commit a286b57f1721af215ace318d5807e63f40186df6
author Etienne Carriere <etienne.carriere@foss.st.com> Wed Jun 28 14:30:19 2023 +0200
committer Jérôme Forissier <jerome@forissier.org> Wed Jun 28 15:57:22 2023 +0200
tree fe7041568b6f67583f6719d764457027504cbd3a
parent 232dfd28c6295d12c34df861bed1e6f8caf9ab3b

regression_4006: fix fuzzing shared memory content

Explicit uses the stack to refer to attribute TEE_ATTR_RSA_OAEP_MGF_HASH
passed to the crypt TA in tests regression 4006.37 and 4006.38 as
the current implementation makes to TA to see an uninitialized buffer
reference.

Link: https://github.com/OP-TEE/optee_os/issues/6143
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Signed-off-by: Etienne Carriere <etienne.carriere@foss.st.com>

host/xtest/regression_4000.c

diff --git a/host/xtest/regression_4000.c b/host/xtest/regression_4000.c
index 505c981..883c560 100644
--- a/host/xtest/regression_4000.c
+++ b/host/xtest/regression_4000.c
@@ -3832,6 +3832,7 @@
 	uint32_t pub_key_type = 0;
 	uint32_t priv_key_type = 0;
 	uint32_t hash_algo = 0;
+	uint32_t sha1_algo_id = TEE_ALG_SHA1;
 
 	if (!ADBG_EXPECT_TEEC_SUCCESS(c,
 		xtest_teec_open_session(&session, &crypt_user_ta_uuid, NULL,
@@ -4132,9 +4133,9 @@
 				algo_params[0].attributeID =
 					TEE_ATTR_RSA_OAEP_MGF_HASH;
 				algo_params[0].content.ref.length =
-					sizeof(uint32_t);
+					sizeof(sha1_algo_id);
 				algo_params[0].content.ref.buffer =
-					&(uint32_t){TEE_ALG_SHA1};
+					&sha1_algo_id;
 				num_algo_params = 1;
 			}