Fenrir fixes

hal/hal.c

@@ -190,7 +190,7 @@ int hal_flash_test_unaligned_src(void)
     ptr = (uint8_t*)(uintptr_t)src;
     ptr++;
 
-    for (i = 0; i < sizeof(src); i++) {
+    for (i = 0; i < sizeof(src) - 1; i++) {
         ptr[i] = i & 0xff;
     }
 

hal/stm32h5.c

@@ -377,7 +377,7 @@ int RAMFUNCTION hal_flash_erase(uint32_t address, int len)
     start_address = address;
 #endif
 
-    end_address = start_address + len - 1;
+    end_address = start_address + len;
     for (p = start_address; p < end_address; p += FLASH_PAGE_SIZE) {
         uint32_t reg;
         uint32_t base;

hal/stm32l5.c

@@ -255,7 +255,7 @@ int RAMFUNCTION hal_flash_erase(uint32_t address, int len)
     if (address < ARCH_FLASH_OFFSET)
         return -1;
 
-    end_address = address + len - 1;
+    end_address = address + len;
     for (p = address; p < end_address; p += FLASH_PAGE_SIZE) {
         uint32_t reg;
         uint32_t base;

hal/stm32u5.c

@@ -186,7 +186,7 @@ int RAMFUNCTION hal_flash_erase(uint32_t address, int len)
     if (address < ARCH_FLASH_OFFSET)
         return -1;
 
-    end_address = address + len - 1;
+    end_address = address + len;
     for (p = address; p < end_address; p += FLASH_PAGE_SIZE) {
         uint32_t reg;
         uint32_t base;

src/arm_tee_psa_ipc.c

@@ -389,6 +389,10 @@ static psa_status_t wolfboot_crypto_dispatch(const psa_invec *in_vec,
         if (in_len < 3 || out_vec == NULL || out_len < 1) {
             return PSA_ERROR_INVALID_ARGUMENT;
         }
+        if (in_vec[1].base == NULL ||
+            in_vec[1].len < sizeof(psa_key_attributes_t)) {
+            return PSA_ERROR_INVALID_ARGUMENT;
+        }
         {
             psa_key_attributes_t attr = *(const psa_key_attributes_t *)in_vec[1].base;
             /* Fallback to volatile storage if persistent storage is unavailable. */
@@ -405,6 +409,10 @@ static psa_status_t wolfboot_crypto_dispatch(const psa_invec *in_vec,
         if (in_len < 2 || out_vec == NULL || out_len < 1) {
             return PSA_ERROR_INVALID_ARGUMENT;
         }
+        if (in_vec[1].base == NULL ||
+            in_vec[1].len < sizeof(psa_key_attributes_t)) {
+            return PSA_ERROR_INVALID_ARGUMENT;
+        }
         {
             psa_key_attributes_t attr = *(const psa_key_attributes_t *)in_vec[1].base;
             /* Fallback to volatile storage if persistent storage is unavailable. */
@@ -479,7 +487,9 @@ static psa_status_t wolfboot_crypto_dispatch(const psa_invec *in_vec,
         struct wolfboot_hash_slot *slot;
         uint32_t handle = 0;
         psa_status_t status;
-        if (out_vec == NULL || out_len < 1) {
+        if (out_vec == NULL || out_len < 1 ||
+            out_vec[0].base == NULL ||
+            out_vec[0].len < sizeof(uint32_t)) {
             return PSA_ERROR_INVALID_ARGUMENT;
         }
         slot = wolfboot_hash_alloc(&handle);
@@ -515,7 +525,9 @@ static psa_status_t wolfboot_crypto_dispatch(const psa_invec *in_vec,
         struct wolfboot_hash_slot *dst_slot;
         uint32_t handle = 0;
         psa_status_t status;
-        if (out_vec == NULL || out_len < 1) {
+        if (out_vec == NULL || out_len < 1 ||
+            out_vec[0].base == NULL ||
+            out_vec[0].len < sizeof(uint32_t)) {
             return PSA_ERROR_INVALID_ARGUMENT;
         }
         src_slot = wolfboot_hash_find(iov->op_handle);
@@ -540,7 +552,10 @@ static psa_status_t wolfboot_crypto_dispatch(const psa_invec *in_vec,
         struct wolfboot_hash_slot *slot;
         size_t hash_len = 0;
         psa_status_t status;
-        if (out_vec == NULL || out_len < 2) {
+        if (out_vec == NULL || out_len < 2 ||
+            out_vec[0].base == NULL ||
+            out_vec[0].len < sizeof(uint32_t) ||
+            out_vec[1].base == NULL) {
             return PSA_ERROR_INVALID_ARGUMENT;
         }
         slot = wolfboot_hash_find(iov->op_handle);
@@ -562,7 +577,9 @@ static psa_status_t wolfboot_crypto_dispatch(const psa_invec *in_vec,
 
