From: "Zeng, Star"
To: "Dong, Eric", "edk2-devel@lists.01.org"
Date: Wed, 3 Aug 2016 00:43:28 +0000
Message-ID: <0C09AFA07DD0434D9E2A0C6AEB048310036A019E@shsmsx102.ccr.corp.intel.com>
In-Reply-To: <1470137550-65284-1-git-send-email-eric.dong@intel.com>
List-Id: EDK II Development
Subject: Re: [Patch] SecurityPkg OpalPasswordDxe: Fix buffer overflow issue.

Reviewed-by: Star Zeng

-----Original Message-----
From: Dong, Eric
Sent: Tuesday, August 2, 2016 7:33 PM
To: edk2-devel@lists.01.org
Cc: Zeng, Star
Subject: [Patch] SecurityPkg OpalPasswordDxe: Fix buffer overflow issue.

In the current code, PSID is processed as a string and the length is 0x20. The current code only reserves a 0x20-length buffer for it, with no extra buffer for the '\0'. When the driver calls UnicodeStrToAsciiStrS to convert the PSID, it searches for the '\0' as the end. So extra dirty data is saved in the PSID info, which caused the PSID revert action to fail. This patch reserves an extra 1 byte for the '\0'.

Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Eric Dong
Cc: Star Zeng
---
 SecurityPkg/Tcg/Opal/OpalPasswordDxe/OpalHii.c           | 5 ++++-
 SecurityPkg/Tcg/Opal/OpalPasswordDxe/OpalHiiFormValues.h | 3 ++-
 2 files changed, 6 insertions(+), 2 deletions(-)
diff --git a/SecurityPkg/Tcg/Opal/OpalPasswordDxe/OpalHii.c b/SecurityPkg/T= cg/Opal/OpalPasswordDxe/OpalHii.c index 9a44c56..ee73697 100644 --- a/SecurityPkg/Tcg/Opal/OpalPasswordDxe/OpalHii.c +++ b/SecurityPkg/Tcg/Opal/OpalPasswordDxe/OpalHii.c @@ -595,12 +595,15 @@ HiiPsidRevert( OPAL_DISK *OpalDisk; TCG_RESULT Ret; OPAL_SESSION Session; + UINT8 TmpBuf[PSID_CHARACTER_STRING_END_LENGTH]; =20 Ret =3D TcgResultFailure; =20 OpalHiiGetBrowserData(); =20 - UnicodeStrToAsciiStrS (gHiiConfiguration.Psid, (CHAR8*)Psid.Psid, PSID_C= HARACTER_LENGTH); + ZeroMem (TmpBuf, sizeof (TmpBuf)); + UnicodeStrToAsciiStrS (gHiiConfiguration.Psid, (CHAR8*)TmpBuf,=20 + PSID_CHARACTER_STRING_END_LENGTH); + CopyMem (Psid.Psid, TmpBuf, PSID_CHARACTER_LENGTH); =20 OpalDisk =3D HiiGetOpalDiskCB (gHiiConfiguration.SelectedDiskIndex); if (OpalDisk !=3D NULL) { diff --git a/SecurityPkg/Tcg/Opal/OpalPasswordDxe/OpalHiiFormValues.h b/Sec= urityPkg/Tcg/Opal/OpalPasswordDxe/OpalHiiFormValues.h index 138bcb8..88cf9f5 100644 --- a/SecurityPkg/Tcg/Opal/OpalPasswordDxe/OpalHiiFormValues.h +++ b/SecurityPkg/Tcg/Opal/OpalPasswordDxe/OpalHiiFormValues.h @@ -21,6 +21,7 @@ WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER= EXPRESS OR IMPLIED. =20 // PSID Length #define PSID_CHARACTER_LENGTH 0x20 +#define PSID_CHARACTER_STRING_END_LENGTH 0x21 =20 // ID's for various forms that will be used by HII #define FORMID_VALUE_MAIN_MENU 0x01 @@ -38,7 +39,7 @@ typedef struct { UINT8 KeepUserData; UINT16 AvailableFields; UINT16 Password[MAX_PASSWORD_CHARACTER_LENGTH]; - UINT16 Psid[PSID_CHARACTER_LENGTH]; + UINT16 Psid[PSID_CHARACTER_STRING_END_LENGTH]; UINT8 EnableBlockSid; } OPAL_HII_CONFIGURATION; #pragma pack() -- 2.6.4.windows.1
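Review bot: in the HiiPsidRevert hunk the return status of UnicodeStrToAsciiStrS is still discarded. The safe-string variant returns RETURN_BUFFER_TOO_SMALL and writes nothing when the source does not fit in DestMax, so after the ZeroMem a rejected conversion would silently hand an all-zero PSID to the revert path instead of failing. Suggest capturing the status and skipping the CopyMem and the revert when it is an error, e.g. `Status = UnicodeStrToAsciiStrS (gHiiConfiguration.Psid, (CHAR8*)TmpBuf, PSID_CHARACTER_STRING_END_LENGTH);` followed by `if (RETURN_ERROR (Status)) { goto Done; }` so that Ret stays at TcgResultFailure, which the visible context already initialises.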
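Review bot: in the OpalHiiFormValues.h hunk at line 21, PSID_CHARACTER_STRING_END_LENGTH is introduced as a second independent literal (0x21) that must stay in lock-step with PSID_CHARACTER_LENGTH (0x20). Defining it as `#define PSID_CHARACTER_STRING_END_LENGTH (PSID_CHARACTER_LENGTH + 1)` with a comment that the extra element holds the NUL terminator removes the drift risk and documents why the two values differ.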
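Review bot: in the OPAL_HII_CONFIGURATION hunk, growing Psid inside the packed struct changes the size and the offset of the following EnableBlockSid field in the HII browser data; since OpalHiiFormValues.h is shared with the form definitions, please confirm the varstore and the Psid string question are rebuilt against the new layout (the patch touches only the .c and .h). The adjacent `UINT16 Password[MAX_PASSWORD_CHARACTER_LENGTH];` is sized without a terminator slot, so it is worth stating in the commit message whether the password conversion has the same off-by-one or why it does not need the same treatment.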
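To make the off-by-one described in the commit message concrete, here is an added example that is not EDK II code and not part of this thread: it models the UnicodeStrToAsciiStrS() constraint as a simplification and replays the before/after conversion of a constructed 32-character PSID. The model function, the status codes and the sample PSID are assumptions; only the two length constants come from the patch.

```c
/* Added illustration, not EDK II code: a model of the UnicodeStrToAsciiStrS()
 * contract that matters here (destination must hold the source plus '\0',
 * otherwise nothing is written).  Constants mirror the patch. */
#include <stdint.h>
#include <string.h>
#define PSID_CHARACTER_LENGTH             0x20
#define PSID_CHARACTER_STRING_END_LENGTH  0x21
enum { STATUS_SUCCESS = 0, STATUS_BUFFER_TOO_SMALL = 1 };

/* Model of the BaseLib safe-string check: DestMax must exceed the source length
 * (counted over at most DestMax chars); on failure nothing is written. */
static int model_unicode_to_ascii(const uint16_t *src, char *dst, size_t dest_max)
{
    size_t len = 0;
    while (len < dest_max && src[len] != 0)
        len++;
    if (dest_max <= len)
        return STATUS_BUFFER_TOO_SMALL;
    for (size_t i = 0; i < len; i++)
        dst[i] = (char)src[i];
    dst[len] = '\0';
    return STATUS_SUCCESS;
}

/* Before the patch: DestMax == 0x20, so a full 32-character PSID has no room
 * for its terminator and the conversion is refused, leaving stale bytes. */
int psid_convert_before(const uint16_t *hii_psid, uint8_t *psid_out)
{
    return model_unicode_to_ascii(hii_psid, (char *)psid_out, PSID_CHARACTER_LENGTH);
}

/* After the patch: convert into a 33-byte scratch buffer, then copy exactly the
 * 32 PSID bytes (terminator dropped); unlike the hunk, the status is checked. */
int psid_convert_after(const uint16_t *hii_psid, uint8_t *psid_out)
{
    char tmp[PSID_CHARACTER_STRING_END_LENGTH];
    memset(tmp, 0, sizeof tmp);
    int status = model_unicode_to_ascii(hii_psid, tmp, PSID_CHARACTER_STRING_END_LENGTH);
    if (status != STATUS_SUCCESS)
        return status;
    memcpy(psid_out, tmp, PSID_CHARACTER_LENGTH);
    return STATUS_SUCCESS;
}
/* Constructed 32-character PSID as the HII browser would supply it (UTF-16 plus
 * terminator); not a real drive's PSID. */
static const uint16_t kSamplePsid[PSID_CHARACTER_STRING_END_LENGTH] = {
    'A','B','C','D','E','F','G','H','I','J','K','L','M','N','O','P',
    'Q','R','S','T','U','V','W','X','Y','Z','0','1','2','3','4','5', 0
};
const uint16_t *sample_psid(void) { return kSamplePsid; }
```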