Skip to content

Commit

Permalink
libckteec: fix null pointer dereference on template serialization
Browse files Browse the repository at this point in the history 
Fix potential null-pointer dereference on serialize_mecha_XXX()
by checking every pointer value in under CK_MECHANISM_PTR.

Link: #388
Signed-off-by: Hoyong Jin <[email protected]>
Reviewed-by: Etienne Carriere <[email protected]>
  • Loading branch information
@hoyong2007
hoyong2007 committed Oct 14, 2024
1 parent d221676 commit d1cc179
Showing 1 changed file with 49 additions and 7 deletions.
56 changes: 49 additions & 7 deletions libckteec/src/serialize_ck.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -393,6 +393,9 @@ static CK_RV serialize_mecha_aes_ctr(struct serializer *obj,
CK_RV rv = CKR_GENERAL_ERROR;
uint32_t size = 0;

if (!param)
return CKR_MECHANISM_PARAM_INVALID;

rv = serialize_32b(obj, obj->type);
if (rv)
return rv;
Expand Down Expand Up @@ -420,13 +423,13 @@ static CK_RV serialize_mecha_aes_gcm(struct serializer *obj,
CK_RV rv = CKR_GENERAL_ERROR;
CK_ULONG aad_len = 0;

if (!param || !param->pIv)
return CKR_MECHANISM_PARAM_INVALID;

/* AAD is not manadatory */
if (param->pAAD)
aad_len = param->ulAADLen;

if (!param->pIv)
return CKR_MECHANISM_PARAM_INVALID;

rv = serialize_32b(obj, obj->type);
if (rv)
return rv;
Expand Down Expand Up @@ -461,6 +464,9 @@ static CK_RV serialize_mecha_aes_iv(struct serializer *obj,
uint32_t iv_size = mecha->ulParameterLen;
CK_RV rv = CKR_GENERAL_ERROR;

if (iv_size && !mecha->pParameter)
return CKR_MECHANISM_PARAM_INVALID;

rv = serialize_32b(obj, obj->type);
if (rv)
return rv;
Expand All @@ -479,6 +485,9 @@ static CK_RV serialize_mecha_key_deriv_str(struct serializer *obj,
CK_RV rv = CKR_GENERAL_ERROR;
uint32_t size = 0;

if (!param || (param->ulLen && !param->pData))
return CKR_MECHANISM_PARAM_INVALID;

rv = serialize_32b(obj, obj->type);
if (rv)
return rv;
Expand All @@ -500,7 +509,14 @@ static CK_RV serialize_mecha_ecdh1_derive_param(struct serializer *obj,
{
CK_ECDH1_DERIVE_PARAMS *params = mecha->pParameter;
CK_RV rv = CKR_GENERAL_ERROR;
size_t params_size = 3 * sizeof(uint32_t) + params->ulSharedDataLen +
size_t params_size = 0;

if (!params ||
(params->ulSharedDataLen && !params->pSharedData) ||
(params->ulPublicDataLen && !params->pPublicData))
return CKR_MECHANISM_PARAM_INVALID;

params_size = 3 * sizeof(uint32_t) + params->ulSharedDataLen +
params->ulPublicDataLen;

rv = serialize_32b(obj, obj->type);
Expand Down Expand Up @@ -539,6 +555,9 @@ static CK_RV serialize_mecha_aes_cbc_encrypt_data(struct serializer *obj,
CK_RV rv = CKR_GENERAL_ERROR;
uint32_t size = 0;

if (!param || (param->length && !param->pData))
return CKR_MECHANISM_PARAM_INVALID;

rv = serialize_32b(obj, obj->type);
if (rv)
return rv;
Expand Down Expand Up @@ -566,6 +585,9 @@ static CK_RV serialize_mecha_rsa_pss_param(struct serializer *obj,
CK_RV rv = CKR_GENERAL_ERROR;
uint32_t params_size = 3 * sizeof(uint32_t);

if (!params)
return CKR_MECHANISM_PARAM_INVALID;

if (mecha->ulParameterLen != sizeof(*params))
return CKR_ARGUMENTS_BAD;

Expand Down Expand Up @@ -593,7 +615,12 @@ static CK_RV serialize_mecha_rsa_oaep_param(struct serializer *obj,
{
CK_RSA_PKCS_OAEP_PARAMS *params = mecha->pParameter;
CK_RV rv = CKR_GENERAL_ERROR;
size_t params_size = 4 * sizeof(uint32_t) + params->ulSourceDataLen;
size_t params_size = 0;

if (!params || (params->ulSourceDataLen && !params->pSourceData))
return CKR_MECHANISM_PARAM_INVALID;

params_size = 4 * sizeof(uint32_t) + params->ulSourceDataLen;

if (mecha->ulParameterLen != sizeof(*params))
return CKR_ARGUMENTS_BAD;
Expand Down Expand Up @@ -630,9 +657,18 @@ static CK_RV serialize_mecha_rsa_aes_key_wrap(struct serializer *obj,
CK_MECHANISM_PTR mecha)
{
CK_RSA_AES_KEY_WRAP_PARAMS *params = mecha->pParameter;
CK_RSA_PKCS_OAEP_PARAMS *aes_params = params->pOAEPParams;
CK_RSA_PKCS_OAEP_PARAMS *aes_params = NULL;
CK_RV rv = CKR_GENERAL_ERROR;
size_t params_size = 5 * sizeof(uint32_t) + aes_params->ulSourceDataLen;
size_t params_size = 0;

if (!params || !params->pOAEPParams)
return CKR_MECHANISM_PARAM_INVALID;

aes_params = params->pOAEPParams;
params_size = 5 * sizeof(uint32_t) + aes_params->ulSourceDataLen;

if (aes_params->ulSourceDataLen && !aes_params->pSourceData)
return CKR_MECHANISM_PARAM_INVALID;

if (mecha->ulParameterLen != sizeof(*params))
return CKR_ARGUMENTS_BAD;
Expand Down Expand Up @@ -675,6 +711,9 @@ static CK_RV serialize_mecha_eddsa(struct serializer *obj,
CK_RV rv = CKR_GENERAL_ERROR;
CK_EDDSA_PARAMS *params = mecha->pParameter;

if (!params || (params->ulContextDataLen && !params->pContextData))
return CKR_MECHANISM_PARAM_INVALID;

rv = serialize_32b(obj, obj->type);
if (rv)
return rv;
Expand All @@ -700,6 +739,9 @@ static CK_RV serialize_mecha_mac_general_param(struct serializer *obj,
CK_RV rv = CKR_GENERAL_ERROR;
CK_ULONG ck_data = 0;

if (mecha->ulParameterLen && !mecha->pParameter)
return CKR_MECHANISM_PARAM_INVALID;

if (mecha->ulParameterLen != sizeof(ck_data))
return CKR_ARGUMENTS_BAD;

Expand Down

0 comments on commit d1cc179

Please sign in to comment.