From: "Zeng, Star" <star.zeng@intel.com>
To: "Dong, Eric" <eric.dong@intel.com>,
"edk2-devel@lists.01.org" <edk2-devel@lists.01.org>
Subject: Re: [Patch] SecurityPkg OpalPasswordDxe: Fix buffer overflow issue.
Date: Wed, 3 Aug 2016 00:43:28 +0000 [thread overview]
Message-ID: <0C09AFA07DD0434D9E2A0C6AEB048310036A019E@shsmsx102.ccr.corp.intel.com> (raw)
In-Reply-To: <1470137550-65284-1-git-send-email-eric.dong@intel.com>
Reviewed-by: Star Zeng <star.zeng@intel.com>
-----Original Message-----
From: Dong, Eric
Sent: Tuesday, August 2, 2016 7:33 PM
To: edk2-devel@lists.01.org
Cc: Zeng, Star <star.zeng@intel.com>
Subject: [Patch] SecurityPkg OpalPasswordDxe: Fix buffer overflow issue.
In current code, PSID is processed as string and the length is 0x20.
Current code only reserved 0x20 length buffer for it, no extra buffer for the '\0'. When driver call UnicodeStrToAsciiStrS to convert PSID, it search the '\0' for the end. So extra dirty data saved in PSID info which caused PSID revert action failed. This patch reserved extra 1 byte data for the '\0'.
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Eric Dong <eric.dong@intel.com>
Cc: Star Zeng <star.zeng@intel.com>
---
SecurityPkg/Tcg/Opal/OpalPasswordDxe/OpalHii.c | 5 ++++-
SecurityPkg/Tcg/Opal/OpalPasswordDxe/OpalHiiFormValues.h | 3 ++-
2 files changed, 6 insertions(+), 2 deletions(-)
diff --git a/SecurityPkg/Tcg/Opal/OpalPasswordDxe/OpalHii.c b/SecurityPkg/Tcg/Opal/OpalPasswordDxe/OpalHii.c
index 9a44c56..ee73697 100644
--- a/SecurityPkg/Tcg/Opal/OpalPasswordDxe/OpalHii.c
+++ b/SecurityPkg/Tcg/Opal/OpalPasswordDxe/OpalHii.c
@@ -595,12 +595,15 @@ HiiPsidRevert(
OPAL_DISK *OpalDisk;
TCG_RESULT Ret;
OPAL_SESSION Session;
+ UINT8 TmpBuf[PSID_CHARACTER_STRING_END_LENGTH];
Ret = TcgResultFailure;
OpalHiiGetBrowserData();
- UnicodeStrToAsciiStrS (gHiiConfiguration.Psid, (CHAR8*)Psid.Psid, PSID_CHARACTER_LENGTH);
+ ZeroMem (TmpBuf, sizeof (TmpBuf));
+ UnicodeStrToAsciiStrS (gHiiConfiguration.Psid, (CHAR8*)TmpBuf,
+ PSID_CHARACTER_STRING_END_LENGTH);
+ CopyMem (Psid.Psid, TmpBuf, PSID_CHARACTER_LENGTH);
OpalDisk = HiiGetOpalDiskCB (gHiiConfiguration.SelectedDiskIndex);
if (OpalDisk != NULL) {
diff --git a/SecurityPkg/Tcg/Opal/OpalPasswordDxe/OpalHiiFormValues.h b/SecurityPkg/Tcg/Opal/OpalPasswordDxe/OpalHiiFormValues.h
index 138bcb8..88cf9f5 100644
--- a/SecurityPkg/Tcg/Opal/OpalPasswordDxe/OpalHiiFormValues.h
+++ b/SecurityPkg/Tcg/Opal/OpalPasswordDxe/OpalHiiFormValues.h
@@ -21,6 +21,7 @@ WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
// PSID Length
#define PSID_CHARACTER_LENGTH 0x20
+#define PSID_CHARACTER_STRING_END_LENGTH 0x21
// ID's for various forms that will be used by HII
#define FORMID_VALUE_MAIN_MENU 0x01
@@ -38,7 +39,7 @@ typedef struct {
UINT8 KeepUserData;
UINT16 AvailableFields;
UINT16 Password[MAX_PASSWORD_CHARACTER_LENGTH];
- UINT16 Psid[PSID_CHARACTER_LENGTH];
+ UINT16 Psid[PSID_CHARACTER_STRING_END_LENGTH];
UINT8 EnableBlockSid;
} OPAL_HII_CONFIGURATION;
#pragma pack()
--
2.6.4.windows.1
prev parent reply other threads:[~2016-08-03 0:43 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-08-02 11:32 [Patch] SecurityPkg OpalPasswordDxe: Fix buffer overflow issue Eric Dong
2016-08-03 0:43 ` Zeng, Star [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-list from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=0C09AFA07DD0434D9E2A0C6AEB048310036A019E@shsmsx102.ccr.corp.intel.com \
--to=devel@edk2.groups.io \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox