From 58ee0fd916671942e62ac9930f18225761a6dd66 Mon Sep 17 00:00:00 2001
From: Joe Richey <joerichey@google.com>
Date: Tue, 21 Jan 2020 20:04:45 -0800
Subject: [PATCH] mu: Remove use of VLAs for Marshalling TPML types
All of the `Tss2_MU_*_Marshal()` functions have the property that
`buffer` can be NULL, `offset` can be NULL, but both cannot be
NULL. Some Marshal functions check this directly (returning
`TSS2_MU_RC_BAD_REFERENCE` on error), but most do this by composing
existing Marshalling functions together.
The TPML Marshal functions do things differently: each creates a local
VLA `local_buffer[buffer_size]` and uses that as the buffer pointer if
a NULL buffer is given. This is unnecessary, as this pointer is only
used for debug logging and passed to other Marshalling functions, which
will correctly handle a NULL buffer.
Note that the VLA in the existing code is of length `buffer_size` (the
length of the _entire_ buffer, _not_ the length of the data being
unmarshaled). This can potentially result in a very large stack
allocation, or stack overflow.
Signed-off-by: Joe Richey <joerichey@google.com>
---
src/tss2-mu/tpml-types.c | 11 +++--------
1 file changed, 3 insertions(+), 8 deletions(-)
diff --git a/src/tss2-mu/tpml-types.c b/src/tss2-mu/tpml-types.c
index 9506a26efd14..ae1ed6177d75 100644
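--- a/src/tss2-mu/tpml-types.c
+++ b/src/tss2-mu/tpml-types.c
@@ -29,8 +29,6 @@ TSS2_RC Tss2_MU_##type##_Marshal(type const *src, uint8_t buffer[], \
 size_t local_offset = 0; \
 UINT32 i, count = 0; \
 TSS2_RC ret = TSS2_RC_SUCCESS; \
- uint8_t *buf_ptr = buffer; \
- uint8_t local_buffer[buffer_size]; \
 \
 if (offset != NULL) { \
 LOG_TRACE("offset non-NULL, initial value: %zu", *offset); \
@@ -60,24 +58,21 @@ TSS2_RC Tss2_MU_##type##_Marshal(type const *src, uint8_t buffer[], \
 LOG_WARNING("count too big"); \
 return TSS2_SYS_RC_BAD_VALUE; \
 } \
-\
- if (buf_ptr == NULL) \
- buf_ptr = local_buffer; \
 \
 LOG_DEBUG(\
 "Marshalling " #type " from 0x%" PRIxPTR " to buffer 0x%" PRIxPTR \
 " at index 0x%zx", \
 (uintptr_t)&src, \
- (uintptr_t)buf_ptr, \
+ (uintptr_t)buffer, \
 local_offset); \
 \
- ret = Tss2_MU_UINT32_Marshal(src->count, buf_ptr, buffer_size, &local_offset); \
+ ret = Tss2_MU_UINT32_Marshal(src->count, buffer, buffer_size, &local_offset); \
 if (ret) \
 return ret; \
 \
 for (i = 0; i < src->count; i++) \
 { \
- ret = marshal_func(op src->buf_name[i], buf_ptr, buffer_size, &local_offset); \
+ ret = marshal_func(op src->buf_name[i], buffer, buffer_size, &local_offset); \
 if (ret) \
 return ret; \
 } \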
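Review bot: With `buf_ptr` and `local_buffer` gone, a NULL `buffer` now reaches `Tss2_MU_UINT32_Marshal()` and every `marshal_func` instantiation directly, so the size-only path is safe only if each of those callees treats NULL as "advance the offset, write nothing"; the commit message asserts this, but nothing visible in these hunks enforces it. I would record the contract just above the count marshal, e.g. `/* buffer may be NULL (size-only call): callees must only advance local_offset */`, and add a unit test per TPML type that calls the Marshal function with `buffer == NULL` and a non-NULL `offset`. Separately, the `LOG_DEBUG` argument `(uintptr_t)&src` logs the address of the parameter variable rather than of the structure being marshalled; `(uintptr_t)src,` looks like what was intended. The macro body starts before the first hunk and continues past the second, so the NULL checks on `src`/`offset` and the final `*offset` update are not visible here.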
--
2.27.0