Fix memory overflow error when parsing PSP/BIOS directory tables with very big value of TotalEntries

Fix errors contents in Find PSP/BIOS directory functions

Signed-off-by: Ilya <rihter007@inbox.ru>

Author: rihter007

pkg/amd/manifest/bios_directory_table.go

@@ -55,6 +55,8 @@ type BIOSDirectoryTableEntry struct {
 	DestinationAddress uint64
 }
 
+const BIOSDirectoryTableEntrySize = 16
+
 // BIOSDirectoryTableHeader represents a BIOS Directory Table Header
 // Table 11 from (1)
 type BIOSDirectoryTableHeader struct {
@@ -125,7 +127,7 @@ func FindBIOSDirectoryTable(image []byte) (*BIOSDirectoryTable, bytes2.Range, er
 			break
 		}
 
-		table, bytesRead, err := ParseBIOSDirectoryTable(bytes.NewBuffer(image[idx:]))
+		table, bytesRead, err := ParseBIOSDirectoryTable(image[idx:])
 		if err != nil {
 			shift := uint64(idx + len(cookieBytes))
 			image = image[shift:]
@@ -134,13 +136,15 @@ func FindBIOSDirectoryTable(image []byte) (*BIOSDirectoryTable, bytes2.Range, er
 		}
 		return table, bytes2.Range{Offset: offset + uint64(idx), Length: bytesRead}, err
 	}
-	return nil, bytes2.Range{}, fmt.Errorf("EmbeddedFirmwareStructure is not found")
+	return nil, bytes2.Range{}, fmt.Errorf("BIOSDirectoryTable is not found")
 }
 
 // ParseBIOSDirectoryTable converts input bytes into BIOSDirectoryTable
-func ParseBIOSDirectoryTable(r io.Reader) (*BIOSDirectoryTable, uint64, error) {
+func ParseBIOSDirectoryTable(data []byte) (*BIOSDirectoryTable, uint64, error) {
 	var table BIOSDirectoryTable
 	var totalLength uint64
+
+	r := bytes.NewBuffer(data)
 	if err := readAndCountSize(r, binary.LittleEndian, &table.BIOSCookie, &totalLength); err != nil {
 		return nil, 0, err
 	}
@@ -151,13 +155,19 @@ func ParseBIOSDirectoryTable(r io.Reader) (*BIOSDirectoryTable, uint64, error) {
 	if err := readAndCountSize(r, binary.LittleEndian, &table.Checksum, &totalLength); err != nil {
 		return nil, 0, err
 	}
+
 	if err := readAndCountSize(r, binary.LittleEndian, &table.TotalEntries, &totalLength); err != nil {
 		return nil, 0, err
 	}
 	if err := readAndCountSize(r, binary.LittleEndian, &table.Reserved, &totalLength); err != nil {
 		return nil, 0, err
 	}
 
+	sizeRequired := uint64(table.TotalEntries) * BIOSDirectoryTableEntrySize
+	if uint64(r.Len()) < sizeRequired {
+		return nil, 0, fmt.Errorf("not enough data, required: %d, actual: %d", sizeRequired+totalLength, len(data))
+	}
+
 	table.Entries = make([]BIOSDirectoryTableEntry, 0, table.TotalEntries)
 	for idx := uint32(0); idx < table.TotalEntries; idx++ {
 		entry, length, err := ParseBIOSDirectoryTableEntry(r)

pkg/amd/manifest/bios_directory_table_test.go

@@ -5,7 +5,6 @@
 package manifest
 
 import (
-	"bytes"
 	"encoding/binary"
 	"testing"
 )
@@ -51,7 +50,7 @@ func TestFindBIOSDirectoryTable(t *testing.T) {
 	t.Run("bios_table_cookie_found", func(t *testing.T) {
 		table, r, err := FindBIOSDirectoryTable(append(firmwareChunk, biosDirectoryTableDataChunk...))
 		if err != nil {
-			t.Fatalf("Unexecpted error when finding BIOS Directory table")
+			t.Fatalf("Unexecpted error when finding BIOS Directory table: %v", err)
 		}
 		if r.Offset != uint64(len(firmwareChunk)) {
 			t.Errorf("BIOS Directory Table address is incorrect: %d, expected: %d", r.Offset, uint64(len(firmwareChunk)))
@@ -66,7 +65,7 @@ func TestFindBIOSDirectoryTable(t *testing.T) {
 }
 
