Fix: NVM Read: Enforce Objects Boundaries #182
961677e to 93b81b5
Pull Request Overview
This PR fixes a security vulnerability in the NVM read API by enforcing object boundaries and preventing arbitrary reads from secure flash memory. Previously, the API allowed clients to read beyond object boundaries since both offset and byte_count were client-controlled.
- Changes the NVM read API signature to accept a pointer to data length (`whNvmSize *data_len`) instead of a value
- Implements boundary checking and length clamping in the flash implementation
- Updates all call sites to use the new API with proper length handling
Reviewed Changes
Copilot reviewed 12 out of 12 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| wolfhsm/wh_nvm_flash.h | Updates Read function signature to use pointer for data_len parameter |
| wolfhsm/wh_nvm.h | Updates Read callback and function signatures to use pointer for data_len |
| src/wh_nvm_flash.c | Implements boundary checking and length clamping logic in read operations |
| src/wh_nvm.c | Updates wrapper function signature to match new API |
| src/wh_server_nvm.c | Handles new API in server request processing with proper error handling |
| src/wh_server_keystore.c | Updates keystore read operations to use new API |
| src/wh_server_img_mgr.c | Updates image manager to use new API |
| src/wh_server_cert.c | Updates certificate reading with proper length handling |
| test/wh_test_clientserver.c | Adds comprehensive boundary testing for the new API |
| test/wh_test_nvm_flash.c | Updates existing tests to use new API |
| test/wh_test_server_img_mgr.c | Updates image manager tests with new API |
| tools/whnvmtool/test/test_whnvmtool.c | Updates tool tests to use new API |
bigbrett
left a comment
Nice catch. Not sure how this one slipped through...
bigbrett
left a comment
Meant to request changes before.
billphipps
left a comment
I agree we need to detect and report error on offset+data_len issues. I proposed a simpler change instead.
0bb8e66 to b22b1df
Pull Request Overview
Copilot reviewed 4 out of 4 changed files in this pull request and generated 2 comments.
b22b1df to fc16526
Addressed the comments, updated the title.
bigbrett
left a comment
Looks like feedback was addressed. @billphipps over to you, pls merge if you are OK with it
The current NVM read API does not enforce object boundaries, effectively allowing arbitrary reads from secure flash memory since both offset and byte_count are client-controlled.
In the whClient_NVM API, clients can provide a buffer larger than the object and rely on the server to return the actual size read.
Indeed, returning `WH_ERROR_BADARGS` for out-of-bounds reads would be a simple fix, but it would break existing API usage patterns.

This PR refactors the NVM read API to accept a pointer to the data length (`whNvmSize *data_len`). This allows the read function to:

All affected call sites and tests are updated to handle the new API.
There is still the open question about DMA calls because, as far as I can see, currently there is no way to communicate back the actual amount of bytes copied into the client memory via DMA.
A solution might be to enrich the response to report the written size.
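An added example, not part of this PR or of wolfHSM's own code, modelling the "before" and "after" read paths described in the Copilot overview and in the PR description above: the unchecked read trusts the client's offset and length, while the fixed read takes `data_len` as an in/out pointer, rejects an offset past the object and clamps the length to what remains. The flash layout, the object table, the function names `nvm_read_unchecked` and `nvm_read_bounded`, and the error codes are all hypothetical stand-ins; the bounds check is written as a comparison rather than an `offset + len` sum so that a large client-supplied offset cannot wrap the addition.

```c
/*
 * Added example (not wolfHSM code): a minimal model of the NVM read
 * boundary problem and the in/out data_len fix. The flash layout,
 * object table, function names and error codes are hypothetical.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed "secure flash" image: two objects stored back to back,
 * followed by erased slack. */
static const uint8_t flash_image[32] = {
    'K', 'E', 'Y', '0', '1', '2', '3', '4',                     /* object 0, 8 bytes  */
    'S', 'E', 'C', 'R', 'E', 'T', '-', 'C', 'E', 'R', 'T', '!', /* object 1, 12 bytes */
    0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF
};

typedef struct {
    uint32_t flash_offset; /* start of the object's data in flash_image */
    uint32_t size;         /* object length in bytes */
} NvmObject;

static const NvmObject objects[] = { { 0, 8 }, { 8, 12 } };
#define NUM_OBJECTS (sizeof(objects) / sizeof(objects[0]))

enum { NVM_OK = 0, NVM_BADARGS = -1 };

/* "Before": offset and data_len are used exactly as the client sent them,
 * so reading object 0 with data_len = 20 also returns object 1's bytes.
 * (The demo stays inside flash_image only so the behaviour is defined.) */
int nvm_read_unchecked(uint32_t id, uint32_t offset,
                       uint8_t *out, uint32_t data_len)
{
    if (id >= NUM_OBJECTS || out == NULL)
        return NVM_BADARGS;
    memcpy(out, flash_image + objects[id].flash_offset + offset, data_len);
    return NVM_OK;
}

/* "After": data_len is in/out. An offset past the end of the object is an
 * error; a length that would run past the end is clamped to what remains
 * and the clamped value is written back to *data_len, so callers that pass
 * a buffer larger than the object keep working. The bound is checked as
 * offset > size, not offset + *data_len > size, so a huge offset cannot
 * wrap the addition and slip past the check. */
int nvm_read_bounded(uint32_t id, uint32_t offset,
                     uint8_t *out, uint32_t *data_len)
{
    const NvmObject *obj;
    uint32_t avail;

    if (id >= NUM_OBJECTS || out == NULL || data_len == NULL)
        return NVM_BADARGS;
    obj = &objects[id];
    if (offset > obj->size)
        return NVM_BADARGS;
    avail = obj->size - offset; /* bytes left in the object */
    if (*data_len > avail)
        *data_len = avail;      /* clamp and report the actual count */
    memcpy(out, flash_image + obj->flash_offset + offset, *data_len);
    return NVM_OK;
}

int main(void)
{
    uint8_t buf[32];
    uint32_t len = 20;

    memset(buf, 0, sizeof buf);
    nvm_read_unchecked(0, 0, buf, len);
    printf("unchecked: bytes 8..19 = %.12s (leaked from object 1)\n",
           (const char *)buf + 8);

    memset(buf, 0, sizeof buf);
    len = 20;
    nvm_read_bounded(0, 0, buf, &len);
    printf("bounded:   data_len clamped to %u, data = %.8s\n",
           (unsigned)len, (const char *)buf);

    len = 4;
    printf("bounded, offset 9 on an 8-byte object: rc=%d\n",
           nvm_read_bounded(0, 9, buf, &len));
    return 0;
}
```

Reading at exactly `offset == size` is treated as a valid zero-length read here so that a client walking an object in chunks gets `*data_len == 0` rather than an error at the end; whether that or `WH_ERROR_BADARGS` is the right answer for wolfHSM is the kind of API decision the thread above is discussing, and the DMA path the description raises would still need a way to return the clamped count to the client.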