From 6c41e105c4c0940f7fa8bed8c58fa40426c04e90 Mon Sep 17 00:00:00 2001 From: Michael Scire Date: Wed, 30 Jan 2019 21:56:33 -0800 Subject: [PATCH] fusee: fix stack oob read --- fusee/fusee-secondary/src/nxboot.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/fusee/fusee-secondary/src/nxboot.c b/fusee/fusee-secondary/src/nxboot.c index 6693401ab..e4b5e14a6 100644 --- a/fusee/fusee-secondary/src/nxboot.c +++ b/fusee/fusee-secondary/src/nxboot.c @@ -411,7 +411,7 @@ uint32_t nxboot_main(void) { /* Get the TSEC keys. */ uint8_t tsec_key[0x10] = {0}; - uint8_t tsec_root_key[0x10] = {0}; + uint8_t tsec_root_keys[0x20][0x10] = {0}; if (target_firmware >= ATMOSPHERE_TARGET_FIRMWARE_700) { /* TODO: what to do here? */ if (tsec_get_key(tsec_key, 1, tsec_fw, tsec_fw_size) != 0) { @@ -425,7 +425,7 @@ uint32_t nxboot_main(void) { /* Copy back the keys. */ memcpy((void *)tsec_key, (void *)tsec_keys, 0x10); - memcpy((void *)tsec_root_key, (void *)tsec_keys + 0x10, 0x10); + memcpy((void *)tsec_root_keys, (void *)tsec_keys + 0x10, 0x10); } else { /* Run the TSEC payload and get the key. */ if (tsec_get_key(tsec_key, 1, tsec_fw, tsec_fw_size) != 0) { @@ -435,7 +435,7 @@ uint32_t nxboot_main(void) { /* Derive keydata. */ unsigned int keygen_type = 0; - if (derive_nx_keydata(target_firmware, g_keyblobs, available_revision, tsec_key, tsec_root_key, &keygen_type) != 0) { + if (derive_nx_keydata(target_firmware, g_keyblobs, available_revision, tsec_key, tsec_root_keys, &keygen_type) != 0) { fatal_error("[NXBOOT]: Key derivation failed!\n"); }