 func TestBiosDirectoryTableParsing(t *testing.T) {
-	table, readBytes, err := ParseBIOSDirectoryTable(bytes.NewBuffer(append(biosDirectoryTableDataChunk, 0xff)))
+	table, readBytes, err := ParseBIOSDirectoryTable(append(biosDirectoryTableDataChunk, 0xff))
 	if err != nil {
 		t.Fatalf("Failed to parse BIOS Directory table, err: %v", err)
 	}
@@ -121,3 +120,19 @@ func TestBiosDirectoryTableParsing(t *testing.T) {
 			table.Entries[0].DestinationAddress)
 	}
 }
+
+func TestBrokenTotalEntriesBiosDirectoryParsing(t *testing.T) {
+	biosDirectoryTableData := make([]byte, len(biosDirectoryTableDataChunk))
+	copy(biosDirectoryTableData, biosDirectoryTableDataChunk)
+
+	// 8 is offset of TotalEntries field
+	biosDirectoryTableData[8] = 0xff
+	biosDirectoryTableData[9] = 0xff
+	biosDirectoryTableData[10] = 0xff
+	biosDirectoryTableData[11] = 0xff
+
+	_, _, err := ParseBIOSDirectoryTable(biosDirectoryTableData)
+	if err == nil {
+		t.Errorf("expected error when parsing incorrect psp directory table contents")
+	}
+}

pkg/amd/manifest/firmware.go

@@ -5,7 +5,6 @@
 package manifest
 
 import (
-	"bytes"
 	"fmt"
 
 	bytes2 "github.com/linuxboot/fiano/pkg/bytes"
@@ -72,7 +71,7 @@ func parsePSPFirmware(firmware Firmware) (*PSPFirmware, error) {
 	var pspDirectoryLevel1Range bytes2.Range
 	if efs.PSPDirectoryTablePointer != 0 && efs.PSPDirectoryTablePointer < uint32(len(image)) {
 		var length uint64
-		pspDirectoryLevel1, length, err = ParsePSPDirectoryTable(bytes.NewBuffer(image[efs.PSPDirectoryTablePointer:]))
+		pspDirectoryLevel1, length, err = ParsePSPDirectoryTable(image[efs.PSPDirectoryTablePointer:])
 		if err == nil {
 			pspDirectoryLevel1Range.Offset = uint64(efs.PSPDirectoryTablePointer)
 			pspDirectoryLevel1Range.Length = length
@@ -90,7 +89,7 @@ func parsePSPFirmware(firmware Firmware) (*PSPFirmware, error) {
 				continue
 			}
 			if entry.LocationOrValue != 0 && entry.LocationOrValue < uint64(len(image)) {
-				pspDirectoryLevel2, length, err := ParsePSPDirectoryTable(bytes.NewBuffer(image[entry.LocationOrValue:]))
+				pspDirectoryLevel2, length, err := ParsePSPDirectoryTable(image[entry.LocationOrValue:])
 				if err == nil {
 					result.PSPDirectoryLevel2 = pspDirectoryLevel2
 					result.PSPDirectoryLevel2Range.Offset = entry.LocationOrValue
@@ -115,7 +114,7 @@ func parsePSPFirmware(firmware Firmware) (*PSPFirmware, error) {
 			continue
 		}
 		var length uint64
-		biosDirectoryLevel1, length, err = ParseBIOSDirectoryTable(bytes.NewBuffer(image[offset:]))
+		biosDirectoryLevel1, length, err = ParseBIOSDirectoryTable(image[offset:])
 		if err != nil {
 			continue
 		}
@@ -137,7 +136,7 @@ func parsePSPFirmware(firmware Firmware) (*PSPFirmware, error) {
 				continue
 			}
 			if entry.SourceAddress != 0 && entry.SourceAddress < uint64(len(image)) {
-				biosDirectoryLevel2, length, err := ParseBIOSDirectoryTable(bytes.NewBuffer(image[entry.SourceAddress:]))
+				biosDirectoryLevel2, length, err := ParseBIOSDirectoryTable(image[entry.SourceAddress:])
 				if err == nil {
 					result.BIOSDirectoryLevel2 = biosDirectoryLevel2
 					result.BIOSDirectoryLevel2Range.Offset = entry.SourceAddress

pkg/amd/manifest/psp_directory_table.go

@@ -44,6 +44,8 @@ type PSPDirectoryTableEntry struct {
 	LocationOrValue uint64
 }
 
