cbfstool: Fix CBFS header buffer overflow

In the unlikely but possible event where the name of the CBFS file is longer than 232 characters, `cbfs_create_file_header()' would overflow the buffer it allocated when it copies the CBFS filename. Change-Id: If1825b5af21f7a20ce2a7ccb2d45b195c2fb67b0 Signed-off-by: Jeremy Compostella <jeremy.compostella@intel.com> Reviewed-on: https://review.coreboot.org/c/coreboot/+/78500 Tested-by: build bot (Jenkins) <no-reply@coreboot.org> Reviewed-by: Eric Lai <ericllai@google.com> Reviewed-by: Julius Werner <jwerner@chromium.org>
2023-10-23 13:00:33 -07:00
parent 3e57c57480
commit 66df100930
2 changed files with 30 additions and 12 deletions
--- a/util/cbfstool/cbfstool.c
+++ b/util/cbfstool/cbfstool.c
@@ -650,6 +650,8 @@ static int cbfs_add_integer_component(const char *name,

 	header = cbfs_create_file_header(CBFS_TYPE_RAW,
 		buffer.size, name);
+	if (!header)
+		goto done;

 	enum vb2_hash_algorithm algo = get_mh_cache()->cbfs_hash.algo;
 	if (algo != VB2_HASH_INVALID)
@@ -774,6 +776,8 @@ static int cbfs_add_master_header(void)
 	/* Never add a hash attribute to the master header. */
 	header = cbfs_create_file_header(CBFS_TYPE_CBFSHEADER,
 		buffer_size(&buffer), name);
+	if (!header)
+		goto done;
 	if (cbfs_add_entry(&image, &buffer, 0, header, 0) != 0) {
 		ERROR("Failed to add cbfs master header into ROM image.\n");
 		goto done;
@@ -915,6 +919,8 @@ static int cbfs_add_component(const char *filename,

 	struct cbfs_file *header =
 		cbfs_create_file_header(param.type, buffer.size, name);
+	if (!header)
+		goto error;

 	/* Bootblock and CBFS header should never have file hashes. When adding
 	   the bootblock it is important that we *don't* look up the metadata