author | Gabe Black <gabeblack@chromium.org> | 2011-12-20 01:46:46 -0800 |
---|---|---|
committer | Gabe Black <gabeblack@chromium.org> | 2011-12-20 13:03:15 -0800 |
commit | 33bfb5df7c4997e2690227c45621f68db06dbfb3 (patch) | |
tree | 3f4aebaa9c5b7c98793e393792385b2f1945d613 /include | |
parent | 955f0be509f6b55d84beb0809488f8c3f7877111 (diff) |
Security: Make sure not to overflow the in memory version of the GBB
This change plumbs the size of the GBB specified in the device tree to the
functions that read it from the flash into memory, and adds checks to those
functions to make sure they don't spill out of the in memory GBB. From a
security standpoint this is a largely theoretical problem since the GBB is
in the read only portion of flash and if that can be modified the machine
is totally compromised, but it's possible somehow an attacker could force
vboot to read the GBB from the wrong place. From a practical perspective
it's not a bad idea to check this to avoid accidental memory corruption.
BUG=chromium-os:24223
TEST=Built and booted on Lumpy. Built for Kaen.
Change-Id: I4f33552f9d27321e73659520b08be52d775a6a9b
Signed-off-by: Gabe Black <gabeblack@google.com>
Reviewed-on: https://gerrit.chromium.org/gerrit/13228
Reviewed-by: Che-Liang Chiou <clchiou@chromium.org>
Reviewed-by: Stefan Reinauer <reinauer@chromium.org>
Tested-by: Gabe Black <gabeblack@chromium.org>
Diffstat (limited to 'include')
-rw-r--r-- | include/chromeos/gbb.h | 14 |
1 files changed, 9 insertions, 5 deletions
diff --git a/include/chromeos/gbb.h b/include/chromeos/gbb.h
index c3bc304b38e..d3770f51b1a 100644
--- a/include/chromeos/gbb.h
+++ b/include/chromeos/gbb.h
@@ -22,9 +22,11 @@
  * @param gbb Buffer for holding GBB
  * @param file Flashrom device handle
  * @param gbb_offset Offset of GBB in flashrom device
+ * @param gbb_size Size of the buffer holding GBB
  * @return zero if this succeeds, non-zero if this fails
  */
-int gbb_init(read_buf_type gbb, firmware_storage_t *file, uint32_t gbb_offset);
+int gbb_init(read_buf_type gbb, firmware_storage_t *file, uint32_t gbb_offset,
+	     size_t gbb_size);
 #ifndef CONFIG_HARDWARE_MAPPED_SPI
 /**
@@ -33,10 +35,11 @@ int gbb_init(read_buf_type gbb, firmware_storage_t *file, uint32_t gbb_offset);
  * @param gbb Buffer for holding GBB
  * @param file Flashrom device handle
  * @param gbb_offset Offset of GBB in flashrom device
+ * @param gbb_size Size of the buffer holding GBB
  * @return zero if this succeeds, non-zero if this fails
  */
-int gbb_read_bmp_block(read_buf_type gbb,
-		firmware_storage_t *file, uint32_t gbb_offset);
+int gbb_read_bmp_block(read_buf_type gbb, firmware_storage_t *file,
+		uint32_t gbb_offset, size_t gbb_size);
 /*
  * This loads the recovery key of GBB from flashrom.
@@ -44,10 +47,11 @@ int gbb_read_bmp_block(read_buf_type gbb,
  * @param gbb Buffer for holding GBB
  * @param file Flashrom device handle
  * @param gbb_offset Offset of GBB in flashrom device
+ * @param gbb_size Size of the buffer holding GBB
  * @return zero if this succeeds, non-zero if this fails
  */
-int gbb_read_recovery_key(read_buf_type gbb,
-		firmware_storage_t *file, uint32_t gbb_offset);
+int gbb_read_recovery_key(read_buf_type gbb, firmware_storage_t *file,
+		uint32_t gbb_offset, size_t gbb_size);
 #else
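Review bot: The new `@param gbb_size` line on `gbb_init` gives no unit and does not say what the size constrains, which is the contract this change exists to introduce; suggest `@param gbb_size Size in bytes of the gbb buffer; a GBB that would not fit is rejected with a non-zero return`, with the rejection wording presumed from the commit message since the implementation is not in this diff. The same comment is added verbatim to `gbb_read_bmp_block` and `gbb_read_recovery_key` in the second and third hunks and would benefit from the same wording. Pairing `uint32_t gbb_offset` with `size_t gbb_size` leaves the width of any offset-plus-length bounds check up to the implementation; if both are meant as byte counts in the same domain, a short note on the parameters (or one type for both) would make that explicit. The header now also depends on `size_t` being in scope, which this diff does not show an include for; worth confirming the existing includes cover it.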