From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <star.zeng@intel.com>
Received: from mga03.intel.com (mga03.intel.com [134.134.136.65])
 by ml01.01.org (Postfix) with ESMTP id 2C36E1A1E18
 for <edk2-devel@lists.01.org>; Tue,  2 Aug 2016 17:43:34 -0700 (PDT)
Received: from orsmga003.jf.intel.com ([10.7.209.27])
 by orsmga103.jf.intel.com with ESMTP; 02 Aug 2016 17:43:33 -0700
X-ExtLoop1: 1
X-IronPort-AV: E=Sophos;i="5.28,463,1464678000"; d="scan'208";a="858614925"
Received: from fmsmsx104.amr.corp.intel.com ([10.18.124.202])
 by orsmga003.jf.intel.com with ESMTP; 02 Aug 2016 17:43:31 -0700
Received: from fmsmsx122.amr.corp.intel.com (10.18.125.37) by
 fmsmsx104.amr.corp.intel.com (10.18.124.202) with Microsoft SMTP Server (TLS)
 id 14.3.248.2; Tue, 2 Aug 2016 17:43:30 -0700
Received: from shsmsx151.ccr.corp.intel.com (10.239.6.50) by
 fmsmsx122.amr.corp.intel.com (10.18.125.37) with Microsoft SMTP Server (TLS)
 id 14.3.248.2; Tue, 2 Aug 2016 17:43:31 -0700
Received: from shsmsx102.ccr.corp.intel.com ([169.254.2.147]) by
 SHSMSX151.ccr.corp.intel.com ([169.254.3.150]) with mapi id 14.03.0248.002;
 Wed, 3 Aug 2016 08:43:28 +0800
From: "Zeng, Star" <star.zeng@intel.com>
To: "Dong, Eric" <eric.dong@intel.com>, "edk2-devel@lists.01.org"
 <edk2-devel@lists.01.org>
Thread-Topic: [Patch] SecurityPkg OpalPasswordDxe: Fix buffer overflow issue.
Thread-Index: AQHR7LGcnfVNRZ+trkOWfKUF8JBxgKA2ZqGA
Date: Wed, 3 Aug 2016 00:43:28 +0000
Message-ID: <0C09AFA07DD0434D9E2A0C6AEB048310036A019E@shsmsx102.ccr.corp.intel.com>
References: <1470137550-65284-1-git-send-email-eric.dong@intel.com>
In-Reply-To: <1470137550-65284-1-git-send-email-eric.dong@intel.com>
Accept-Language: zh-CN, en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-originating-ip: [10.239.127.40]
MIME-Version: 1.0
Subject: Re: [Patch] SecurityPkg OpalPasswordDxe: Fix buffer overflow issue.
X-BeenThere: edk2-devel@lists.01.org
X-Mailman-Version: 2.1.21
Precedence: list
List-Id: EDK II Development  <edk2-devel.lists.01.org>
List-Unsubscribe: <https://lists.01.org/mailman/options/edk2-devel>,
 <mailto:edk2-devel-request@lists.01.org?subject=unsubscribe>
List-Archive: <http://lists.01.org/pipermail/edk2-devel/>
List-Post: <mailto:edk2-devel@lists.01.org>
List-Help: <mailto:edk2-devel-request@lists.01.org?subject=help>
List-Subscribe: <https://lists.01.org/mailman/listinfo/edk2-devel>,
 <mailto:edk2-devel-request@lists.01.org?subject=subscribe>
X-List-Received-Date: Wed, 03 Aug 2016 00:43:34 -0000
Content-Language: en-US
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

Reviewed-by: Star Zeng <star.zeng@intel.com>

-----Original Message-----
From: Dong, Eric=20
Sent: Tuesday, August 2, 2016 7:33 PM
To: edk2-devel@lists.01.org
Cc: Zeng, Star <star.zeng@intel.com>
Subject: [Patch] SecurityPkg OpalPasswordDxe: Fix buffer overflow issue.

In current code, PSID is processed as string and the length is 0x20.
Current code only reserved 0x20 length buffer for it, no extra buffer for t=
he '\0'. When driver call UnicodeStrToAsciiStrS to convert PSID, it search =
the '\0' for the end. So extra dirty data saved in PSID info which caused P=
SID revert action failed. This patch reserved extra 1 byte data for the '\0=
'.

Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Eric Dong <eric.dong@intel.com>
Cc: Star Zeng <star.zeng@intel.com>
---
 SecurityPkg/Tcg/Opal/OpalPasswordDxe/OpalHii.c           | 5 ++++-
 SecurityPkg/Tcg/Opal/OpalPasswordDxe/OpalHiiFormValues.h | 3 ++-
 2 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/SecurityPkg/Tcg/Opal/OpalPasswordDxe/OpalHii.c b/SecurityPkg/T=
cg/Opal/OpalPasswordDxe/OpalHii.c
index 9a44c56..ee73697 100644
--- a/SecurityPkg/Tcg/Opal/OpalPasswordDxe/OpalHii.c
+++ b/SecurityPkg/Tcg/Opal/OpalPasswordDxe/OpalHii.c
@@ -595,12 +595,15 @@ HiiPsidRevert(
   OPAL_DISK                     *OpalDisk;
   TCG_RESULT                    Ret;
   OPAL_SESSION                  Session;
+  UINT8                         TmpBuf[PSID_CHARACTER_STRING_END_LENGTH];
=20
   Ret =3D TcgResultFailure;
=20
   OpalHiiGetBrowserData();
=20
-  UnicodeStrToAsciiStrS (gHiiConfiguration.Psid, (CHAR8*)Psid.Psid, PSID_C=
HARACTER_LENGTH);
+  ZeroMem (TmpBuf, sizeof (TmpBuf));
+  UnicodeStrToAsciiStrS (gHiiConfiguration.Psid, (CHAR8*)TmpBuf,=20
+ PSID_CHARACTER_STRING_END_LENGTH);
+  CopyMem (Psid.Psid, TmpBuf, PSID_CHARACTER_LENGTH);
=20
   OpalDisk =3D HiiGetOpalDiskCB (gHiiConfiguration.SelectedDiskIndex);
   if (OpalDisk !=3D NULL) {
diff --git a/SecurityPkg/Tcg/Opal/OpalPasswordDxe/OpalHiiFormValues.h b/Sec=
urityPkg/Tcg/Opal/OpalPasswordDxe/OpalHiiFormValues.h
index 138bcb8..88cf9f5 100644
--- a/SecurityPkg/Tcg/Opal/OpalPasswordDxe/OpalHiiFormValues.h
+++ b/SecurityPkg/Tcg/Opal/OpalPasswordDxe/OpalHiiFormValues.h
@@ -21,6 +21,7 @@ WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER=
 EXPRESS OR IMPLIED.
=20
 // PSID Length
 #define PSID_CHARACTER_LENGTH                              0x20
+#define PSID_CHARACTER_STRING_END_LENGTH                   0x21
=20
 // ID's for various forms that will be used by HII
 #define FORMID_VALUE_MAIN_MENU                             0x01
@@ -38,7 +39,7 @@ typedef struct {
     UINT8   KeepUserData;
     UINT16  AvailableFields;
     UINT16  Password[MAX_PASSWORD_CHARACTER_LENGTH];
-    UINT16  Psid[PSID_CHARACTER_LENGTH];
+    UINT16  Psid[PSID_CHARACTER_STRING_END_LENGTH];
     UINT8   EnableBlockSid;
 } OPAL_HII_CONFIGURATION;
 #pragma pack()
--
2.6.4.windows.1