Fix store header search bounds

F/1472

Author: danielinux

src/pkcs11_store.c

@@ -244,7 +244,7 @@ static uint8_t *find_object_buffer(int32_t type, uint32_t tok_id, uint32_t obj_i
 {
     struct obj_hdr *hdr = NODES_TABLE;
     uint32_t *tok_obj_stored = NULL;
-    while ((uintptr_t)hdr < ((uintptr_t)NODES_TABLE + WOLFBOOT_SECTOR_SIZE)) {
+    while ((uintptr_t)hdr < ((uintptr_t)vault_base + WOLFBOOT_SECTOR_SIZE)) {
         if ((hdr->token_id == tok_id) && (hdr->object_id == obj_id)
                 && (hdr->type == type)) {
             tok_obj_stored = (uint32_t *) (vault_base + (2 * WOLFBOOT_SECTOR_SIZE) + (hdr->pos * KEYVAULT_OBJ_SIZE));
@@ -275,7 +275,7 @@ static struct obj_hdr *find_object_header(int32_t type, uint32_t tok_id,
         uint32_t obj_id)
 {
     struct obj_hdr *hdr = NODES_TABLE;
-    while ((uintptr_t)hdr < ((uintptr_t)NODES_TABLE + WOLFBOOT_SECTOR_SIZE)) {
+    while ((uintptr_t)hdr < ((uintptr_t)vault_base + WOLFBOOT_SECTOR_SIZE)) {
         if ((hdr->token_id == tok_id) && (hdr->object_id == obj_id)
                 && (hdr->type == type)) {
             return hdr;

src/psa_store.c

@@ -243,7 +243,7 @@ static uint8_t *find_object_buffer(int32_t type, uint32_t tok_id, uint32_t obj_i
 {
     struct obj_hdr *hdr = NODES_TABLE;
     uint32_t *tok_obj_stored = NULL;
-    while ((uintptr_t)hdr < ((uintptr_t)NODES_TABLE + WOLFBOOT_SECTOR_SIZE)) {
+    while ((uintptr_t)hdr < ((uintptr_t)vault_base + WOLFBOOT_SECTOR_SIZE)) {
         if ((hdr->token_id == tok_id) && (hdr->object_id == obj_id)
                 && (hdr->type == type)) {
             tok_obj_stored = (uint32_t *) (vault_base + (2 * WOLFBOOT_SECTOR_SIZE) + (hdr->pos * KEYVAULT_OBJ_SIZE));
@@ -274,7 +274,7 @@ static struct obj_hdr *find_object_header(int32_t type, uint32_t tok_id,
         uint32_t obj_id)
 {
     struct obj_hdr *hdr = NODES_TABLE;
-    while ((uintptr_t)hdr < ((uintptr_t)NODES_TABLE + WOLFBOOT_SECTOR_SIZE)) {
+    while ((uintptr_t)hdr < ((uintptr_t)vault_base + WOLFBOOT_SECTOR_SIZE)) {
         if ((hdr->token_id == tok_id) && (hdr->object_id == obj_id)
                 && (hdr->type == type)) {
             return hdr;

tools/unit-tests/unit-pkcs11_store.c

@@ -382,6 +382,36 @@ START_TEST(test_delete_object_ignores_metadata_prefix)
 }
 END_TEST
 
