authorPierre-Clément Tosi <ptosi@google.com>2022-04-22 10:01:43 +0100
committerPierre-Clément Tosi <ptosi@google.com>2022-04-22 17:45:56 +0100
commit42ea76e410513cc47c1bb3e939df82b7ef30a8b4 (patch)
treecd900a5fa8d6887064765829a253262470dcab23
parent240b1249073c572ed8d2aedfdcbbf49aa10ac813 (diff)
downloadu-boot-42ea76e410513cc47c1bb3e939df82b7ef30a8b4.tar.gz
ANDROID: pvmfw: Prevent OOB through underflow
Verify that the size of the AVB-signed image (received from the VMM through the registers at boot) is large enough to contain the necessary AVB footer, which has to be accessed to locate the VBMeta image and obtain the actual size of the image that was signed. This removes a potential OOB access in alloc_avb_ops() when: const void *avb_footer = image + size - AVB_FOOTER_SIZE; if size < AVB_FOOTER_SIZE. Bug: 229963796 Change-Id: I238f30c6921ee49db1b0d36487c77c34b2f6bb0d
-rw-r--r--board/android/pvmfw-arm64/boot.c3
1 files changed, 2 insertions, 1 deletions
diff --git a/board/android/pvmfw-arm64/boot.c b/board/android/pvmfw-arm64/boot.c
index 0febd72f18..6fdb124460 100644
--- a/board/android/pvmfw-arm64/boot.c
+++ b/board/android/pvmfw-arm64/boot.c
@@ -156,7 +156,8 @@ static struct AvbOps *alloc_avb_ops(void *image, size_t size)
if (!ops)
return NULL;
- if (!avb_footer_validate_and_byteswap(avb_footer, &footer) ||
+ if (size < AVB_FOOTER_SIZE ||
+ !avb_footer_validate_and_byteswap(avb_footer, &footer) ||
!is_valid_ram_region(image, footer.original_image_size) ||
!is_valid_ram_region(image + footer.vbmeta_offset, VBMETA_MAX_SIZE))
goto free_ops;
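Review bot: The new `size < AVB_FOOTER_SIZE` test stops the footer from being read, but going by the commit message `avb_footer` is still computed as `image + size - AVB_FOOTER_SIZE` before this condition, in the part of alloc_avb_ops() that lies outside the hunk. Forming that out-of-range pointer is undefined behaviour in C even if it is never dereferenced, so it would be cleaner to reject a short `size` first and assign `avb_footer` only afterwards. Separately, the two is_valid_ram_region() calls appear to bound `footer.original_image_size` and `footer.vbmeta_offset` against RAM rather than against the `size` received from the VMM. If that helper does not already guarantee it, an extra condition such as `footer.original_image_size > size - AVB_FOOTER_SIZE ||` would keep the footer-supplied values inside the buffer that was actually handed over. A comment such as `/* size is supplied by the VMM and untrusted; the footer occupies the last AVB_FOOTER_SIZE bytes */` above the condition would record why the size test has to come first.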