From: "Zhang, Chao B" To: edk2-devel@lists.01.org Date: Tue, 20 Mar 2018 16:35:33 +0800 Message-Id: <20180320083533.26316-1-chao.b.zhang@intel.com> X-Mailer: git-send-email 2.11.0.windows.1 Subject: [edk2] [Patch] SecurityPkg Tpm2CommandLib: Fix TPM2.0 response memory overflow X-BeenThere: edk2-devel@lists.01.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: EDK II Development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Yao Jiewen , Chao Zhang , Long Qin MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Errors-To: edk2-devel-bounces@lists.01.org Sender: "edk2-devel" X-ZohoMail: RSF_4 Z_629925259 SPT_0 Content-Type: text/plain; charset="utf-8" TPM2.0 command lib always assumes TPM device and transmission channel can respond correctly. But it is not true when communication channel is exploit= ed and wrong data is spoofed. Add more logic to prohibit memory overflow attac= k. Cc: Long Qin Cc: Yao Jiewen Contributed-under: TianoCore Contribution Agreement 1.1 Signed-off-by: Chao Zhang Signed-off-by: Zhang, Chao B Reviewed-by: Long Qin --- .../Library/Tpm2CommandLib/Tpm2Capability.c | 21 ++++++++++++++- .../Tpm2CommandLib/Tpm2EnhancedAuthorization.c | 16 ++++++++++- SecurityPkg/Library/Tpm2CommandLib/Tpm2Integrity.c | 19 ++++++++++--- SecurityPkg/Library/Tpm2CommandLib/Tpm2NVStorage.c | 14 ++++++++-- SecurityPkg/Library/Tpm2CommandLib/Tpm2Object.c | 31 ++++++++++++++++++= +++- SecurityPkg/Library/Tpm2CommandLib/Tpm2Sequences.c | 10 ++++++- SecurityPkg/Library/Tpm2CommandLib/Tpm2Session.c | 6 ++++- 7 files changed, 107 insertions(+), 10 deletions(-) diff --git a/SecurityPkg/Library/Tpm2CommandLib/Tpm2Capability.c b/Security= Pkg/Library/Tpm2CommandLib/Tpm2Capability.c index 79e80fb7a9..42afe107a6 100644 --- a/SecurityPkg/Library/Tpm2CommandLib/Tpm2Capability.c +++ b/SecurityPkg/Library/Tpm2CommandLib/Tpm2Capability.c 
@@ -1,9 +1,9 @@ /** @file Implement TPM2 Capability related command. =20 -Copyright (c) 2013 - 2016, Intel Corporation. All rights reserved.
+Copyright (c) 2013 - 2018, Intel Corporation. All rights reserved.
This program and the accompanying materials are licensed and made available under the terms and conditions of the BSD = License which accompanies this distribution. The full text of the license may be = found at http://opensource.org/licenses/bsd-license.php =20 @@ -110,10 +110,18 @@ Tpm2GetCapability ( =20 if (RecvBufferSize <=3D sizeof (TPM2_RESPONSE_HEADER) + sizeof (UINT8)) { return EFI_DEVICE_ERROR; } =20 + // + // Fail if command failed + // + if (SwapBytes32(RecvBuffer.Header.responseCode) !=3D TPM_RC_SUCCESS) { + DEBUG ((EFI_D_ERROR, "Tpm2GetCapability: Response Code error! 0x%08x\r= \n", SwapBytes32(RecvBuffer.Header.responseCode))); + return EFI_DEVICE_ERROR; + } + // // Return the response // *MoreData =3D RecvBuffer.MoreData; // @@ -327,10 +335,14 @@ Tpm2GetCapabilitySupportedAlg ( } =20 CopyMem (AlgList, &TpmCap.data.algorithms, sizeof (TPML_ALG_PROPERTY)); =20 AlgList->count =3D SwapBytes32 (AlgList->count); + if (AlgList->count > MAX_CAP_ALGS) { + return EFI_DEVICE_ERROR;=20 + } + for (Index =3D 0; Index < AlgList->count; Index++) { AlgList->algProperties[Index].alg =3D SwapBytes16 (AlgList->algPropert= ies[Index].alg); WriteUnaligned32 ((UINT32 *)&AlgList->algProperties[Index].algProperti= es, SwapBytes32 (ReadUnaligned32 ((UINT32 *)&AlgList->algProperties[Index].= algProperties))); } =20 
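Review bot: The new response-code test in Tpm2GetCapability sits after the existing `RecvBufferSize <= sizeof (TPM2_RESPONSE_HEADER) + sizeof (UINT8)` test, so a failure reply that carries only the header (the usual shape of a TPM error response) is rejected by the length test first and the added DEBUG line never reports its code. Moving the `responseCode` test ahead of the length test makes the diagnostic reachable; the returned status is EFI_DEVICE_ERROR either way. The swapped code is also computed twice, and a local such as `ResponseCode = SwapBytes32 (RecvBuffer.Header.responseCode);` would keep the comparison and the log in step. The function starts and ends outside the hunk.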
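Review bot: In Tpm2GetCapabilitySupportedAlg the caller's `AlgList` has already received the raw `CopyMem` and the swapped count by the time `AlgList->count > MAX_CAP_ALGS` is tested, so on the error return the output structure still holds the unvalidated count. A caller that ignores the status and iterates `AlgList->count` would walk past `algProperties`; testing `SwapBytes32 (TpmCap.data.algorithms.count) > MAX_CAP_ALGS` before the `CopyMem` avoids handing that value out. The same validate-after-store order appears in the Tpm2GetCapabilityPcrs, Tpm2PolicyGetDigest, Tpm2PcrEvent, Tpm2NvRead, Tpm2EventSequenceComplete and Tpm2SequenceComplete hunks. The added `return EFI_DEVICE_ERROR;` line here also carries trailing whitespace.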
@@ -474,13 +486,20 @@ Tpm2GetCapabilityPcrs ( if (EFI_ERROR (Status)) { return Status; } =20 Pcrs->count =3D SwapBytes32 (TpmCap.data.assignedPCR.count); + if (Pcrs->count > HASH_COUNT) { + return EFI_DEVICE_ERROR; + } + for (Index =3D 0; Index < Pcrs->count; Index++) { Pcrs->pcrSelections[Index].hash =3D SwapBytes16 (TpmCap.data.assignedP= CR.pcrSelections[Index].hash); Pcrs->pcrSelections[Index].sizeofSelect =3D TpmCap.data.assignedPCR.pc= rSelections[Index].sizeofSelect; + if (Pcrs->pcrSelections[Index].sizeofSelect > PCR_SELECT_MAX) { + return EFI_DEVICE_ERROR; + } CopyMem (Pcrs->pcrSelections[Index].pcrSelect, TpmCap.data.assignedPCR= .pcrSelections[Index].pcrSelect, Pcrs->pcrSelections[Index].sizeofSelect); } =20 return EFI_SUCCESS; } diff --git a/SecurityPkg/Library/Tpm2CommandLib/Tpm2EnhancedAuthorization.c= b/SecurityPkg/Library/Tpm2CommandLib/Tpm2EnhancedAuthorization.c index 6f6b3693f8..3e42875b83 100644 --- a/SecurityPkg/Library/Tpm2CommandLib/Tpm2EnhancedAuthorization.c +++ b/SecurityPkg/Library/Tpm2CommandLib/Tpm2EnhancedAuthorization.c @@ -1,9 +1,9 @@ /** @file Implement TPM2 EnhancedAuthorization related command. =20 -Copyright (c) 2014 - 2016, Intel Corporation. All rights reserved.
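Review bot: Both new rejections in Tpm2GetCapabilityPcrs return EFI_DEVICE_ERROR without logging, so a response with an out-of-range `count` or `sizeofSelect` leaves no record of which field was bad or what value the device sent. A line such as `DEBUG ((DEBUG_ERROR, "Tpm2GetCapabilityPcrs - Pcrs->count error %x\n", Pcrs->count));` before each return would match the logging already done in the Tpm2GetCapability and Tpm2PcrRead hunks. The new early returns in the Tpm2PolicySecret, Tpm2NvRead, Tpm2ReadPublic, Tpm2SequenceComplete and Tpm2StartAuthSession hunks are silent in the same way.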
+Copyright (c) 2014 - 2018, Intel Corporation. All rights reserved.
This program and the accompanying materials are licensed and made available under the terms and conditions of the BSD = License which accompanies this distribution. The full text of the license may be = found at http://opensource.org/licenses/bsd-license.php =20 @@ -178,19 +178,29 @@ Tpm2PolicySecret ( // // Return the response // Buffer =3D (UINT8 *)&RecvBuffer.Timeout; Timeout->size =3D SwapBytes16(ReadUnaligned16 ((UINT16 *)Buffer)); + if (Timeout->size > sizeof(UINT64)) { + Status =3D EFI_DEVICE_ERROR; + goto Done; + } + Buffer +=3D sizeof(UINT16); CopyMem (Timeout->buffer, Buffer, Timeout->size); =20 PolicyTicket->tag =3D SwapBytes16(ReadUnaligned16 ((UINT16 *)Buffer)); Buffer +=3D sizeof(UINT16); PolicyTicket->hierarchy =3D SwapBytes32(ReadUnaligned32 ((UINT32 *)Buffe= r)); Buffer +=3D sizeof(UINT32); PolicyTicket->digest.size =3D SwapBytes16(ReadUnaligned16 ((UINT16 *)Buf= fer)); Buffer +=3D sizeof(UINT16); + if (PolicyTicket->digest.size > sizeof(TPMU_HA)) { + Status =3D EFI_DEVICE_ERROR; + goto Done; + } + CopyMem (PolicyTicket->digest.buffer, Buffer, PolicyTicket->digest.size); =20 Done: // // Clear AuthSession Content @@ -377,9 +387,13 @@ Tpm2PolicyGetDigest ( =20 // // Return the response // PolicyHash->size =3D SwapBytes16 (RecvBuffer.PolicyHash.size); + if (PolicyHash->size > sizeof(TPMU_HA)) { + return EFI_DEVICE_ERROR; + } + CopyMem (PolicyHash->buffer, &RecvBuffer.PolicyHash.buffer, PolicyHash->= size); =20 return EFI_SUCCESS; } diff --git a/SecurityPkg/Library/Tpm2CommandLib/Tpm2Integrity.c b/SecurityP= kg/Library/Tpm2CommandLib/Tpm2Integrity.c index 8eacfe6c13..9c0b70dd93 100644 --- a/SecurityPkg/Library/Tpm2CommandLib/Tpm2Integrity.c +++ b/SecurityPkg/Library/Tpm2CommandLib/Tpm2Integrity.c @@ -1,9 +1,9 @@ /** @file Implement TPM2 Integrity related command. =20 -Copyright (c) 2013 - 2016, Intel Corporation. All rights reserved.
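Review bot: After `CopyMem (Timeout->buffer, Buffer, Timeout->size);` in Tpm2PolicySecret the cursor is not advanced past the timeout bytes, so `PolicyTicket->tag` and the fields after it are read from the start of the timeout data whenever `Timeout->size` is non-zero. The new size checks bound the two copies but leave that unchanged context line as it was; adding `Buffer += Timeout->size;` directly after the copy puts the ticket parse at the right offset. The function begins outside the hunk and continues past the `Done:` label.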
+Copyright (c) 2013 - 2018, Intel Corporation. All rights reserved.
This program and the accompanying materials are licensed and made available under the terms and conditions of the BSD = License which accompanies this distribution. The full text of the license may be = found at http://opensource.org/licenses/bsd-license.php =20 @@ -277,10 +277,14 @@ Tpm2PcrEvent ( // Unmarshal the response // Buffer =3D (UINT8 *)&Res.Digests; =20 Digests->count =3D SwapBytes32 (ReadUnaligned32 ((UINT32 *)Buffer)); + if (Digests->count > HASH_COUNT) { + return EFI_DEVICE_ERROR; + } + Buffer +=3D sizeof(UINT32); for (Index =3D 0; Index < Digests->count; Index++) { Digests->digests[Index].hashAlg =3D SwapBytes16 (ReadUnaligned16 ((UIN= T16 *)Buffer)); Buffer +=3D sizeof(UINT16); DigestSize =3D GetHashSizeFromAlgo (Digests->digests[Index].hashAlg); 
@@ -381,28 +385,37 @@ Tpm2PcrRead ( if (RecvBufferSize < sizeof (TPM2_RESPONSE_HEADER) + sizeof(RecvBuffer.P= crUpdateCounter) + sizeof(RecvBuffer.PcrSelectionOut.count)) { DEBUG ((EFI_D_ERROR, "Tpm2PcrRead - RecvBufferSize Error - %x\n", Recv= BufferSize)); return EFI_DEVICE_ERROR; } PcrSelectionOut->count =3D SwapBytes32(RecvBuffer.PcrSelectionOut.count); - if (RecvBufferSize < sizeof (TPM2_RESPONSE_HEADER) + sizeof(RecvBuffer.P= crUpdateCounter) + sizeof(RecvBuffer.PcrSelectionOut.count) + sizeof(RecvBu= ffer.PcrSelectionOut.pcrSelections[0]) * PcrSelectionOut->count) { - DEBUG ((EFI_D_ERROR, "Tpm2PcrRead - RecvBufferSize Error - %x\n", Recv= BufferSize)); + if (PcrSelectionOut->count > HASH_COUNT || RecvBufferSize < sizeof (TPM2= _RESPONSE_HEADER) + sizeof(RecvBuffer.PcrUpdateCounter) + sizeof(RecvBuffer= .PcrSelectionOut.count) + sizeof(RecvBuffer.PcrSelectionOut.pcrSelections[0= ]) * PcrSelectionOut->count) { + DEBUG ((EFI_D_ERROR, "Tpm2PcrRead - Digests->count -%x or RecvBufferSi= ze Error - %x\n", PcrSelectionOut->count, RecvBufferSize)); return EFI_DEVICE_ERROR; } for (Index =3D 0; Index < PcrSelectionOut->count; Index++) { PcrSelectionOut->pcrSelections[Index].hash =3D SwapBytes16(RecvBuffer.= PcrSelectionOut.pcrSelections[Index].hash); PcrSelectionOut->pcrSelections[Index].sizeofSelect =3D RecvBuffer.PcrS= electionOut.pcrSelections[Index].sizeofSelect; + if (PcrSelectionOut->pcrSelections[Index].sizeofSelect > PCR_SELECT_MA= X) { + return EFI_DEVICE_ERROR; + } CopyMem (&PcrSelectionOut->pcrSelections[Index].pcrSelect, &RecvBuffer= .PcrSelectionOut.pcrSelections[Index].pcrSelect, PcrSelectionOut->pcrSelect= ions[Index].sizeofSelect); } =20 // // PcrValues // PcrValuesOut =3D (TPML_DIGEST *)((UINT8 *)&RecvBuffer + sizeof (TPM2_RES= PONSE_HEADER) + sizeof(RecvBuffer.PcrUpdateCounter) + sizeof(RecvBuffer.Pcr= SelectionOut.count) + sizeof(RecvBuffer.PcrSelectionOut.pcrSelections[0]) *= PcrSelectionOut->count); PcrValues->count =3D 
SwapBytes32(PcrValuesOut->count); + if (PcrValues->count > 8) { + return EFI_DEVICE_ERROR; + } Digests =3D PcrValuesOut->digests; for (Index =3D 0; Index < PcrValues->count; Index++) { PcrValues->digests[Index].size =3D SwapBytes16(Digests->size); + if (PcrValues->digests[Index].size > sizeof(TPMU_HA)) { + return EFI_DEVICE_ERROR; + } CopyMem (&PcrValues->digests[Index].buffer, &Digests->buffer, PcrValue= s->digests[Index].size); Digests =3D (TPM2B_DIGEST *)((UINT8 *)Digests + sizeof(Digests->size) = + PcrValues->digests[Index].size); } =20 return EFI_SUCCESS; diff --git a/SecurityPkg/Library/Tpm2CommandLib/Tpm2NVStorage.c b/SecurityP= kg/Library/Tpm2CommandLib/Tpm2NVStorage.c index 9508022132..2b87260764 100644 --- a/SecurityPkg/Library/Tpm2CommandLib/Tpm2NVStorage.c +++ b/SecurityPkg/Library/Tpm2CommandLib/Tpm2NVStorage.c @@ -1,9 +1,9 @@ /** @file Implement TPM2 NVStorage related command. =20 -Copyright (c) 2013 - 2016, Intel Corporation. All rights reserved.
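Review bot: The PcrValues half of Tpm2PcrRead is never checked against `RecvBufferSize`: `PcrValuesOut->count` and each `Digests->size` are read, and the `Digests` cursor advanced, without confirming that those bytes lie inside the received response, so a short reply is parsed from bytes the device did not send. The new limits stop the copies from overrunning `PcrValues`, but a running-length test before each read is still missing. The literal in `PcrValues->count > 8` is presumably the capacity of `PcrValues->digests` and would be clearer as `ARRAY_SIZE (PcrValues->digests)`. The rewritten DEBUG text also prints `PcrSelectionOut->count` under the label `Digests->count`. The function starts outside the hunk.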
+Copyright (c) 2013 - 2018, Intel Corporation. All rights reserved.
This program and the accompanying materials are licensed and made available under the terms and conditions of the BSD = License which accompanies this distribution. The full text of the license may be = found at http://opensource.org/licenses/bsd-license.php =20 @@ -232,13 +232,18 @@ Tpm2NvReadPublic ( =20 // // Basic check // NvPublicSize =3D SwapBytes16 (RecvBuffer.NvPublic.size); + if (NvPublicSize > sizeof(TPMS_NV_PUBLIC)) { + return EFI_DEVICE_ERROR; + } + NvNameSize =3D SwapBytes16 (ReadUnaligned16 ((UINT16 *)((UINT8 *)&RecvBu= ffer + sizeof(TPM2_RESPONSE_HEADER) + sizeof(UINT16) + NvPublicSize))); =20 - if (RecvBufferSize !=3D sizeof(TPM2_RESPONSE_HEADER) + sizeof(UINT16) + = NvPublicSize + sizeof(UINT16) + NvNameSize) { + if (NvNameSize > sizeof(TPMU_NAME) || + (RecvBufferSize !=3D sizeof(TPM2_RESPONSE_HEADER) + sizeof(UINT16) += NvPublicSize + sizeof(UINT16) + NvNameSize)) { DEBUG ((EFI_D_ERROR, "Tpm2NvReadPublic - RecvBufferSize Error - NvPubl= icSize %x, NvNameSize %x\n", RecvBufferSize, NvNameSize)); return EFI_NOT_FOUND; } =20 // @@ -630,10 +635,15 @@ Tpm2NvRead ( =20 // // Return the response // OutData->size =3D SwapBytes16 (RecvBuffer.Data.size); + if (OutData->size > MAX_DIGEST_BUFFER) { + Status =3D EFI_DEVICE_ERROR; + goto Done; + } + CopyMem (OutData->buffer, &RecvBuffer.Data.buffer, OutData->size); =20 Done: // // Clear AuthSession Content diff --git a/SecurityPkg/Library/Tpm2CommandLib/Tpm2Object.c b/SecurityPkg/= Library/Tpm2CommandLib/Tpm2Object.c index e070ff2f74..e9f693b65d 100644 --- a/SecurityPkg/Library/Tpm2CommandLib/Tpm2Object.c +++ b/SecurityPkg/Library/Tpm2CommandLib/Tpm2Object.c @@ -1,9 +1,9 @@ /** @file Implement TPM2 Object related command. =20 -Copyright (c) 2017, Intel Corporation. All rights reserved.
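Review bot: An oversized `NvNameSize` in Tpm2NvReadPublic is folded into the existing length test and so returns EFI_NOT_FOUND, while the oversized `NvPublicSize` just above it returns EFI_DEVICE_ERROR. If callers read EFI_NOT_FOUND as "index not defined" (not visible here), a malformed response would be reported as a missing index rather than a device fault; a separate `if (NvNameSize > sizeof(TPMU_NAME)) { return EFI_DEVICE_ERROR; }` keeps the two cases apart. The DEBUG arguments do not line up with the format either: the first `%x` is labelled `NvPublicSize` but is passed `RecvBufferSize`. The function begins and ends outside the hunk.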
+Copyright (c) 2017 - 2018, Intel Corporation. All rights reserved.
This program and the accompanying materials are licensed and made available under the terms and conditions of the BSD = License which accompanies this distribution. The full text of the license may be = found at http://opensource.org/licenses/bsd-license.php =20 @@ -107,15 +107,26 @@ Tpm2ReadPublic ( =20 // // Basic check // OutPublicSize =3D SwapBytes16 (RecvBuffer.OutPublic.size); + if (OutPublicSize > sizeof(TPMT_PUBLIC)) { + return EFI_DEVICE_ERROR; + } + NameSize =3D SwapBytes16 (ReadUnaligned16 ((UINT16 *)((UINT8 *)&RecvBuff= er + sizeof(TPM2_RESPONSE_HEADER) + sizeof(UINT16) + OutPublicSize))); + if (NameSize > sizeof(TPMU_NAME)) { + return EFI_DEVICE_ERROR; + } + QualifiedNameSize =3D SwapBytes16 (ReadUnaligned16 ((UINT16 *)((UINT8 *)= &RecvBuffer + sizeof(TPM2_RESPONSE_HEADER) + sizeof(UINT16) + OutPublicSize + sizeof(UINT16) + NameSize))); + if (QualifiedNameSize > sizeof(TPMU_NAME)) { + return EFI_DEVICE_ERROR; + } =20 if (RecvBufferSize !=3D sizeof(TPM2_RESPONSE_HEADER) + sizeof(UINT16) + = OutPublicSize + sizeof(UINT16) + NameSize + sizeof(UINT16) + QualifiedNameS= ize) { DEBUG ((DEBUG_ERROR, "Tpm2ReadPublic - RecvBufferSize %x Error - OutPu= blicSize %x, NameSize %x, QualifiedNameSize %x\n", RecvBufferSize, OutPubli= cSize, NameSize, QualifiedNameSize)); return EFI_DEVICE_ERROR; } 
@@ -130,10 +141,13 @@ Tpm2ReadPublic ( OutPublic->publicArea.nameAlg =3D SwapBytes16 (OutPublic->publicArea.nam= eAlg); WriteUnaligned32 ((UINT32 *)&OutPublic->publicArea.objectAttributes, Swa= pBytes32 (ReadUnaligned32 ((UINT32 *)&OutPublic->publicArea.objectAttribute= s))); Buffer =3D (UINT8 *)&RecvBuffer.OutPublic.publicArea.authPolicy; OutPublic->publicArea.authPolicy.size =3D SwapBytes16 (ReadUnaligned16 (= (UINT16 *)Buffer)); Buffer +=3D sizeof(UINT16); + if (OutPublic->publicArea.authPolicy.size > sizeof(TPMU_HA)) { + return EFI_DEVICE_ERROR; + } CopyMem (OutPublic->publicArea.authPolicy.buffer, Buffer, OutPublic->pub= licArea.authPolicy.size); Buffer +=3D OutPublic->publicArea.authPolicy.size; =20 // TPMU_PUBLIC_PARMS switch (OutPublic->publicArea.type) { 
@@ -305,32 +319,47 @@ Tpm2ReadPublic ( // TPMU_PUBLIC_ID switch (OutPublic->publicArea.type) { case TPM_ALG_KEYEDHASH: OutPublic->publicArea.unique.keyedHash.size =3D SwapBytes16 (ReadUnali= gned16 ((UINT16 *)Buffer)); Buffer +=3D sizeof(UINT16); + if(OutPublic->publicArea.unique.keyedHash.size > sizeof(TPMU_HA)) { + return EFI_DEVICE_ERROR; + } CopyMem (OutPublic->publicArea.unique.keyedHash.buffer, Buffer, OutPub= lic->publicArea.unique.keyedHash.size); Buffer +=3D OutPublic->publicArea.unique.keyedHash.size; break; case TPM_ALG_SYMCIPHER: OutPublic->publicArea.unique.sym.size =3D SwapBytes16 (ReadUnaligned16= ((UINT16 *)Buffer)); Buffer +=3D sizeof(UINT16); + if(OutPublic->publicArea.unique.sym.size > sizeof(TPMU_HA)) { + return EFI_DEVICE_ERROR; + } CopyMem (OutPublic->publicArea.unique.sym.buffer, Buffer, OutPublic->p= ublicArea.unique.sym.size); Buffer +=3D OutPublic->publicArea.unique.sym.size; break; case TPM_ALG_RSA: OutPublic->publicArea.unique.rsa.size =3D SwapBytes16 (ReadUnaligned16= ((UINT16 *)Buffer)); Buffer +=3D sizeof(UINT16); + if(OutPublic->publicArea.unique.rsa.size > MAX_RSA_KEY_BYTES) { + return EFI_DEVICE_ERROR; + } CopyMem (OutPublic->publicArea.unique.rsa.buffer, Buffer, OutPublic->p= ublicArea.unique.rsa.size); Buffer +=3D OutPublic->publicArea.unique.rsa.size; break; case TPM_ALG_ECC: OutPublic->publicArea.unique.ecc.x.size =3D SwapBytes16 (ReadUnaligned= 16 ((UINT16 *)Buffer)); Buffer +=3D sizeof(UINT16); + if (OutPublic->publicArea.unique.ecc.x.size > MAX_ECC_KEY_BYTES) { + return EFI_DEVICE_ERROR; + } CopyMem (OutPublic->publicArea.unique.ecc.x.buffer, Buffer, OutPublic-= >publicArea.unique.ecc.x.size); Buffer +=3D OutPublic->publicArea.unique.ecc.x.size; OutPublic->publicArea.unique.ecc.y.size =3D SwapBytes16 (ReadUnaligned= 16 ((UINT16 *)Buffer)); Buffer +=3D sizeof(UINT16); + if (OutPublic->publicArea.unique.ecc.y.size > MAX_ECC_KEY_BYTES) { + return EFI_DEVICE_ERROR; + } CopyMem (OutPublic->publicArea.unique.ecc.y.buffer, Buffer, 
OutPublic-= >publicArea.unique.ecc.y.size); Buffer +=3D OutPublic->publicArea.unique.ecc.y.size; break; default: return EFI_UNSUPPORTED; diff --git a/SecurityPkg/Library/Tpm2CommandLib/Tpm2Sequences.c b/SecurityP= kg/Library/Tpm2CommandLib/Tpm2Sequences.c index 305b6f2078..68a445bafc 100644 --- a/SecurityPkg/Library/Tpm2CommandLib/Tpm2Sequences.c +++ b/SecurityPkg/Library/Tpm2CommandLib/Tpm2Sequences.c @@ -1,9 +1,9 @@ /** @file Implement TPM2 Sequences related command. =20 -Copyright (c) 2013, Intel Corporation. All rights reserved.
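Review bot: Each `unique` field in this Tpm2ReadPublic switch is now bounded against its destination, but the running `Buffer` cursor is never compared with the end of the public area, so the summed field sizes can exceed `OutPublicSize` and the parse would run into the bytes that follow it. If no such test follows the switch (the function continues outside the hunk), a check like `if ((UINTN)(Buffer - (UINT8 *)&RecvBuffer.OutPublic.publicArea) > OutPublicSize) { return EFI_DEVICE_ERROR; }` after it would reconcile the two. Three of the new tests are also written `if(` without the space used by the other checks in this patch.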
+Copyright (c) 2013 - 2018, Intel Corporation. All rights reserved.
This program and the accompanying materials are licensed and made available under the terms and conditions of the BSD = License which accompanies this distribution. The full text of the license may be = found at http://opensource.org/licenses/bsd-license.php =20 @@ -373,10 +373,14 @@ Tpm2EventSequenceComplete ( =20 BufferPtr =3D (UINT8 *)&Res.Results; =20 // count Results->count =3D SwapBytes32(ReadUnaligned32 ((UINT32 *)BufferPtr)); + if (Results->count > HASH_COUNT) { + return EFI_DEVICE_ERROR; + } + BufferPtr +=3D sizeof(UINT32); =20 for (Index =3D 0; Index < Results->count; Index++) { Results->digests[Index].hashAlg =3D SwapBytes16(ReadUnaligned16 ((UINT= 16 *)BufferPtr)); BufferPtr +=3D sizeof(UINT16); @@ -494,10 +498,14 @@ Tpm2SequenceComplete ( =20 BufferPtr =3D (UINT8 *)&Res.Digest; =20 // digestSize Result->size =3D SwapBytes16(ReadUnaligned16 ((UINT16 *)BufferPtr)); + if (Result->size > sizeof(TPMU_HA)){ + return EFI_DEVICE_ERROR; + } + BufferPtr +=3D sizeof(UINT16); =20 CopyMem( Result->buffer, BufferPtr, diff --git a/SecurityPkg/Library/Tpm2CommandLib/Tpm2Session.c b/SecurityPkg= /Library/Tpm2CommandLib/Tpm2Session.c index f03b6689ac..0c9b310e54 100644 --- a/SecurityPkg/Library/Tpm2CommandLib/Tpm2Session.c +++ b/SecurityPkg/Library/Tpm2CommandLib/Tpm2Session.c @@ -1,9 +1,9 @@ /** @file Implement TPM2 Session related command. =20 -Copyright (c) 2014, Intel Corporation. All rights reserved.
+Copyright (c) 2014 - 2018, Intel Corporation. All rights reserved.
This program and the accompanying materials are licensed and made available under the terms and conditions of the BSD = License which accompanies this distribution. The full text of the license may be = found at http://opensource.org/licenses/bsd-license.php =20 @@ -161,9 +161,13 @@ Tpm2StartAuthSession ( // // Return the response // *SessionHandle =3D SwapBytes32 (RecvBuffer.SessionHandle); NonceTPM->size =3D SwapBytes16 (RecvBuffer.NonceTPM.size); + if (NonceTPM->size > sizeof(TPMU_HA)) { + return EFI_DEVICE_ERROR; + } + CopyMem (NonceTPM->buffer, &RecvBuffer.NonceTPM.buffer, NonceTPM->size); =20 return EFI_SUCCESS; } --=20 2.16.2.windows.1 _______________________________________________ edk2-devel mailing list edk2-devel@lists.01.org https://lists.01.org/mailman/listinfo/edk2-devel
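Review bot: `*SessionHandle` is written before `NonceTPM->size` is validated in Tpm2StartAuthSession, so the new error return hands back a handle together with EFI_DEVICE_ERROR. A caller that discards the handle on failure would leave the session allocated on the TPM; whether any caller flushes it is not visible here. Testing `SwapBytes16 (RecvBuffer.NonceTPM.size) > sizeof(TPMU_HA)` first and assigning both outputs only after it passes keeps the outputs consistent with the status. The function begins outside the hunk.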