+START_TEST(test_find_object_search_stops_at_header_sector)
+{
+    const int32_t type = DYNAMIC_TYPE_RSA;
+    const uint32_t tok_id = 0x11223344U;
+    const uint32_t obj_id = 0x55667788U;
+    struct obj_hdr *backup_hdr;
+    uint32_t *payload_ids;
+    int ret;
+
+    ret = mmap_file("/tmp/wolfboot-unit-keyvault.bin", vault_base,
+            keyvault_size, NULL);
+    ck_assert_int_eq(ret, 0);
+    memset(vault_base, 0xFF, keyvault_size);
+
+    backup_hdr = (struct obj_hdr *)(vault_base + WOLFBOOT_SECTOR_SIZE);
+    backup_hdr->token_id = tok_id;
+    backup_hdr->object_id = obj_id;
+    backup_hdr->type = type;
+    backup_hdr->pos = 0;
+    backup_hdr->size = 2 * sizeof(uint32_t);
+
+    payload_ids = (uint32_t *)(vault_base + 2 * WOLFBOOT_SECTOR_SIZE);
+    payload_ids[0] = tok_id;
+    payload_ids[1] = obj_id;
+
+    ck_assert_ptr_null(find_object_header(type, tok_id, obj_id));
+    ck_assert_ptr_null(find_object_buffer(type, tok_id, obj_id));
+}
+END_TEST
+
 Suite *wolfboot_suite(void)
 {
     /* Suite initialization */
@@ -391,14 +421,17 @@ Suite *wolfboot_suite(void)
     TCase* tcase_cross_sector_write = tcase_create("cross_sector_write");
     TCase* tcase_close = tcase_create("close_state");
     TCase* tcase_delete_object = tcase_create("delete_object");
+    TCase* tcase_find_bounds = tcase_create("find_bounds");
     tcase_add_test(tcase_store_and_load_objs, test_store_and_load_objs);
     tcase_add_test(tcase_cross_sector_write, test_cross_sector_write_preserves_length);
     tcase_add_test(tcase_close, test_close_clears_handle_state);
     tcase_add_test(tcase_delete_object, test_delete_object_ignores_metadata_prefix);
+    tcase_add_test(tcase_find_bounds, test_find_object_search_stops_at_header_sector);
     suite_add_tcase(s, tcase_store_and_load_objs);
     suite_add_tcase(s, tcase_cross_sector_write);
     suite_add_tcase(s, tcase_close);
     suite_add_tcase(s, tcase_delete_object);
+    suite_add_tcase(s, tcase_find_bounds);
     return s;
 }
 

tools/unit-tests/unit-psa_store.c

@@ -154,19 +154,52 @@ START_TEST(test_delete_object_ignores_metadata_prefix)
 }
 END_TEST
 
+START_TEST(test_find_object_search_stops_at_header_sector)
+{
+    enum { type = WOLFPSA_STORE_KEY };
+    const uint32_t tok_id = 0x11223344U;
+    const uint32_t obj_id = 0x55667788U;
+    struct obj_hdr *backup_hdr;
+    uint32_t *payload_ids;
+    int ret;
+
+    ret = mmap_file("/tmp/wolfboot-unit-psa-keyvault.bin", vault_base,
+        keyvault_size, NULL);
+    ck_assert_int_eq(ret, 0);
+    memset(vault_base, 0xFF, keyvault_size);
+
+    backup_hdr = (struct obj_hdr *)(vault_base + WOLFBOOT_SECTOR_SIZE);
+    backup_hdr->token_id = tok_id;
+    backup_hdr->object_id = obj_id;
+    backup_hdr->type = type;
+    backup_hdr->pos = 0;
+    backup_hdr->size = 2 * sizeof(uint32_t);
+
+    payload_ids = (uint32_t *)(vault_base + 2 * WOLFBOOT_SECTOR_SIZE);
+    payload_ids[0] = tok_id;
+    payload_ids[1] = obj_id;
+
+    ck_assert_ptr_null(find_object_header(type, tok_id, obj_id));
+    ck_assert_ptr_null(find_object_buffer(type, tok_id, obj_id));
+}
+END_TEST
+
 Suite *wolfboot_suite(void)
 {
     Suite *s = suite_create("wolfBoot-psa-store");
     TCase *tcase_write = tcase_create("cross_sector_write");
     TCase *tcase_close = tcase_create("close_state");
     TCase *tcase_delete = tcase_create("delete_object");
+    TCase *tcase_find_bounds = tcase_create("find_bounds");
 
     tcase_add_test(tcase_write, test_cross_sector_write_preserves_length);
     tcase_add_test(tcase_close, test_close_clears_handle_state);
     tcase_add_test(tcase_delete, test_delete_object_ignores_metadata_prefix);
+    tcase_add_test(tcase_find_bounds, test_find_object_search_stops_at_header_sector);
     suite_add_tcase(s, tcase_write);
     suite_add_tcase(s, tcase_close);
     suite_add_tcase(s, tcase_delete);
+    suite_add_tcase(s, tcase_find_bounds);
     return s;
 }