From c563d34fc14dfb4e57e1841725dfb778e623e681 Mon Sep 17 00:00:00 2001
From: Jacob Garber <jgarber1@ualberta.ca>
Date: Fri, 6 Sep 2019 13:29:33 -0600
Subject: security/tpm: Use correct hash digest lengths
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

TPMU_HA is a union of all the different hash digests, and so
sizeof(TPMU_HA) evaluates to 64 (the size of the largest one). This will
lead to out-of-bounds writes when copying smaller digests, so use the
specific digest size for each algorithm.

Change-Id: Ic9101f157d5a19836b200ecd99f060de552498d2
Signed-off-by: Jacob Garber <jgarber1@ualberta.ca>
Found-by: Coverity CID 14049{49,50,51,52,53,54,55,56,57,58,60,61,62}
Reviewed-on: https://review.coreboot.org/c/coreboot/+/35287
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Julius Werner <jwerner@chromium.org>
Reviewed-by: Kyösti Mälkki <kyosti.malkki@gmail.com>
Reviewed-by: Philipp Deppenwiese <zaolin.daisuki@gmail.com>
---
 src/security/tpm/tspi/tspi.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

(limited to 'src/security/tpm/tspi/tspi.c')

diff --git a/src/security/tpm/tspi/tspi.c b/src/security/tpm/tspi/tspi.c
index 4cf371196e..e64e04fbbe 100644
--- a/src/security/tpm/tspi/tspi.c
+++ b/src/security/tpm/tspi/tspi.c
@@ -219,12 +219,12 @@ uint32_t tpm_extend_pcr(int pcr, enum vb2_hash_algorithm digest_algo,
 	case VB2_HASH_SHA1:
 		tpml_digests.digests[0].hashAlg = TPM_ALG_SHA1;
 		memcpy(tpml_digests.digests[0].digest.sha1,
-		       digest, sizeof(TPMU_HA));
+		       digest, SHA1_DIGEST_SIZE);
 		break;
 	case VB2_HASH_SHA256:
 		tpml_digests.digests[0].hashAlg = TPM_ALG_SHA256;
 		memcpy(tpml_digests.digests[0].digest.sha256,
-		       digest, sizeof(TPMU_HA));
+		       digest, SHA256_DIGEST_SIZE);
 		break;
 	default:
 		return TPM_E_IOERROR;
-- 
cgit v1.2.3