SPDM: Avoid potential arithmetic overflow

Signed-off-by: Wei Liu <[email protected]>

Author: liuw1

src/migtd/src/spdm/spdm_req.rs

@@ -249,9 +249,14 @@ async fn send_and_receive_pub_key(spdm_requester: &mut RequesterContext) -> Spdm
         .encode(&mut writer)
         .map_err(|_| SPDM_STATUS_BUFFER_FULL)?;
 
+    let my_pub_key_len = my_pub_key.len();
+    let my_pub_key_len_u16 = match u16::try_from(my_pub_key_len) {
+        Ok(v) => v,
+        Err(_) => return Err(SPDM_STATUS_BUFFER_FULL),
+    };
     let pub_key_element = VdmMessageElement {
         element_type: VdmMessageElementType::PubKeyMy,
-        length: my_pub_key.len() as u16,
+        length: my_pub_key_len_u16,
     };
     cnt += pub_key_element
         .encode(&mut writer)
@@ -347,18 +352,34 @@ async fn send_and_receive_pub_key(spdm_requester: &mut RequesterContext) -> Spdm
         .ok_or(SPDM_STATUS_INVALID_MSG_SIZE)?;
 
     // Provision the public keys to spdm context
+    let my_pub_key_len = my_pub_key.len();
+    let my_pub_key_len_u32 = match u32::try_from(my_pub_key_len) {
+        Ok(v) => v,
+        Err(_) => return Err(SPDM_STATUS_BUFFER_FULL),
+    };
+    if my_pub_key_len > config::MAX_SPDM_CERT_CHAIN_DATA_SIZE {
+        return Err(SPDM_STATUS_BUFFER_FULL);
+    }
     let mut my_pub_key_prov = SpdmCertChainData {
-        data_size: my_pub_key.len() as u32,
+        data_size: my_pub_key_len_u32,
         data: [0u8; config::MAX_SPDM_CERT_CHAIN_DATA_SIZE],
     };
-    my_pub_key_prov.data[..my_pub_key.len()].copy_from_slice(&my_pub_key);
+    my_pub_key_prov.data[..my_pub_key_len].copy_from_slice(&my_pub_key);
     spdm_requester.common.provision_info.my_pub_key = Some(my_pub_key_prov);
 
+    let peer_pub_key_len = peer_pub_key.len();
+    let peer_pub_key_len_u32 = match u32::try_from(peer_pub_key_len) {
+        Ok(v) => v,
+        Err(_) => return Err(SPDM_STATUS_INVALID_MSG_SIZE),
+    };
+    if peer_pub_key_len > config::MAX_SPDM_CERT_CHAIN_DATA_SIZE {
+        return Err(SPDM_STATUS_INVALID_MSG_SIZE);
+    }
     let mut peer_pub_key_prov = SpdmCertChainData {
-        data_size: peer_pub_key.len() as u32,
+        data_size: peer_pub_key_len_u32,
         data: [0u8; config::MAX_SPDM_CERT_CHAIN_DATA_SIZE],
     };
-    peer_pub_key_prov.data[..peer_pub_key.len()].copy_from_slice(peer_pub_key);
+    peer_pub_key_prov.data[..peer_pub_key_len].copy_from_slice(peer_pub_key);
     spdm_requester.common.provision_info.peer_pub_key = Some(peer_pub_key_prov);
 
     let vdm_pub_key_src_hash =

src/migtd/src/spdm/spdm_rsp.rs

@@ -537,26 +537,42 @@ pub fn handle_exchange_mig_attest_info_req(
         .map_err(|_| SPDM_STATUS_BUFFER_FULL)?;
 
     //quote dst
+    let quote_len = quote_dst.len();
+    let quote_len_u16 = match u16::try_from(quote_len) {
+        Ok(v) => v,
+        Err(_) => return Err(SPDM_STATUS_BUFFER_FULL),
+    };
     let quote_element = VdmMessageElement {
         element_type: VdmMessageElementType::QuoteMy,
-        length: quote_dst.len() as u16,
+        length: quote_len_u16,
     };
     cnt += quote_element
         .encode(&mut writer)
         .map_err(|_| SPDM_STATUS_BUFFER_FULL)?;
+    if writer.used().checked_add(quote_len).is_none() {
+        return Err(SPDM_STATUS_BUFFER_FULL);
+    }
     cnt += writer
         .extend_from_slice(quote_dst.as_slice())
         .ok_or(SPDM_STATUS_BUFFER_FULL)?;
 