     case ARM_TEE_CRYPTO_HASH_ABORT_SID: {
         struct wolfboot_hash_slot *slot;
-        if (out_vec == NULL || out_len < 1) {
+        if (out_vec == NULL || out_len < 1 ||
+            out_vec[0].base == NULL ||
+            out_vec[0].len < sizeof(uint32_t)) {
             return PSA_ERROR_INVALID_ARGUMENT;
         }
         slot = wolfboot_hash_find(iov->op_handle);
@@ -582,7 +599,9 @@ static psa_status_t wolfboot_crypto_dispatch(const psa_invec *in_vec,
         struct wolfboot_cipher_slot *slot;
         uint32_t handle = 0;
         psa_status_t status;
-        if (out_vec == NULL || out_len < 1) {
+        if (out_vec == NULL || out_len < 1 ||
+            out_vec[0].base == NULL ||
+            out_vec[0].len < sizeof(uint32_t)) {
             return PSA_ERROR_INVALID_ARGUMENT;
         }
         slot = wolfboot_cipher_alloc(&handle);

src/flash_otp_keystore.c

@@ -50,7 +50,7 @@ static uint8_t otp_slot_item_cache[SIZEOF_KEYSTORE_SLOT];
 uint8_t *keystore_get_buffer(int id)
 {
     struct keystore_slot *slot;
-    if (id >= keystore_num_pubkeys())
+    if (id < 0 || id >= keystore_num_pubkeys())
         return (uint8_t *)0;
     if (hal_flash_otp_read(FLASH_OTP_BASE +
                 OTP_HDR_SIZE + id * SIZEOF_KEYSTORE_SLOT, otp_slot_item_cache,
@@ -63,7 +63,7 @@ uint8_t *keystore_get_buffer(int id)
 int keystore_get_size(int id)
 {
     struct keystore_slot *slot;
-    if (id >= keystore_num_pubkeys())
+    if (id < 0 || id >= keystore_num_pubkeys())
         return -1;
     if (hal_flash_otp_read(FLASH_OTP_BASE +
                 OTP_HDR_SIZE + id * SIZEOF_KEYSTORE_SLOT, otp_slot_item_cache,
@@ -76,7 +76,7 @@ int keystore_get_size(int id)
 uint32_t keystore_get_mask(int id)
 {
     struct keystore_slot *slot;
-    if (id >= keystore_num_pubkeys())
+    if (id < 0 || id >= keystore_num_pubkeys())
         return 0;
     if (hal_flash_otp_read(FLASH_OTP_BASE +
                 OTP_HDR_SIZE + id * SIZEOF_KEYSTORE_SLOT, otp_slot_item_cache,
@@ -89,7 +89,7 @@ uint32_t keystore_get_mask(int id)
 uint32_t keystore_get_key_type(int id)
 {
     struct keystore_slot *slot;
-    if (id >= keystore_num_pubkeys())
+    if (id < 0 || id >= keystore_num_pubkeys())
         return -1;
     if (hal_flash_otp_read(FLASH_OTP_BASE +
                 OTP_HDR_SIZE + id * SIZEOF_KEYSTORE_SLOT, otp_slot_item_cache,

src/libwolfboot.c

@@ -376,6 +376,8 @@ static int RAMFUNCTION trailer_write(uint8_t part, uintptr_t addr, uint8_t val)
 #else
     ret = hal_flash_write(addr_write, NVM_CACHE, NVM_CACHE_SIZE);
 #endif
+    if (ret != 0)
+        return ret;
 
