From a286b57f1721af215ace318d5807e63f40186df6 Mon Sep 17 00:00:00 2001
From: Etienne Carriere
Date: Wed, 28 Jun 2023 14:30:19 +0200
Subject: [PATCH] regression_4006: fix fuzzing shared memory content

Explicit uses the stack to refer to attribute TEE_ATTR_RSA_OAEP_MGF_HASH passed to the crypt TA in tests regression 4006.37 and 4006.38 as the current implementation makes to TA to see an uninitialized buffer reference.
Link: https://github.com/OP-TEE/optee_os/issues/6143
Reviewed-by: Jens Wiklander
Signed-off-by: Etienne Carriere
---
 host/xtest/regression_4000.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/host/xtest/regression_4000.c b/host/xtest/regression_4000.c
index 505c9811e..883c560c6 100644
--- a/host/xtest/regression_4000.c
+++ b/host/xtest/regression_4000.c
@@ -3832,6 +3832,7 @@ static void xtest_tee_test_4006(ADBG_Case_t *c)
 uint32_t pub_key_type = 0;
 uint32_t priv_key_type = 0;
 uint32_t hash_algo = 0;
+ uint32_t sha1_algo_id = TEE_ALG_SHA1;
 if (!ADBG_EXPECT_TEEC_SUCCESS(c, xtest_teec_open_session(&session, &crypt_user_ta_uuid, NULL,
@@ -4132,9 +4133,9 @@ static void xtest_tee_test_4006(ADBG_Case_t *c)
 algo_params[0].attributeID = TEE_ATTR_RSA_OAEP_MGF_HASH;
 algo_params[0].content.ref.length =
- sizeof(uint32_t);
+ sizeof(sha1_algo_id);
 algo_params[0].content.ref.buffer =
- &(uint32_t){TEE_ALG_SHA1};
+ &sha1_algo_id;
 num_algo_params = 1;
 }
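Review bot: The new `sha1_algo_id` declaration in the first hunk has no comment saying why it must live at function scope, and it sits roughly 300 lines above its only visible use in the second hunk, so a later cleanup could fold it back into a compound literal. The removed `&(uint32_t){TEE_ALG_SHA1}` had automatic storage tied to the block that closes right after `num_algo_params = 1;`, so the pointer kept in `algo_params[0].content.ref.buffer` was presumably consumed after that storage had ended, which matches the stale buffer the commit message describes. I would add `/* Must outlive algo_params[]: its address is stored in content.ref.buffer */` above the declaration. Any other site in this file that stores the address of a block-scoped compound literal in an attribute would have the same lifetime problem and is worth checking; none is visible in these hunks. The body of xtest_tee_test_4006 starts and ends outside both hunks.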