Add fixes based on test fuzzing.
diff --git a/generator/sections/gen-section-generic.c b/generator/sections/gen-section-generic.c
index b2bda16..abc9792 100644
--- a/generator/sections/gen-section-generic.c
+++ b/generator/sections/gen-section-generic.c
@@ -22,5 +22,17 @@
*(start_byte + 12) &= 0b111;
*((UINT16*)(start_byte + 14)) = 0x0;
+ //Ensure CPU brand string does not terminate early.
+ for (int i=0; i<128; i++)
+ {
+ UINT8* byte = start_byte + 24 + i;
+ if (*byte == 0x0)
+ *byte = rand() % 127 + 1;
+
+ //Null terminate last byte.
+ if (i == 127)
+ *byte = 0x0;
+ }
+
return size;
}
\ No newline at end of file
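Review bot: The replacement value `rand() % 127 + 1` includes control bytes (0x01–0x1F, 0x7F), so the "brand string" this loop produces is NUL-free but not necessarily printable; if consumers are expected to display it, `*byte = ' ' + rand() % 95;` keeps it in printable ASCII, and if arbitrary bytes are the intent a comment saying so would prevent a later "fix". The final-byte special case is clearer outside the loop: iterate `i < 127` and then `*(start_byte + 24 + 127) = 0x0;` after it, which also makes the terminator unconditional. The loop writes up to offset 151 of start_byte, so the buffer must be at least 152 bytes; its allocation is outside this hunk and should be confirmed. The enclosing function starts before the hunk.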
diff --git a/generator/sections/gen-section-ia32x64.c b/generator/sections/gen-section-ia32x64.c
index a9b41e4..0f6f709 100644
--- a/generator/sections/gen-section-ia32x64.c
+++ b/generator/sections/gen-section-ia32x64.c
@@ -37,6 +37,10 @@
total_len += context_structure_lengths[i];
UINT8* section = generate_random_bytes(total_len);
+ //Null extend the end of the CPUID in the header.
+ for (int i=0; i<16; i++)
+ *(section + 48 + i) = 0x0;
+
//Set header information.
UINT64* validation = (UINT64*)section;
*validation &= 0b11;
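Review bot: The 16-iteration byte loop that zeroes `section + 48 .. section + 63` is what `memset` is for, and this file already uses `memset` elsewhere; `memset(section + 48, 0, 16);` says the same thing in one line and keeps the "Null extend the end of the CPUID" comment. It also assumes `total_len` is at least 64 — presumably the header size is added to it before this point, but that arithmetic is outside the hunk and worth a glance. The enclosing function starts before the hunk.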
@@ -68,33 +72,50 @@
{
UINT8* error_structure = generate_random_bytes(IA32X64_ERROR_STRUCTURE_SIZE);
+ //Set error structure reserved space to zero.
+ UINT64* validation = (UINT64*)(error_structure + 16);
+ *validation &= 0x1F;
+
//Create a random type of error structure.
EFI_GUID* guid = (EFI_GUID*)error_structure;
+ UINT64* check_info = (UINT64*)(error_structure + 24);
int error_structure_type = rand() % 4;
switch (error_structure_type)
{
//Cache
case 0:
memcpy(guid, &gEfiIa32x64ErrorTypeCacheCheckGuid, sizeof(EFI_GUID));
- memset(error_structure + 30, 0, 34);
+
+ //Set reserved space to zero.
+ *check_info &= ~0xFF00;
+ *check_info &= 0x3FFFFFFF;
break;
//TLB
case 1:
memcpy(guid, &gEfiIa32x64ErrorTypeTlbCheckGuid, sizeof(EFI_GUID));
- memset(error_structure + 30, 0, 34);
+
+ //Set reserved space to zero.
+ *check_info &= ~0xFF00;
+ *check_info &= 0x3FFFFFFF;
break;
//Bus
case 2:
memcpy(guid, &gEfiIa32x64ErrorTypeBusCheckGuid, sizeof(EFI_GUID));
- memset(error_structure + 35, 0, 29);
+
+ //Set reserved space to zero.
+ *check_info &= ~0xF800;
+ *check_info &= 0x7FFFFFFFF;
break;
//MS
case 3:
memcpy(guid, &gEfiIa32x64ErrorTypeMsCheckGuid, sizeof(EFI_GUID));
- memset(error_structure + 24, 0, 38);
+
+ //Set reserved space to zero.
+ *check_info &= ~0xFF30;
+ *check_info &= 0xFFFFFF;
break;
}