     /* Once a copy has been written, erase the older sector */
     ret = hal_flash_erase(addr_read, NVM_CACHE_SIZE);
@@ -1134,7 +1136,7 @@ uint32_t wolfBoot_get_blob_version(uint8_t *blob)
     if (*magic != WOLFBOOT_MAGIC)
         return 0;
     if (wolfBoot_find_header(img_bin + IMAGE_HEADER_OFFSET, HDR_VERSION,
-            (void *)&version_field) == 0)
+            (void *)&version_field) != sizeof(uint32_t))
         return 0;
     if (version_field)
         return im2n(*version_field);
@@ -1167,7 +1169,7 @@ uint16_t wolfBoot_get_blob_type(uint8_t *blob)
     if (*magic != WOLFBOOT_MAGIC)
         return 0;
     if (wolfBoot_find_header(img_bin + IMAGE_HEADER_OFFSET, HDR_IMG_TYPE,
-            (void *)&type_field) == 0)
+            (void *)&type_field) != sizeof(uint16_t))
         return 0;
     if (type_field)
         return im2ns(*type_field);
@@ -1204,7 +1206,7 @@ uint32_t wolfBoot_get_blob_diffbase_version(uint8_t *blob)
     if (*magic != WOLFBOOT_MAGIC)
         return 0;
     if (wolfBoot_find_header(img_bin + IMAGE_HEADER_OFFSET, HDR_IMG_DELTA_BASE,
-            (void *)&delta_base) == 0)
+            (void *)&delta_base) != sizeof(uint32_t))
         return 0;
     if (delta_base)
         return im2n(*delta_base);

src/update_flash_hwswap.c

@@ -51,7 +51,7 @@ void RAMFUNCTION wolfBoot_start(void)
     int update_v_raw = (int)wolfBoot_update_firmware_version();
     uint32_t boot_v = 0U;
     uint32_t update_v = 0U;
-    uint32_t max_v = (boot_v > update_v) ? boot_v : update_v;
+    uint32_t max_v;
 
     if (boot_v_raw >= 0)
         boot_v = (uint32_t)boot_v_raw;

tools/keytools/sign.c

@@ -2361,7 +2361,7 @@ static int base_diff(const char *f_base, uint8_t *pubkey, uint32_t pubkey_sz, in
         goto cleanup;
     }
 #else
-    f1 = fopen(f_base, "wb");
+    f1 = fopen(f_base, "rb");
     if (f1 == NULL) {
         printf("Cannot open file %s\n", f_base);
         goto cleanup;
@@ -2371,7 +2371,7 @@ static int base_diff(const char *f_base, uint8_t *pubkey, uint32_t pubkey_sz, in
         fprintf(stderr, "Error malloc for base %d\n", len1);
         goto cleanup;
     }
-    if (len1 != (int)fread(base, len1, 1, f1)) {
+    if ((int)fread(base, 1, len1, f1) != len1) {
         perror("read of base");
         goto cleanup;
     }
@@ -2455,7 +2455,7 @@ static int base_diff(const char *f_base, uint8_t *pubkey, uint32_t pubkey_sz, in
         fprintf(stderr, "Error malloc for buffer %d\n", len2);
         goto cleanup;
     }
-    if (len2 != (int)fread(buffer, len2, 1, f2)) {
+    if ((int)fread(buffer, 1, len2, f2) != len2) {
         perror("fread of buffer");
         goto cleanup;
     }
@@ -2488,7 +2488,7 @@ static int base_diff(const char *f_base, uint8_t *pubkey, uint32_t pubkey_sz, in
 #if HAVE_MMAP
         io_sz = write(fd3, dest, r);
 #else
-        io_sz = (int)fwrite(dest, r, 1, f3);
+        io_sz = (int)fwrite(dest, 1, r, f3);
 #endif
         if (io_sz != r) {
             goto cleanup;
@@ -2522,7 +2522,7 @@ static int base_diff(const char *f_base, uint8_t *pubkey, uint32_t pubkey_sz, in
 #if HAVE_MMAP
         io_sz = write(fd3, dest, r);
 #else
-        io_sz = (int)fwrite(dest, r, 1, f3);
+        io_sz = (int)fwrite(dest, 1, r, f3);
 #endif
         if (io_sz != r) {
             goto cleanup;

tools/unit-tests/unit-update-disk.c

@@ -63,6 +63,10 @@ static void build_image(uint8_t *image, uint32_t version, uint8_t fill)
     memset(image + IMAGE_HEADER_SIZE, fill, TEST_PAYLOAD_SIZE);
 }
 
+static int mock_flash_protect_called;
+static haladdr_t mock_flash_protect_addr;
+static int mock_flash_protect_len;
+
 static void reset_mocks(void)
 {
     memset(load_buffer, 0, sizeof(load_buffer));
@@ -75,6 +79,9 @@ static void reset_mocks(void)
     mock_do_boot_called = 0;
     mock_boot_address = NULL;
     mock_fail_payload_part = -1;
+    mock_flash_protect_called = 0;
+    mock_flash_protect_addr = 0;
+    mock_flash_protect_len = 0;
     wolfBoot_panicked = 0;
 }
 
@@ -199,8 +206,9 @@ void do_boot(const uint32_t *address)
 
 int hal_flash_protect(haladdr_t address, int len)
 {
-    (void)address;
-    (void)len;
+    mock_flash_protect_called++;
+    mock_flash_protect_addr = address;
+    mock_flash_protect_len = len;
     return 0;
 }
 