+const PSPDirectoryTableEntrySize = 16
+
 // PSPDirectoryTableHeader represents a BIOS Directory Table Header
 // Tables 3&4 from (1)
 type PSPDirectoryTableHeader struct {
@@ -101,7 +103,7 @@ func FindPSPDirectoryTable(image []byte) (*PSPDirectoryTable, bytes2.Range, erro
 			break
 		}
 
-		table, length, err := ParsePSPDirectoryTable(bytes.NewBuffer(image[idx:]))
+		table, length, err := ParsePSPDirectoryTable(image[idx:])
 		if err != nil {
 			shift := uint64(idx + len(cookieBytes))
 			image = image[idx+len(cookieBytes):]
@@ -110,21 +112,21 @@ func FindPSPDirectoryTable(image []byte) (*PSPDirectoryTable, bytes2.Range, erro
 		}
 		return table, bytes2.Range{Offset: offset + uint64(idx), Length: length}, err
 	}
-	return nil, bytes2.Range{}, fmt.Errorf("EmbeddedFirmwareStructure is not found")
+	return nil, bytes2.Range{}, fmt.Errorf("PSPDirectoryTable is not found")
 }
 
 // ParsePSPDirectoryTable converts input bytes into PSPDirectoryTable
-func ParsePSPDirectoryTable(r io.Reader) (*PSPDirectoryTable, uint64, error) {
+func ParsePSPDirectoryTable(data []byte) (*PSPDirectoryTable, uint64, error) {
 	var table PSPDirectoryTable
 	var totalLength uint64
 
+	r := bytes.NewBuffer(data)
 	if err := readAndCountSize(r, binary.LittleEndian, &table.PSPCookie, &totalLength); err != nil {
 		return nil, 0, err
 	}
 	if table.PSPCookie != PSPDirectoryTableCookie && table.PSPCookie != PSPDirectoryTableLevel2Cookie {
 		return nil, 0, fmt.Errorf("incorrect cookie: %d", table.PSPCookie)
 	}
-
 	if err := readAndCountSize(r, binary.LittleEndian, &table.Checksum, &totalLength); err != nil {
 		return nil, 0, err
 	}
@@ -135,6 +137,11 @@ func ParsePSPDirectoryTable(r io.Reader) (*PSPDirectoryTable, uint64, error) {
 		return nil, 0, err
 	}
 
+	sizeRequired := uint64(table.TotalEntries) * PSPDirectoryTableEntrySize
+	if uint64(r.Len()) < sizeRequired {
+		return nil, 0, fmt.Errorf("not enough data, required: %d, actual: %d", sizeRequired+totalLength, len(data))
+	}
+
 	for idx := uint32(0); idx < table.TotalEntries; idx++ {
 		entry, length, err := ParsePSPDirectoryTableEntry(r)
 		if err != nil {

pkg/amd/manifest/psp_directory_table_test.go

@@ -5,7 +5,6 @@
 package manifest
 
 import (
-	"bytes"
 	"encoding/binary"
 	"testing"
 )
@@ -64,7 +63,7 @@ func TestFindPSPDirectoryTable(t *testing.T) {
 }
 
 func TestPspDirectoryTableParsing(t *testing.T) {
-	table, length, err := ParsePSPDirectoryTable(bytes.NewBuffer(append(pspDirectoryTableDataChunk, 0xff)))
+	table, length, err := ParsePSPDirectoryTable(append(pspDirectoryTableDataChunk, 0xff))
 	if err != nil {
 		t.Fatalf("Failed to parse PSP Directory table, err: %v", err)
 	}
@@ -95,3 +94,19 @@ func TestPspDirectoryTableParsing(t *testing.T) {
 		t.Errorf("Table entry [0] location is incorrect: %d, expected: 0x62400", table.Entries[0].LocationOrValue)
 	}
 }
+
+func TestBrokenTotalEntriesPspDirectoryParsing(t *testing.T) {
+	pspDirectoryTableData := make([]byte, len(pspDirectoryTableDataChunk))
+	copy(pspDirectoryTableData, pspDirectoryTableDataChunk)
+
+	// 8 is offset of TotalEntries field
+	pspDirectoryTableData[8] = 0xff
+	pspDirectoryTableData[9] = 0xff
+	pspDirectoryTableData[10] = 0xff
+	pspDirectoryTableData[11] = 0xff
+
+	_, _, err := ParsePSPDirectoryTable(pspDirectoryTableData)
+	if err == nil {
+		t.Errorf("expected error when parsing incorrect psp directory table contents")
+	}
+}