     //event log dst
     let event_log_dst = get_event_log().ok_or(SPDM_STATUS_INVALID_STATE_LOCAL)?;
+    let event_log_len = event_log_dst.len();
+    let event_log_len_u16 = match u16::try_from(event_log_len) {
+        Ok(v) => v,
+        Err(_) => return Err(SPDM_STATUS_BUFFER_FULL),
+    };
     let event_log_element = VdmMessageElement {
         element_type: VdmMessageElementType::EventLogMy,
-        length: event_log_dst.len() as u16,
+        length: event_log_len_u16,
     };
     cnt += event_log_element
         .encode(&mut writer)
         .map_err(|_| SPDM_STATUS_BUFFER_FULL)?;
+    if writer.used().checked_add(event_log_len).is_none() {
+        return Err(SPDM_STATUS_BUFFER_FULL);
+    }
     cnt += writer
         .extend_from_slice(event_log_dst)
         .ok_or(SPDM_STATUS_BUFFER_FULL)?;
@@ -565,13 +581,21 @@ pub fn handle_exchange_mig_attest_info_req(
     let mig_policy_dst = get_policy().ok_or(SPDM_STATUS_INVALID_STATE_LOCAL)?;
     let mig_policy_dst_hash =
         digest_sha384(mig_policy_dst).map_err(|_| SPDM_STATUS_CRYPTO_ERROR)?;
+    let mig_policy_len = mig_policy_dst_hash.len();
+    let mig_policy_len_u16 = match u16::try_from(mig_policy_len) {
+        Ok(v) => v,
+        Err(_) => return Err(SPDM_STATUS_BUFFER_FULL),
+    };
     let mig_policy_element = VdmMessageElement {
         element_type: VdmMessageElementType::MigPolicyMy,
-        length: mig_policy_dst_hash.len() as u16,
+        length: mig_policy_len_u16,
     };
     cnt += mig_policy_element
         .encode(&mut writer)
         .map_err(|_| SPDM_STATUS_BUFFER_FULL)?;
+    if writer.used().checked_add(mig_policy_len).is_none() {
+        return Err(SPDM_STATUS_BUFFER_FULL);
+    }
     cnt += writer
         .extend_from_slice(&mig_policy_dst_hash)
         .ok_or(SPDM_STATUS_BUFFER_FULL)?;

src/migtd/src/spdm/vmcall_msg.rs

@@ -128,22 +128,31 @@ impl SpdmTransportEncap for VmCallTransportEncap {
             VmCallMessageType::SpdmMessage
         };
 
+        // Check that spdm_buffer.len() fits in u32 to avoid truncation.
+        let length_u32 = match u32::try_from(spdm_buffer.len()) {
+            Ok(v) => v,
+            Err(_) => return Err(SPDM_STATUS_ENCAP_FAIL),
+        };
         let vmcall_msg_header = VmCallMessageHeader {
             version: VMCALL_SPDM_VERSION,
             msg_type,
-            length: spdm_buffer.len() as u32,
+            length: length_u32,
         };
         vmcall_msg_header
             .encode(&mut writer)
             .map_err(|_| SPDM_STATUS_ENCAP_FAIL)?;
         let header_size = writer.used();
 
-        if transport_buffer.len() < header_size + spdm_buffer.len() {
+        // Prevent arithmetic overflow when adding header_size + payload size.
+        let total_size = match header_size.checked_add(spdm_buffer.len()) {
+            Some(v) => v,
+            None => return Err(SPDM_STATUS_ENCAP_FAIL),
+        };
+        if transport_buffer.len() < total_size {
             return Err(SPDM_STATUS_ENCAP_FAIL);
         }
-        transport_buffer[header_size..(header_size + spdm_buffer.len())]
-            .copy_from_slice(&spdm_buffer);
-        Ok(header_size + spdm_buffer.len())
+        transport_buffer[header_size..total_size].copy_from_slice(&spdm_buffer);
+        Ok(total_size)
     }
 
     async fn decap(
@@ -156,15 +165,20 @@ impl SpdmTransportEncap for VmCallTransportEncap {
             VmCallMessageHeader::read(&mut reader).ok_or(SPDM_STATUS_DECAP_FAIL)?;
         let header_size = reader.used();
         let payload_size = vmcall_msg_header.length as usize;
-        if transport_buffer.len() < header_size + payload_size {
+        // Prevent overflow when computing header_size + payload_size.
+        let total_needed = match header_size.checked_add(payload_size) {
+            Some(v) => v,
+            None => return Err(SPDM_STATUS_DECAP_FAIL),
+        };
+        if transport_buffer.len() < total_needed {
             return Err(SPDM_STATUS_DECAP_FAIL);
         }
         let mut spdm_buffer = spdm_buffer.lock();
         let spdm_buffer = spdm_buffer.deref_mut();
         if spdm_buffer.len() < payload_size {
             return Err(SPDM_STATUS_DECAP_FAIL);
         }
-        let payload = &transport_buffer[header_size..(header_size + payload_size)];
+        let payload = &transport_buffer[header_size..total_needed];
         spdm_buffer[..payload_size].copy_from_slice(payload);
         let secured_message = vmcall_msg_header.msg_type == VmCallMessageType::SecuredSpdmMessage;