From 46ffccd753f5a350265b8650a83ba51972a5a0cf Mon Sep 17 00:00:00 2001 From: Jeremy Compostella Date: Thu, 8 Sep 2022 13:47:35 -0700 Subject: util/ifittool: Fix buffer overflow with padded microcode patches Some microcode patches are padded with zeros, which make parse_microcode_blob() read beyond the end of the buffer. BRANCH=firmware-brya-14505.B BUG=b:245380705 TEST=No segmentation fault with a padded microcode patch Signed-off-by: Jeremy Compostella Change-Id: Id9c5fb6c1e264f3f5137d29201b9021c72d78fdd Reviewed-on: https://review.coreboot.org/c/coreboot/+/67460 Reviewed-by: Tim Wawrzynczak Tested-by: build bot (Jenkins) Reviewed-by: Cliff Huang Reviewed-by: Nick Vaccaro Reviewed-by: Angel Pons --- util/cbfstool/fit.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/util/cbfstool/fit.c b/util/cbfstool/fit.c index 89b0fd28d9..7f8218a745 100644 --- a/util/cbfstool/fit.c +++ b/util/cbfstool/fit.c @@ -297,7 +297,8 @@ parse_microcode_blob(struct cbfs_image *image, uint32_t total_size = mcu_header->total_size ?: 2048; /* Quickly sanity check a prospective microcode update. */ - if (total_size < sizeof(*mcu_header)) + if (total_size < sizeof(*mcu_header) || + total_size > file_length) break; /* FIXME: Should the checksum be validated? */ -- cgit v1.2.3