@@ -237,6 +245,12 @@ START_TEST(test_update_disk_zeroizes_key_material_before_boot)
     ck_assert_int_eq(mock_disk_close_called, 1);
     ck_assert_int_eq(mock_do_boot_called, 1);
     ck_assert_ptr_eq(mock_boot_address, (const uint32_t *)WOLFBOOT_LOAD_ADDRESS);
+#ifndef TZEN
+    ck_assert_int_eq(mock_flash_protect_called, 1);
+    ck_assert_uint_eq((uintptr_t)mock_flash_protect_addr,
+        (uintptr_t)WOLFBOOT_ORIGIN);
+    ck_assert_int_eq(mock_flash_protect_len, BOOTLOADER_PARTITION_SIZE);
+#endif
     for (i = 0; i < ENCRYPT_KEY_SIZE; i++) {
         ck_assert_uint_eq(disk_encrypt_key[i], 0);
     }

tools/unit-tests/unit-update-flash.c

@@ -207,10 +207,15 @@ void do_boot(const uint32_t *address)
     printf("Called do_boot with address %p\n", address);
 }
 
+static int mock_flash_protect_called = 0;
+static haladdr_t mock_flash_protect_addr = 0;
+static int mock_flash_protect_len = 0;
+
 int hal_flash_protect(haladdr_t address, int len)
 {
-    (void)address;
-    (void)len;
+    mock_flash_protect_called++;
+    mock_flash_protect_addr = address;
+    mock_flash_protect_len = len;
     return 0;
 }
 
@@ -251,6 +256,9 @@ static void reset_mock_stats(void)
 #ifdef WOLFBOOT_HOOK_BOOT
     mock_hook_corrupt_signature = 0;
 #endif
+    mock_flash_protect_called = 0;
+    mock_flash_protect_addr = 0;
+    mock_flash_protect_len = 0;
 }
 
 static void clear_erase_stats(void)
@@ -724,6 +732,12 @@ START_TEST (test_sunnyday_noupdate)
     ck_assert(!wolfBoot_panicked);
     ck_assert(wolfBoot_staged_ok);
     ck_assert(wolfBoot_current_firmware_version() == 1);
+#ifndef TZEN
+    ck_assert_int_eq(mock_flash_protect_called, 1);
+    ck_assert_uint_eq((uintptr_t)mock_flash_protect_addr,
+        (uintptr_t)WOLFBOOT_ORIGIN);
+    ck_assert_int_eq(mock_flash_protect_len, BOOTLOADER_PARTITION_SIZE);
+#endif
     cleanup_flash();
 
 }

tools/unit-tests/unit-update-ram-nofixed.c

@@ -86,10 +86,15 @@ void do_boot(const uint32_t *address)
     ck_assert_int_eq(wolfBoot_verify_integrity(&boot_image), 0);
 }
 
+static int mock_flash_protect_called = 0;
+static haladdr_t mock_flash_protect_addr = 0;
+static int mock_flash_protect_len = 0;
+
 int hal_flash_protect(haladdr_t address, int len)
 {
-    (void)address;
-    (void)len;
+    mock_flash_protect_called++;
+    mock_flash_protect_addr = address;
+    mock_flash_protect_len = len;
     return 0;
 }
 
@@ -98,6 +103,9 @@ static void reset_mock_stats(void)
     wolfBoot_panicked = 0;
     wolfBoot_staged_ok = 0;
     dualboot_candidate_addr_calls = 0;
+    mock_flash_protect_called = 0;
+    mock_flash_protect_addr = 0;
+    mock_flash_protect_len = 0;
 }
 
 static void prepare_flash(void)
@@ -213,6 +221,12 @@ START_TEST(test_invalid_update_falls_back_to_boot)
     ck_assert_int_eq(wolfBoot_staged_ok, 1);
     ck_assert_int_eq(wolfBoot_panicked, 0);
     ck_assert_uint_eq((uintptr_t)wolfBoot_stage_address, WOLFBOOT_LOAD_ADDRESS);
+#ifndef TZEN
+    ck_assert_int_eq(mock_flash_protect_called, 1);
+    ck_assert_uint_eq((uintptr_t)mock_flash_protect_addr,
+        (uintptr_t)WOLFBOOT_ORIGIN);
+    ck_assert_int_eq(mock_flash_protect_len, BOOTLOADER_PARTITION_SIZE);
+#endif
     cleanup_flash();
 }
 END_TEST