Apply GCC's tainted_args attribute to library entrypoints

The implementation applies `__attribute__((tainted_args))` by
integrating it into the existing ABI macro annotations.

In the process, quite a number of APIs were discovered to be unsafe in
ways that were not immediately fixable. Often this is because they lack
arguments that enable the appropriate bounds-checking to be applied.
Redesigning them is work beyond the scope of the immediate
effort. Instead, we also introduce a new annotation,
LIBPLDM_ABI_DEPRECATED_UNSAFE, that simply lacks
`__attribute__((tainted_args))` and therefore doesn't trigger the extra
analysis.

Change-Id: Ib8994eaa3907a5432d040426ad03687cbf4c2136
Signed-off-by: Andrew Jeffery <andrew@codeconstruct.com.au>
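As an added example (not libpldm's own code), the shape of decoder that the commit message says the analysis can check: a stand-in macro carrying `tainted_args` on a decode function whose output buffer comes with a capacity argument, so the copy can be bounded. The macro name, the function, the wire layout and the sample message are all constructed for this illustration.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical stand-in for the libpldm ABI macro (name assumed): with
 * tainted_args, -fanalyzer treats every argument as attacker-controlled and
 * flags array indexing or copies whose size it cannot see bounded. GCC 12+. */
#if defined(__GNUC__) && !defined(__clang__) && __GNUC__ >= 12
#define EXAMPLE_ABI_STABLE __attribute__((tainted_args))
#else
#define EXAMPLE_ABI_STABLE
#endif

/* Decoder in the checkable shape: data_cap bounds the copy into data, which
 * is the kind of argument the commit message says the UNSAFE-tagged APIs lack. */
EXAMPLE_ABI_STABLE
int example_decode_req(const uint8_t *msg, size_t payload_length,
		       uint8_t *file_handle, uint8_t *data, size_t data_cap,
		       size_t *data_len)
{
	if (!msg || !file_handle || !data || !data_len || payload_length < 1)
		return -EINVAL;
	if (payload_length - 1 > data_cap) /* body must fit the caller's buffer */
		return -EOVERFLOW;
	*file_handle = msg[0];
	memcpy(data, msg + 1, payload_length - 1);
	*data_len = payload_length - 1;
	return 0;
}

/* Constructed sample message: handle 0x2a followed by "abc". Returns 0 when
 * the undersized destination is rejected and the fitting one decodes. */
int example_selftest(void)
{
	static const uint8_t wire[] = { 0x2a, 'a', 'b', 'c' };
	uint8_t handle = 0, dst2[2], dst3[3];
	size_t len = 0;

	if (example_decode_req(wire, sizeof(wire), &handle, dst2, 2, &len) != -EOVERFLOW)
		return 1;
	if (example_decode_req(wire, sizeof(wire), &handle, dst3, 3, &len) != 0)
		return 2;
	if (handle != 0x2a || len != 3 || memcmp(dst3, "abc", 3) != 0)
		return 3;
	return 0;
}
```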
diff --git a/src/oem/meta/file_io.c b/src/oem/meta/file_io.c
index 966a262..db9407b 100644
--- a/src/oem/meta/file_io.c
+++ b/src/oem/meta/file_io.c
@@ -55,7 +55,7 @@
return pldm_msgbuf_destroy_consumed(buf);
}
-LIBPLDM_ABI_DEPRECATED
+LIBPLDM_ABI_DEPRECATED_UNSAFE
int decode_oem_meta_file_io_req(const struct pldm_msg *msg,
size_t payload_length, uint8_t *file_handle,
uint32_t *length, uint8_t *data)
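Review bot: switching decode_oem_meta_file_io_req to LIBPLDM_ABI_DEPRECATED_UNSAFE turns off the tainted_args analysis for it without recording why at the declaration; please add a short comment next to the annotation noting that `uint8_t *data` has no accompanying capacity argument, so the copy into it cannot be bounds-checked, which both keeps the rationale with the code and spells out what a redesigned replacement needs.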
@@ -69,6 +69,10 @@
return pldm_xlate_errno(-EINVAL);
}
+ if (SIZE_MAX - sizeof(*request_msg) < payload_length) {
+ return pldm_xlate_errno(-EOVERFLOW);
+ }
+
request_msg_len = sizeof(*request_msg) + payload_length;
request_msg = malloc(request_msg_len);
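Review bot: the new `SIZE_MAX - sizeof(*request_msg) < payload_length` guard only protects the sum if `request_msg_len` is itself a `size_t`; its declaration is outside the hunk, so please confirm it is not a narrower type, where the comparison would pass but the assignment on the following line would truncate. Since the function now lacks tainted_args, this manual check is the only guard on the attacker-controlled allocation size, so it is worth a one-line comment saying so.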