From fbf6555790ad6de635ebf9e5581c840496166306 Mon Sep 17 00:00:00 2001
From: Jaiprakash Singh
Date: Sat, 28 Dec 2024 23:10:16 -0800
Subject: [PATCH] fix(tools): change data type to size_t for doimage

In image_encrypt function, vulnerability arises due to a mismatch between unsigned and signed integer types. When a large unsigned integer is returned by strlen and stored into signed integer k, the value represented is a large negative integer. This bypasses the subsequent check against AES_BLOCK_SZ and allows a buffer overflow to happen at memcpy. Similar, vulnerability issue is fixed in function verify_and_copy_file_name_entry.

Change-Id: I658521c1eec1c79933ba8082ba507df04d174e52
Signed-off-by: Jaiprakash Singh
---
 tools/marvell/doimage/doimage.c | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)

diff --git a/tools/marvell/doimage/doimage.c b/tools/marvell/doimage/doimage.c
index 1f0985c4a..12e1327ec 100644
--- a/tools/marvell/doimage/doimage.c
+++ b/tools/marvell/doimage/doimage.c
@@ -421,7 +421,7 @@ int image_encrypt(uint8_t *buf, uint32_t blen)
 char *ptmp = (char *)&tv;
 unsigned char digest[32];
 unsigned char IV[AES_BLOCK_SZ];
- int i, k;
+ size_t i, k;
 mbedtls_aes_context aes_ctx;
 int rval = -1;
 uint8_t *test_img = 0;
@@ -516,7 +516,8 @@ int image_encrypt(uint8_t *buf, uint32_t blen)
 for (i = 0; i < blen; i++) {
 if (buf[i] != test_img[i]) {
 fprintf(stderr, "Failed to compare the image after");
- fprintf(stderr, " decryption! Byte count is %d\n", i);
+ fprintf(stderr, " decryption! Byte count is %lu\n",
+ (unsigned long)i);
 rval = -1;
 goto encrypt_exit;
 }
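Review bot: The new `size_t i, k;` declaration changes the signedness of every use of `i` and `k` in image_encrypt, and almost all of those uses lie outside this hunk, so the fix cannot be confirmed from the declaration alone. Any remaining comparison such as `k < 0`, a descending loop that ends on `i >= 0`, or a signed value assigned into either variable would now behave differently; building the tool with `-Wsign-compare -Wtype-limits` would surface them. Since the commit message ties `k` to a strlen() result that is bounded by AES_BLOCK_SZ before a memcpy, a short comment on the declaration would keep a later edit from reverting the type: `size_t i, k; /* unsigned: k holds strlen() results used as a memcpy length */`.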
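Review bot: The `%lu` with an `(unsigned long)i` cast in the mismatch message works around the type change instead of using the size_t conversion; `%zu` is the C99 specifier for size_t and needs no cast: `fprintf(stderr, " decryption! Byte count is %zu\n", i);`. The cast is harmless here because `i` stays below the uint32_t `blen`, but on a host where unsigned long is 32 bits it would silently truncate a larger size_t, so the idiom is worth avoiding if the supported host toolchains accept `%zu`. The same cast is applied to `element_length` in the verify_and_copy_file_name_entry hunk, where `%zu` would remove it as well. The comparison loop and the rest of image_encrypt continue outside this hunk.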
@@ -614,11 +615,11 @@ ver_error: int verify_and_copy_file_name_entry(const char *element_name, const char *element, char *copy_to) { - int element_length = strlen(element); + size_t element_length = strlen(element); if (element_length >= MAX_FILENAME) { - fprintf(stderr, "The file name %s for %s is too long (%d). ", - element, element_name, element_length); + fprintf(stderr, "The file name %s for %s is too long (%lu). ", + element, element_name, (unsigned long)element_length); fprintf(stderr, "Maximum allowed %d characters!\n", MAX_FILENAME); return -1;
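Review bot: verify_and_copy_file_name_entry still has no comment stating the buffer contract that the `element_length >= MAX_FILENAME` check depends on: the check only protects the destination if `copy_to` is at least MAX_FILENAME bytes, and nothing in the signature says so. I would add above the function `/* Copy element into copy_to, which must be at least MAX_FILENAME bytes; returns -1 if element is too long. */`. The copy itself and the rest of the body are outside this hunk, so this presumes the copy is bounded by the same length. `element` is also passed to strlen() unchecked, so a NULL from a caller would fault before the length test is reached.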