From c8b32341043831f4e8933b00ddf83831e7d015ce Mon Sep 17 00:00:00 2001 From: Peter Griffin Date: Fri, 25 Oct 2019 11:30:40 +0200 Subject: optee-test: add optee-test imx fork This also includes some backported gcc 8 fixes from upstream. Signed-off-by: Peter Griffin --- ...egression-4011-correct-potential-overflow.patch | 72 ++++++++++++++++++++++ ...ent-unexpected-build-warning-with-strncpy.patch | 66 ++++++++++++++++++++ recipes-security/optee-imx/optee-test_3.2.0.imx.bb | 57 +++++++++++++++++ 3 files changed, 195 insertions(+) create mode 100644 recipes-security/optee-imx/optee-test/0001-regression-4011-correct-potential-overflow.patch create mode 100644 recipes-security/optee-imx/optee-test/0001-xtest-prevent-unexpected-build-warning-with-strncpy.patch create mode 100644 recipes-security/optee-imx/optee-test_3.2.0.imx.bb (limited to 'recipes-security/optee-imx') diff --git a/recipes-security/optee-imx/optee-test/0001-regression-4011-correct-potential-overflow.patch b/recipes-security/optee-imx/optee-test/0001-regression-4011-correct-potential-overflow.patch new file mode 100644 index 000000000..0d853ed01 --- /dev/null +++ b/recipes-security/optee-imx/optee-test/0001-regression-4011-correct-potential-overflow.patch @@ -0,0 +1,72 @@ +Upstream-Status: Backport 3.4.0 + +Signed-off-by: Peter Griffin +--- +From 0953bf0abb08fb98d24b7966001171a707fbb9b9 Mon Sep 17 00:00:00 2001 +From: Etienne Carriere +Date: Fri, 21 Dec 2018 15:36:25 +0100 +Subject: [PATCH] regression 4011: correct potential overflow +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Fix issues reported by GCC 8.2.0. + +build/optee_test/host/xtest/regression_4000.c: In function ‘xtest_tee_test_4011’: +build/optee_test/host/xtest/regression_4000.c:5029:3: error: ‘memmove’ pointer overflow between offset [0, 8] and size [4294967295, 2147483647] accessing array ‘tmp’ with type ‘uint8_t[1024]’ {aka ‘unsigned char[1024]’} [-Werror=array-bounds] + memmove(tmp + n + i, tmp + m, tmp_size - m); + ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +build/optee_test/host/xtest/regression_4000.c:4927:10: note: array ‘tmp’ declared here + uint8_t tmp[1024]; + ^~~ +build/optee_test/host/xtest/regression_4000.c:5029:3: error: ‘memmove’ specified size 4294967295 exceeds maximum object size 2147483647 [-Werror=stringop-overflow=] + memmove(tmp + n + i, tmp + m, tmp_size - m); + ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +cc1: all warnings being treated as errors + +Reported-by: Simon Hughes +Signed-off-by: Etienne Carriere +Reviewed-by: Jens Wiklander +--- + host/xtest/regression_4000.c | 16 +++++++++++++--- + 1 file changed, 13 insertions(+), 3 deletions(-) + +diff --git a/host/xtest/regression_4000.c b/host/xtest/regression_4000.c +index 766aad2..205a226 100644 +--- a/host/xtest/regression_4000.c ++++ b/host/xtest/regression_4000.c +@@ -5018,18 +5018,28 @@ static void xtest_tee_test_4011(ADBG_Case_t *c) + out, out_size, tmp, &tmp_size))) + goto out; + ++ if (!ADBG_EXPECT_COMPARE_UNSIGNED(c, tmp_size, <=, sizeof(tmp))) ++ goto out; ++ + /* 4.1 */ +- for (n = 0; n < tmp_size; n++) ++ for (n = 0; n < tmp_size - i; n++) + if (tmp[n] == 0xff) + break; ++ ++ /* Shall find at least a padding start before buffer end */ ++ if (!ADBG_EXPECT_COMPARE_UNSIGNED(c, n, <, tmp_size - i - 1)) ++ goto out; ++ + for (m = n + 1; m < tmp_size; m++) + if (tmp[m] != 0xff) + break; ++ + /* 4.2 */ + memmove(tmp + n + i, tmp + m, tmp_size - m); ++ + /* 4.3 */ +- for (n = n + tmp_size - m + i; n < tmp_size; n++) +- tmp[n] = 0; ++ n = n + i + tmp_size - m; ++ memset(tmp + n, 0, tmp_size - n); + + /* 5 */ + out_size = sizeof(out); +-- +2.7.4 + diff --git a/recipes-security/optee-imx/optee-test/0001-xtest-prevent-unexpected-build-warning-with-strncpy.patch b/recipes-security/optee-imx/optee-test/0001-xtest-prevent-unexpected-build-warning-with-strncpy.patch new file mode 100644 index 000000000..0c13dcfcf --- /dev/null +++ b/recipes-security/optee-imx/optee-test/0001-xtest-prevent-unexpected-build-warning-with-strncpy.patch @@ -0,0 +1,66 @@ +Upstream-Status: Backport 3.4.0 + +Signed-off-by: Peter Griffin +--- +From 493574ad1f4f56dd63097a652b87c25c507ce99c Mon Sep 17 00:00:00 2001 +From: Etienne Carriere +Date: Fri, 21 Dec 2018 15:36:00 +0100 +Subject: [PATCH] xtest: prevent unexpected build warning with strncpy +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +This change modifies adbg_run.c to prevent a false positive +warning reported by GCC 8.2 on usage of strncpy(): + + build/optee_test/host/xtest/adbg/src/adbg_run.c: In function ‘Do_ADBG_AppendToSuite’: + build/optee_test/host/xtest/adbg/src/adbg_run.c:103:3: error: ‘strncpy’ specified bound depends on the length of the source argument [-Werror=stringop-overflow=] + strncpy(p, Source_p->SuiteID_p, size); + ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + build/optee_test/host/xtest/adbg/src/adbg_run.c:88:9: note: length computed here + size = strlen(Source_p->SuiteID_p); + ^~~~~~~~~~~~~~~~~~~~~~~~~~~ + cc1: all warnings being treated as errors + +From [1]: + Using strncpy Safely + In general, it is not possible to avoid string truncation by strncpy + except by sizing the destination to be at least a byte larger than + the length of the source string. With that approach, however, using + strncpy becomes unnecessary and the function can be avoided in favor + of other APIs such as strcpy or (less preferably) memcpy. Much has + been written about the problems with strncpy and we recommend to + avoid it whenever possible. It is, however, worth keeping in mind + that unlike other standard string-handling functions, strncpy always + writes exactly as many characters as specified by the third argument; + if the source string is shorter, the function fills the remaining + bytes with NULs. + +This change prefers using a snprintf() as used in the alternate +instruction block of the strncpy() call. + +[1] https://developers.redhat.com/blog/2018/05/24/detecting-string-truncation-with-gcc-8/ + +Signed-off-by: Etienne Carriere +Signed-off-by: Simon Hughes +Reviewed-by: Jens Wiklander +--- + host/xtest/adbg/src/adbg_run.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/host/xtest/adbg/src/adbg_run.c b/host/xtest/adbg/src/adbg_run.c +index 406e429..2739db5 100644 +--- a/host/xtest/adbg/src/adbg_run.c ++++ b/host/xtest/adbg/src/adbg_run.c +@@ -100,7 +100,7 @@ int Do_ADBG_AppendToSuite( + snprintf(p, size, "%s+%s", Dest_p->SuiteID_p, + Source_p->SuiteID_p); + else +- strncpy(p, Source_p->SuiteID_p, size); ++ snprintf(p, size, "%s", Source_p->SuiteID_p); + free((void *)Dest_p->SuiteID_p); + Dest_p->SuiteID_p = p; + +-- +2.7.4 + diff --git a/recipes-security/optee-imx/optee-test_3.2.0.imx.bb b/recipes-security/optee-imx/optee-test_3.2.0.imx.bb new file mode 100644 index 000000000..187c24a96 --- /dev/null +++ b/recipes-security/optee-imx/optee-test_3.2.0.imx.bb @@ -0,0 +1,57 @@ +# Copyright (C) 2017-2018 NXP + +SUMMARY = "OPTEE test" +HOMEPAGE = "http://www.optee.org/" + +LICENSE = "BSD" +LIC_FILES_CHKSUM = "file://LICENSE.md;md5=daa2bcccc666345ab8940aab1315a4fa" + +DEPENDS = "optee-os optee-client python-pycrypto-native openssl" +inherit pythonnative + +FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:" + +SRCBRANCH = "imx_4.14.78_1.0.0_ga" +OPTEE_TEST_SRC ?= "git://source.codeaurora.org/external/imx/imx-optee-test.git;protocol=https" + +SRC_URI = "${OPTEE_TEST_SRC};branch=${SRCBRANCH} \ + file://0001-regression-4011-correct-potential-overflow.patch \ + file://0001-xtest-prevent-unexpected-build-warning-with-strncpy.patch \ +" + +S = "${WORKDIR}/git" + +SRCREV = "eb7f698da9a7fa1587f96aa92ad8668abb0f0f48" + + + +do_compile () { + if [ ${DEFAULTTUNE} = "aarch64" ];then + export TA_DEV_KIT_DIR=${STAGING_INCDIR}/optee/export-user_ta_arm64/ + export ARCH=arm64 + else + export TA_DEV_KIT_DIR=${STAGING_INCDIR}/optee/export-user_ta_arm32/ + export ARCH=arm + fi + export OPTEE_CLIENT_EXPORT=${STAGING_DIR_HOST}/usr + export CROSS_COMPILE_HOST=${HOST_PREFIX} + export CROSS_COMPILE_TA=${HOST_PREFIX} + export CROSS_COMPILE=${HOST_PREFIX} + export OPTEE_OPENSSL_EXPORT=${STAGING_INCDIR}/ + oe_runmake V=1 +} + +do_install () { + install -d ${D}/usr/bin + install ${S}/out/xtest/xtest ${D}/usr/bin/ + + install -d ${D}/lib/optee_armtz + find ${S}/out/ta -name '*.ta' | while read name; do + install -m 444 $name ${D}/lib/optee_armtz/ + done + +} + +FILES_${PN} = "/usr/bin/ /lib*/optee_armtz/" + +COMPATIBLE_MACHINE = "(mx6|mx7|mx8)" -- cgit v1.2.3-54-g00ecf