Reject oversized delta source offsets

F/2267

Author: danielinux

src/delta.c

@@ -40,6 +40,7 @@ struct BLOCK_HDR_PACKED block_hdr {
 };
 
 #define BLOCK_HDR_SIZE (sizeof (struct block_hdr))
+#define BLOCK_OFF_MAX 0xFFFFFFU
 
 #if defined(EXT_ENCRYPTED) && defined(__WOLFBOOT)
 #include "image.h"
@@ -300,6 +301,8 @@ int wb_diff(WB_DIFF_CTX *ctx, uint8_t *patch, uint32_t len)
                  */
                 match_len = BLOCK_HDR_SIZE;
                 blk_start = pa - ctx->src_a;
+                if (blk_start > BLOCK_OFF_MAX)
+                    return -1;
                 b_start = ctx->off_b;
                 pa+= BLOCK_HDR_SIZE;
                 ctx->off_b += BLOCK_HDR_SIZE;
@@ -362,6 +365,8 @@ int wb_diff(WB_DIFF_CTX *ctx, uint8_t *patch, uint32_t len)
                      */
                     match_len = BLOCK_HDR_SIZE;
                     blk_start = pb - ctx->src_b;
+                    if (blk_start > BLOCK_OFF_MAX)
+                        return -1;
                     pb+= BLOCK_HDR_SIZE;
                     ctx->off_b += BLOCK_HDR_SIZE;
                     while ((pb < pb_limit) &&

tools/delta/bmdiff.c

@@ -97,6 +97,10 @@ int main(int argc, char *argv[])
         exit(3);
     }
     len2 = st.st_size;
+    if (len2 > MAX_SRC_SIZE) {
+        printf("%s: file too large\n", argv[2]);
+        exit(3);
+    }
     buffer = mmap(NULL, len2, PROT_READ, MAP_SHARED, fd2, 0);
     if (buffer == (void *)(-1)) {
         perror("mmap");

tools/keytools/sign.c

@@ -2241,6 +2241,10 @@ static int base_diff(const char *f_base, uint8_t *pubkey, uint32_t pubkey_sz, in
         goto cleanup;
     }
     len2 = st.st_size;
+    if (len2 > MAX_SRC_SIZE) {
+        printf("%s: file too large\n", CMD.output_image_file);
+        goto cleanup;
+    }
     buffer = mmap(NULL, len2, PROT_READ, MAP_SHARED, fd2, 0);
     if (buffer == (void *)(-1)) {
         perror("mmap");
@@ -2276,6 +2280,10 @@ static int base_diff(const char *f_base, uint8_t *pubkey, uint32_t pubkey_sz, in
     fseek(f2, 0L, SEEK_END);
     len2 = ftell(f2);
     fseek(f2, 0L, SEEK_SET);
+    if (len2 > MAX_SRC_SIZE) {
+        printf("%s: file too large\n", CMD.output_image_file);
+        goto cleanup;
+    }
     buffer = malloc(len2);
     if (buffer == NULL) {
         fprintf(stderr, "Error malloc for buffer %d\n", len2);

tools/unit-tests/unit-delta.c

@@ -34,6 +34,7 @@
 #define PATCH_SIZE 8192
 #define DST_SIZE 4096
 #define DIFF_SIZE 8192
+#define DELTA_OFFSET_LIMIT (1U << 24)
 
 
 START_TEST(test_wb_patch_init_invalid)
@@ -238,6 +239,31 @@ START_TEST(test_wb_diff_preserves_main_loop_header_margin_for_escape)
 }
 END_TEST
 
+START_TEST(test_wb_diff_rejects_match_offsets_beyond_24_bits)
+{
+    WB_DIFF_CTX diff_ctx;
+    uint8_t *src_a;
+    uint8_t src_b[BLOCK_HDR_SIZE + 1] = {0};
+    uint8_t patch[DELTA_BLOCK_SIZE] = {0};
+    size_t src_a_size = DELTA_OFFSET_LIMIT + BLOCK_HDR_SIZE;
+    int ret;
+
+    src_a = calloc(1, src_a_size);
+    ck_assert_ptr_nonnull(src_a);
+
+    memset(src_a + DELTA_OFFSET_LIMIT, 0x5a, BLOCK_HDR_SIZE);
+    memset(src_b, 0x5a, BLOCK_HDR_SIZE);
+
+    ret = wb_diff_init(&diff_ctx, src_a, src_a_size, src_b, sizeof(src_b));
+    ck_assert_int_eq(ret, 0);
+
+    ret = wb_diff(&diff_ctx, patch, sizeof(patch));
+    ck_assert_int_eq(ret, -1);
+
+    free(src_a);
+}
+END_TEST
+
 static void initialize_buffers(uint8_t *src_a, uint8_t *src_b, size_t size)
 {
     uint32_t pseudo_rand = 0;
@@ -348,6 +374,7 @@ Suite *patch_diff_suite(void)
     tcase_add_test(tc_wolfboot_delta, test_wb_diff_self_match_extends_to_src_b_end);
     tcase_add_test(tc_wolfboot_delta, test_wb_diff_preserves_trailing_header_margin_for_escape);
     tcase_add_test(tc_wolfboot_delta, test_wb_diff_preserves_main_loop_header_margin_for_escape);
+    tcase_add_test(tc_wolfboot_delta, test_wb_diff_rejects_match_offsets_beyond_24_bits);
     tcase_add_test(tc_wolfboot_delta, test_wb_patch_and_diff);
     suite_add_tcase(s, tc_wolfboot_delta);