Reputation: 135
I am trying to write this function that should return a uint32_t, but I am running into an out-of-bounds read error, which means that it is reading from the wrong memory. The error is in the line sumOfKey += aonEfuse->eFuseBitArray.secFAKEK[keyIndex]; and the error states overrun-local: Overrunning array aonEfuse->eFuseBitArray.secFAKEK of 8 4-byte elements at element index 8 (byte offset 35) using index keyIndex (which evaluates to 8). Do note that secFAKEK is defined as:
uint32_t secFAKEK[EFUSE_SEC_FAKEK_SIZE_WORDS];
SEC_KM_AES_KEY_SIZE_IN_BYTES = 32
Also, EFUSE_SEC_FAKEK_SIZE_WORDS = 0x08
uint32_t SEC_CODE_SLOW SEC_KM_GetFAKEKVersion(void)
{
    uint64_t sumOfKey = 0;
    uint32_t keyIndex = 0;
    const uint32_t keySizeDwords = SEC_KM_AES_KEY_SIZE_IN_BYTES / sizeof(uint32_t);
    AON_eFuseData_t *aonEfuse = SYS_GetAONeFuseData();
    if (!aonEfuse)
    {
        return MAX_UINT32;
    }
    while (keyIndex++ < keySizeDwords)
    {
        sumOfKey += aonEfuse->eFuseBitArray.secFAKEK[keyIndex];
    }
    return sumOfKey == 0 ? 0 : ((sumOfKey == 0xFFFFFFFFULL * keySizeDwords) ? 2 : 1);
}
Upvotes: 1
Views: 1634
Reputation: 3187
This line here is the problem:
while (keyIndex++ < keySizeDwords)
What happens here is that you compare to a good value, let's say 32 < 33, then the post-increment happens and you end up with 33 inside the loop, which leads to out of bounds.
Change it to
while (keyIndex < keySizeDwords)
// and increment inside the loop.
A very simple example for this:
int size = 1;
int a[size];
int index = 0;
while (index++ < size) // index at the time of comparing is 0 but right after it is 1
{
    a[index] = 0; // here we are going out of bounds because index is 1
}
Upvotes: 0
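The loop discussed in the question and answer above, as an added example that is not part of either post: trace_postinc records which indices the body sees under the question's loop header (1 through 8 for the 8-word array, so element 0 is never summed and element 8 is read), and fakek_version is a corrected loop with the bound tied to the array length at compile time. The names trace_postinc, fakek_version, index_span, KEY_SIZE_BYTES, KEY_WORDS and the sample keys are hypothetical stand-ins; the key is passed in as a pointer instead of coming from the question's eFuse accessor.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#define KEY_SIZE_BYTES 32u /* SEC_KM_AES_KEY_SIZE_IN_BYTES in the question */
#define KEY_WORDS 8u       /* EFUSE_SEC_FAKEK_SIZE_WORDS in the question */

/* Fail the build if the loop bound and the array length ever diverge. */
_Static_assert(KEY_SIZE_BYTES / sizeof(uint32_t) == KEY_WORDS,
               "key size and eFuse array length disagree");

struct index_span { uint32_t first, last, count; };
/* Records which indices the body sees under the question's loop header.
   Nothing is dereferenced, so tracing the bug is itself well defined. */
struct index_span trace_postinc(uint32_t n)
{
    struct index_span s = {0, 0, 0};
    uint32_t i = 0;
    while (i++ < n) {        /* compares the old value; body sees old + 1 */
        if (s.count++ == 0)
            s.first = i;
        s.last = i;
    }
    return s;
}

/* Constructed sample keys; ONLY_WORD0 differs from BLANK in element 0 only. */
const uint32_t BLANK[KEY_WORDS] = {0};
const uint32_t ONLY_WORD0[KEY_WORDS] = {1};
const uint32_t ALL_ONES[KEY_WORDS] = {0xFFFFFFFFu, 0xFFFFFFFFu, 0xFFFFFFFFu,
    0xFFFFFFFFu, 0xFFFFFFFFu, 0xFFFFFFFFu, 0xFFFFFFFFu, 0xFFFFFFFFu};

/* Corrected loop: 0 = all zero, 2 = all 0xFFFFFFFF, 1 = anything else. */
uint32_t fakek_version(const uint32_t *key)
{
    uint64_t sum = 0;
    if (key == NULL) return UINT32_MAX;
    for (uint32_t i = 0; i < KEY_WORDS; i++) /* visits 0..7, nothing else */
        sum += key[i];
    return sum == 0 ? 0 : (sum == 0xFFFFFFFFULL * KEY_WORDS ? 2 : 1);
}

int main(void)
{
    struct index_span s = trace_postinc(KEY_WORDS);
    printf("post-increment loop: indices %u..%u\n", (unsigned)s.first, (unsigned)s.last);
    printf("ONLY_WORD0 -> %u\n", (unsigned)fakek_version(ONLY_WORD0));
    return 0;
}
```

ONLY_WORD0 is the case a loop starting at index 1 gets wrong even when the extra read happens to return zero: the only programmed word is the one it skips.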