From ea36e7d59b9bd05f65d85518ec611e1904ac6f2b Mon Sep 17 00:00:00 2001 From: Vadim Bendebury Date: Wed, 13 Sep 2017 09:20:30 -0700 Subject: [PATCH] cr50: fix hash test code memory management The hash test code memory management is somewhat loose: it does not clean up allocated buffer, but then uses it to check for presence of the previously created handles, which can result in false positives. Let's zero the buffer each time it is allocated and let's use hash_test_db.contexts as the indicator if the buffer is allocated or not. BRANCH=cr50 BUG=none TEST=ran ./test/tpm_test/tpmtest.py, observed rsa tests pass. Change-Id: Iad4b4e2662fc7266ee6f556f6ddfd0051e7172d7 Signed-off-by: Vadim Bendebury Reviewed-on: https://chromium-review.googlesource.com/665321 Reviewed-by: Shawn N
---
board/cr50/tpm2/hash.c | 24 ++++++++++++++++++------ 1 file changed, 18 insertions(+), 6 deletions(-)
diff --git a/board/cr50/tpm2/hash.c b/board/cr50/tpm2/hash.c
index cb52526831..157100fd96 100644
--- a/board/cr50/tpm2/hash.c
+++ b/board/cr50/tpm2/hash.c
@@ -190,17 +190,28 @@ static void process_start(TPM_ALG_ID alg, int handle, void *response_body, } if (!hash_test_db.max_contexts) { + size_t buffer_size; + /* Check how many contexts could possible fit. */ hash_test_db.max_contexts = shared_mem_size() / sizeof(struct test_context); + + buffer_size = sizeof(struct test_context) * + hash_test_db.max_contexts; + + if (shared_mem_acquire(buffer_size, + (char **)&hash_test_db.contexts) != + EC_SUCCESS) { + /* Must be out of memory. */ + hash_test_db.max_contexts = 0; + *response = EXC_HASH_TOO_MANY_HANDLES; + *response_size = 1; + return; + } + memset(hash_test_db.contexts, 0, buffer_size); } - if (!hash_test_db.contexts) - shared_mem_acquire(shared_mem_size(), - (char **)&hash_test_db.contexts); - - if (!hash_test_db.contexts || - (hash_test_db.current_context_count == hash_test_db.max_contexts)) { + if (hash_test_db.current_context_count == hash_test_db.max_contexts) { *response = EXC_HASH_TOO_MANY_HANDLES; *response_size = 1; return; @@ -246,6 +257,7 @@ static void process_finish(int handle, void *response_body, hash_test_db.current_context_count--; if (!hash_test_db.current_context_count) { shared_mem_release(hash_test_db.contexts); + hash_test_db.max_contexts = 0; return; }
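Review bot: In the `if (!hash_test_db.max_contexts)` block of process_start, a `shared_mem_size()` smaller than `sizeof(struct test_context)` makes the division yield 0, so `buffer_size` is 0 and `shared_mem_acquire()` is asked for an empty buffer. What that call does with size 0 is not visible here; if it succeeds, the memory stays held while `max_contexts` is 0, the count check that follows rejects every start request, and the release in process_finish is presumably never reached because no context can be created. I would return the error before acquiring when the quotient is 0, as sketched below. process_start begins and ends outside the hunk.

```c
		hash_test_db.max_contexts = shared_mem_size() /
			sizeof(struct test_context);
		if (!hash_test_db.max_contexts) {
			/* Shared memory cannot hold even one context. */
			*response = EXC_HASH_TOO_MANY_HANDLES;
			*response_size = 1;
			return;
		}
		/* … unchanged: buffer_size computation, shared_mem_acquire, memset … */
```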
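Review bot: After `shared_mem_release(hash_test_db.contexts)` in process_finish the pointer is left dangling and only `max_contexts` is reset, although the commit message names `hash_test_db.contexts` as the allocated-or-not indicator. Adding `hash_test_db.contexts = NULL;` beside `hash_test_db.max_contexts = 0;` keeps the two fields consistent and makes a stale use easier to catch than a silent read of memory that now belongs to another shared_mem user. The buffer is also handed back with its hash context state intact: the new memset in process_start protects this code from leftovers but not the next consumer, so if the test data is considered sensitive, zeroing the buffer before the release would be worth adding. The body of process_finish continues outside the hunk.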