ifapi_json_eventlog_serialize.c:921
located 0 bytes after 4-byte region
Signed-off-by: MarkLee131 <kaixuan.li@ntu.edu.sg>
MarkLee131
force-pushed
the
fix/parse-eventlog-bound-check
branch
from
8ec0573 to
0cc51c0
Compare
Author
|
Hi @JuergenReppSIT, I have completed the requested updates, and all CI checks are now passing. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Fix #3076:
parse_eventlog dereferences event->eventType (offset 4 of TCG_EVENT) before validating that the input buffer is at least sizeof(TCG_EVENT) bytes. Any caller that passes a buffer shorter than 8 bytes triggers a heap OOB read on the first field access, including the empty-buffer case.
Public Fapi_GetEventLog is currently safe because file_to_buffer always calloc(1, UINT16_MAX) and the offset-4 read lands on zero padding, but the function-level invariant is wrong: parse_eventlog accepts a (buffer, size) pair and uses size correctly later (for foreach_event2, specid_event), only the first dereference skips the precondition check.
Add the up-front size check, matching the bound-check convention already used throughout this file (lines 117, 124, 232, 250, 256, 269, 280, ...).