Measured boot: Limit output param sizes to buffer size
The measured boot read API receives requested output parameter sizes
from the caller via the iovec out_size and passes them to the internal
API as the buffer size for the parameters.
However, the caller could send a requested size much larger than the size of
the local buffer. In theory, that could lead to the internal API writing
past the end of the local buffer, but it cannot happen in practice
because the local buffer is large enough for the largest response.
Even so, it is good practice to sanitise parameters from the untrusted
caller to guarantee that buffer overrun will not happen, so this patch
limits the sizes to the buffer size.
Signed-off-by: Jamie Fox <jamie.fox@arm.com>
Change-Id: I2fa260297f4c6088a8cdf4f5e940cdd3d00ae9e8
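As an added illustration of the pattern the commit describes (not TF-M's code; every name, status code, buffer size and the sample measurement data below are hypothetical stand-ins for the partition's own), here is a small request manager that validates the caller's input iovec size, clamps the caller-supplied output sizes to its stack buffers, and only then hands those sizes to an internal read API that, like the real one, trusts whatever buffer size it is told:

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical local buffer sizes; the real values live in the partition. */
#define SIGNER_ID_BUF_SIZE    64
#define MEASUREMENT_BUF_SIZE  64

/* Same shape as the macro in the patch: evaluates each argument twice,
 * so only pass side-effect-free expressions. */
#define MIN(x, y) (((x) < (y)) ? (x) : (y))

enum {
    STATUS_SUCCESS          =  0,
    STATUS_INVALID_ARGUMENT = -1,
    STATUS_BUFFER_TOO_SMALL = -2,
};

/* Mock of the input iovec the caller must send (two bytes). */
struct read_iovec_in {
    uint8_t index;
    uint8_t sw_type_size;
};

/* Hypothetical view of the message: every size field is caller-controlled. */
struct read_request {
    size_t in_size;      /* size of in_vec[0] */
    size_t out_size[3];  /* [1] = signer id buffer, [2] = measurement buffer */
};

struct read_result {
    int32_t status;
    size_t passed_signer_id_size;    /* what the internal API was told */
    size_t passed_measurement_size;
    size_t signer_id_len;            /* what it actually produced */
    size_t measurement_len;
};

/* Constructed sample data standing in for the measurement store. */
static const uint8_t stored_signer_id[32]   = { 0xAA, 0xBB, 0xCC };
static const uint8_t stored_measurement[48] = { 0x11, 0x22, 0x33 };

/* Internal read API: trusts the buffer sizes it is given, as the real one
 * does, but fails rather than overrun when the stored value does not fit. */
static int32_t internal_read(uint8_t *signer_id, size_t signer_id_size,
                             size_t *signer_id_len,
                             uint8_t *measurement, size_t measurement_size,
                             size_t *measurement_len)
{
    if (sizeof(stored_signer_id) > signer_id_size ||
        sizeof(stored_measurement) > measurement_size) {
        return STATUS_BUFFER_TOO_SMALL;
    }
    memcpy(signer_id, stored_signer_id, sizeof(stored_signer_id));
    memcpy(measurement, stored_measurement, sizeof(stored_measurement));
    *signer_id_len = sizeof(stored_signer_id);
    *measurement_len = sizeof(stored_measurement);
    return STATUS_SUCCESS;
}

/* Request manager: checks the input size, clamps the requested output
 * sizes to the local buffers, then calls the internal API. */
static struct read_result handle_read(const struct read_request *msg)
{
    uint8_t signer_id[SIGNER_ID_BUF_SIZE];
    uint8_t measurement[MEASUREMENT_BUF_SIZE];
    struct read_result r = { STATUS_SUCCESS, 0, 0, 0, 0 };

    if (msg->in_size != sizeof(struct read_iovec_in)) {
        r.status = STATUS_INVALID_ARGUMENT;
        return r;
    }

    /* The caller may ask for 4 KiB; the internal API is still only ever
     * told the stack buffers' real sizes. sizeof() is right here only
     * because signer_id and measurement are arrays, not pointers. */
    r.passed_signer_id_size   = MIN(msg->out_size[1], sizeof(signer_id));
    r.passed_measurement_size = MIN(msg->out_size[2], sizeof(measurement));

    r.status = internal_read(signer_id, r.passed_signer_id_size,
                             &r.signer_id_len,
                             measurement, r.passed_measurement_size,
                             &r.measurement_len);
    return r;
}

/* Builds a request from caller-chosen sizes and runs it. */
static struct read_result read_with(size_t in_size, size_t signer_id_req,
                                    size_t measurement_req)
{
    struct read_request msg = { in_size, { 0, signer_id_req, measurement_req } };
    return handle_read(&msg);
}

int main(void)
{
    struct read_result r = read_with(sizeof(struct read_iovec_in), 4096, 4096);
    printf("status=%d signer_id_size=%zu measurement_size=%zu\n",
           (int)r.status, r.passed_signer_id_size, r.passed_measurement_size);
    return 0;
}
```

With a 4096-byte request for each output, the internal API is told 64 bytes for both buffers, which is the whole point of the clamp: the value an untrusted caller puts in the iovec never becomes the bound the internal code writes up to. A request smaller than the stored value is refused by the internal API rather than truncated, and a malformed input iovec is rejected before any size is used.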
diff --git a/partitions/measured_boot/measured_boot_req_mngr.c b/partitions/measured_boot/measured_boot_req_mngr.c
index c248136..8f27536 100644
--- a/partitions/measured_boot/measured_boot_req_mngr.c
+++ b/partitions/measured_boot/measured_boot_req_mngr.c
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2022, Arm Limited. All rights reserved.
+ * Copyright (c) 2022-2023, Arm Limited. All rights reserved.
*
* SPDX-License-Identifier: BSD-3-Clause
*
@@ -15,6 +15,8 @@
#include "psa/crypto.h"
#include "psa_manifest/tfm_measured_boot.h"
+#define MIN(x, y) (((x) < (y)) ? (x) : (y))
+
/* TODO: This info will be used later on as input to decide access control */
static int32_t g_measured_boot_caller_id;
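Review bot: the MIN macro added in this hunk evaluates both of its arguments twice, so any future call site that passes an expression with side effects (a function call, `i++`) would execute it twice; the two uses in this patch pass plain lvalues and sizeof, which is safe, but a one-line comment on the macro saying so would prevent misuse. Since it is an unguarded definition of a very common name, consider also wrapping it in `#ifndef MIN` / `#endif` so the file does not fail to build if one of the included headers already provides MIN.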
@@ -32,8 +34,9 @@
/* store the client ID here for later use in service */
g_measured_boot_caller_id = msg->client_id;
- signer_id_size = msg->out_size[1];
- measurement_value_size = msg->out_size[2];
+ /* Limit requested sizes to the size of the local buffers */
+ signer_id_size = MIN(msg->out_size[1], sizeof(signer_id));
+ measurement_value_size = MIN(msg->out_size[2], sizeof(measurement_value));
/* Check input parameter */
if ((msg->in_size[0] != sizeof(struct measured_boot_read_iovec_in_t)) ||
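Review bot: the clamp in this hunk is only correct if signer_id and measurement_value are declared as arrays in this function, since `sizeof(signer_id)` on a pointer would silently clamp the requested size to the pointer width (4 or 8 bytes) rather than to the buffer length; the declarations are outside the visible context, so please confirm they are arrays and consider a comment next to the MIN lines that says the sizes are the local array sizes. One further ordering point: the requested sizes are now sanitised before the `/* Check input parameter */` block that follows; it is harmless, but moving the two MIN lines after the input check would keep all validation of the caller's message in one place and avoid computing sizes for a request that is about to be rejected.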