Prevent mailbox buffer overflow vulnerability

runtime/src/mailbox.rs

@@ -53,9 +53,14 @@ impl Mailbox {
     }
 
     /// Set the length of the current mailbox data in bytes
-    pub fn set_dlen(&mut self, len: u32) {
+    pub fn set_dlen(&mut self, len: u32) -> CaliptraResult<()> {
+        if len > memory_layout::MBOX_SIZE {
+            return Err(CaliptraError::RUNTIME_MAILBOX_INVALID_PARAMS);
+        }
+
         let mbox = self.mbox.regs_mut();
         mbox.dlen().write(|_| len);
+        Ok(())
     }
 
     /// Get the length of the current mailbox data in words
@@ -141,7 +146,7 @@ impl Mailbox {
 
     /// Write a word-aligned `buf` to the mailbox
     pub fn write_response(&mut self, buf: &[u8]) -> CaliptraResult<()> {
-        self.set_dlen(buf.len() as u32);
+        self.set_dlen(buf.len() as u32)?;
         self.copy_bytes_to_mbox(buf);
         Ok(())
     }

runtime/src/main.rs

@@ -91,7 +91,7 @@ pub extern "C" fn entry_point() -> ! {
     if let Err(e) = caliptra_runtime::handle_mailbox_commands(&mut drivers) {
         handle_fatal_error(e.into());
     }
-    loop {}
+    caliptra_drivers::ExitCtrl::exit(0xff);
 }
 
 #[no_mangle]

runtime/test-fw/src/mock_rt_test_interactive.rs

@@ -116,7 +116,8 @@ fn read_pcr_log(persistent_data: &PersistentDataAccessor, mbox: &mut Mailbox) {
         (core::mem::size_of::<PcrLogEntry>() * pcr_entry_count)
             .try_into()
             .unwrap(),
-    );
+    )
+    .unwrap();
     mbox.set_status(MboxStatusE::DataReady);
 }
 
@@ -136,7 +137,7 @@ fn read_pcrs(mbox: &mut Mailbox) {
         swap_word_bytes_inplace(&mut pcr_bytes);
         mbox.copy_bytes_to_mbox(pcr.as_bytes()).unwrap();
     }
-    mbox.set_dlen((48 * PCR_COUNT).try_into().unwrap());
+    mbox.set_dlen((48 * PCR_COUNT).try_into().unwrap()).unwrap();
     mbox.set_status(MboxStatusE::DataReady);
 }