security/tpm: Use correct hash digest lengths

TPMU_HA is a union of all the different hash digests, and so
sizeof(TPMU_HA) evaluates to 64 (the size of the largest one). This will
lead to out-of-bounds writes when copying smaller digests, so use the
specific digest size for each algorithm.

Change-Id: Ic9101f157d5a19836b200ecd99f060de552498d2
Signed-off-by: Jacob Garber <jgarber1@ualberta.ca>
Found-by: Coverity CID 14049{49,50,51,52,53,54,55,56,57,58,60,61,62}
Reviewed-on: https://review.coreboot.org/c/coreboot/+/35287
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Julius Werner <jwerner@chromium.org>
Reviewed-by: Kyösti Mälkki <kyosti.malkki@gmail.com>
Reviewed-by: Philipp Deppenwiese <zaolin.daisuki@gmail.com>
Jacob Garber 2019-09-06 13:29:33 -06:00 committed by Philipp Deppenwiese
parent 5f1786fc9c
commit c563d34fc1
2 changed files with 7 additions and 7 deletions


@ -219,12 +219,12 @@ uint32_t tpm_extend_pcr(int pcr, enum vb2_hash_algorithm digest_algo,
case VB2_HASH_SHA1: case VB2_HASH_SHA1:
tpml_digests.digests[0].hashAlg = TPM_ALG_SHA1; tpml_digests.digests[0].hashAlg = TPM_ALG_SHA1;
memcpy(tpml_digests.digests[0].digest.sha1, memcpy(tpml_digests.digests[0].digest.sha1,
digest, sizeof(TPMU_HA)); digest, SHA1_DIGEST_SIZE);
break; break;
case VB2_HASH_SHA256: case VB2_HASH_SHA256:
tpml_digests.digests[0].hashAlg = TPM_ALG_SHA256; tpml_digests.digests[0].hashAlg = TPM_ALG_SHA256;
memcpy(tpml_digests.digests[0].digest.sha256, memcpy(tpml_digests.digests[0].digest.sha256,
digest, sizeof(TPMU_HA)); digest, SHA256_DIGEST_SIZE);
break; break;
default: default:
return TPM_E_IOERROR; return TPM_E_IOERROR;


@ -148,27 +148,27 @@ uint32_t tlcl_extend(int pcr_num, const uint8_t *in_digest,
case TPM_ALG_SHA1: case TPM_ALG_SHA1:
memcpy(pcr_ext_cmd.digests.digests[i].digest.sha1, memcpy(pcr_ext_cmd.digests.digests[i].digest.sha1,
tpml_digests->digests[i].digest.sha1, tpml_digests->digests[i].digest.sha1,
sizeof(TPMU_HA)); SHA1_DIGEST_SIZE);
break; break;
case TPM_ALG_SHA256: case TPM_ALG_SHA256:
memcpy(pcr_ext_cmd.digests.digests[i].digest.sha256, memcpy(pcr_ext_cmd.digests.digests[i].digest.sha256,
tpml_digests->digests[i].digest.sha256, tpml_digests->digests[i].digest.sha256,
sizeof(TPMU_HA)); SHA256_DIGEST_SIZE);
break; break;
case TPM_ALG_SHA384: case TPM_ALG_SHA384:
memcpy(pcr_ext_cmd.digests.digests[i].digest.sha384, memcpy(pcr_ext_cmd.digests.digests[i].digest.sha384,
tpml_digests->digests[i].digest.sha384, tpml_digests->digests[i].digest.sha384,
sizeof(TPMU_HA)); SHA384_DIGEST_SIZE);
break; break;
case TPM_ALG_SHA512: case TPM_ALG_SHA512:
memcpy(pcr_ext_cmd.digests.digests[i].digest.sha512, memcpy(pcr_ext_cmd.digests.digests[i].digest.sha512,
tpml_digests->digests[i].digest.sha512, tpml_digests->digests[i].digest.sha512,
sizeof(TPMU_HA)); SHA512_DIGEST_SIZE);
break; break;
case TPM_ALG_SM3_256: case TPM_ALG_SM3_256:
memcpy(pcr_ext_cmd.digests.digests[i].digest.sm3_256, memcpy(pcr_ext_cmd.digests.digests[i].digest.sm3_256,
tpml_digests->digests[i].digest.sm3_256, tpml_digests->digests[i].digest.sm3_256,
sizeof(TPMU_HA)); SM3_256_DIGEST_SIZE);
break; break;
} }
} }
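Review bot: The switch that closes at the end of this hunk has no `default:` among the visible cases, so an entry whose `hashAlg` is none of the five handled values is skipped without an error and its `digest` in `pcr_ext_cmd` is never filled in. Since this structure feeds a PCR extend, rejecting the unknown algorithm is safer than sending a partially populated digest list; `default: return TPM_E_IOERROR;` would match what `tpm_extend_pcr` does for an unsupported `digest_algo`, assuming that error code is usable in this file. The switch header and the start of the loop are outside the hunk, so confirm that no earlier validation already covers this. As a smaller point, writing the length as `sizeof(pcr_ext_cmd.digests.digests[i].digest.sha1)` (and likewise for the other members) would tie each copy to its destination, so the size cannot drift from the member it writes.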