From: "Yao, Jiewen"
To: "Zhang, Chao B", "Long, Qin", "edk2-devel@lists.01.org"
Subject: Re: [Patch] SecurityPkg Tpm2CommandLib: Fix TPM2.0 response memory overflow
Date: Wed, 21 Mar 2018 06:39:10 +0000
Message-ID: <74D8A39837DF1E4DA445A8C0B3885C503AB09A1B@shsmsx102.ccr.corp.intel.com>
References: <20180320083533.26316-1-chao.b.zhang@intel.com>

Some thoughts:

1) Would you please add a debug message on every error check you added? Just like the original code does.

2) For below, can we separate the check, and add an error message for each failure?
Tpm2Integrity.c:

  if (PcrSelectionOut->count > HASH_COUNT || RecvBufferSize < sizeof (TPM2_RESPONSE_HEADER) + sizeof(RecvBuffer.PcrUpdateCounter) + sizeof(RecvBuffer.PcrSelectionOut.count) + sizeof(RecvBuffer.PcrSelectionOut.pcrSelections[0]) * PcrSelectionOut->count) {
    DEBUG ((EFI_D_ERROR, "Tpm2PcrRead - Digests->count -%x or RecvBufferSize Error - %x\n", PcrSelectionOut->count, RecvBufferSize));
    return EFI_DEVICE_ERROR;
  }

3) For below, can we separate the check, and add an error message for each failure?

Tpm2NvStorage.c:

  if (NvNameSize > sizeof(TPMU_NAME) ||
      (RecvBufferSize != sizeof(TPM2_RESPONSE_HEADER) + sizeof(UINT16) + NvPublicSize + sizeof(UINT16) + NvNameSize)) {
    DEBUG ((EFI_D_ERROR, "Tpm2NvReadPublic - RecvBufferSize Error - NvPublicSize %x, NvNameSize %x\n", RecvBufferSize, NvNameSize));
    return EFI_NOT_FOUND;
  }

4) Do you think we need to add a check for nonce.size below as well?

Tpm2Help.c:

  // nonce
  AuthSessionOut->nonce.size = SwapBytes16 (ReadUnaligned16 ((UINT16 *)Buffer));
  Buffer += sizeof(UINT16);
  CopyMem (AuthSessionOut->nonce.buffer, Buffer, AuthSessionOut->nonce.size);
  Buffer += AuthSessionOut->nonce.size;

Thank you
Yao Jiewen

> -----Original Message-----
> From: Zhang, Chao B
> Sent: Wednesday, March 21, 2018 11:03 AM
> To: Long, Qin ; edk2-devel@lists.01.org
> Cc: Yao, Jiewen
> Subject: RE: [Patch] SecurityPkg Tpm2CommandLib: Fix TPM2.0 response memory overflow
>
> Thanks Qin, I will add more comments to explain the magic code
>
> -----Original Message-----
> From: Long, Qin
> Sent: Wednesday, March 21, 2018 10:58 AM
> To: Zhang, Chao B ; edk2-devel@lists.01.org
> Cc: Yao, Jiewen
> Subject: RE: [Patch] SecurityPkg Tpm2CommandLib: Fix TPM2.0 response memory overflow
>
> Hi, Chao,
>
> One minor suggestion to add the comment to explain the following value "8": the number of digests in list is not greater than 8 per TPML_DIGEST definition.
> + if (PcrValues->count > 8) {
> + return EFI_DEVICE_ERROR;
> + }
>
> Other looks good to me.
>
> Reviewed-by: Long Qin
>
>
> Best Regards & Thanks,
> LONG, Qin
>
> -----Original Message-----
> From: Zhang, Chao B
> Sent: Tuesday, March 20, 2018 4:36 PM
> To: edk2-devel@lists.01.org
> Cc: Long, Qin ; Yao, Jiewen ;
> Zhang, Chao B
> Subject: [Patch] SecurityPkg Tpm2CommandLib: Fix TPM2.0 response memory overflow
>
> TPM2.0 command lib always assumes TPM device and transmission channel can respond correctly. But it is not true when communication channel is exploited and wrong data is spoofed. Add more logic to prohibit memory overflow attack.
>
> Cc: Long Qin
> Cc: Yao Jiewen
> Contributed-under: TianoCore Contribution Agreement 1.1
> Signed-off-by: Chao Zhang
> Signed-off-by: Zhang, Chao B
> ---
>  .../Library/Tpm2CommandLib/Tpm2Capability.c        | 21 ++++++++++++++-
>  .../Tpm2CommandLib/Tpm2EnhancedAuthorization.c     | 16 ++++++++++-
>  SecurityPkg/Library/Tpm2CommandLib/Tpm2Integrity.c | 19 ++++++++++---
>  SecurityPkg/Library/Tpm2CommandLib/Tpm2NVStorage.c | 14 ++++++++--
>  SecurityPkg/Library/Tpm2CommandLib/Tpm2Object.c    | 31 +++++++++++++++++++++-
>  SecurityPkg/Library/Tpm2CommandLib/Tpm2Sequences.c | 10 ++++++-
>  SecurityPkg/Library/Tpm2CommandLib/Tpm2Session.c   |  6 ++++-
>  7 files changed, 107 insertions(+), 10 deletions(-)
>
> diff --git a/SecurityPkg/Library/Tpm2CommandLib/Tpm2Capability.c
> b/SecurityPkg/Library/Tpm2CommandLib/Tpm2Capability.c
> index 79e80fb7a9..42afe107a6 100644
> --- a/SecurityPkg/Library/Tpm2CommandLib/Tpm2Capability.c > +++ b/SecurityPkg/Library/Tpm2CommandLib/Tpm2Capability.c > @@ -1,9 +1,9 @@ > /** @file > Implement TPM2 Capability related command. >=20 > -Copyright (c) 2013 - 2016, Intel Corporation. All rights reserved.
> +Copyright (c) 2013 - 2018, Intel Corporation. All rights reserved.
> This program and the accompanying materials are licensed and made > available under the terms and conditions of the BSD License which > accompanies this distribution. The full text of the license may be found= at > http://opensource.org/licenses/bsd-license.php >=20 > @@ -110,10 +110,18 @@ Tpm2GetCapability ( >=20 > if (RecvBufferSize <=3D sizeof (TPM2_RESPONSE_HEADER) + sizeof (UINT8)= ) { > return EFI_DEVICE_ERROR; > } >=20 > + // > + // Fail if command failed > + // > + if (SwapBytes32(RecvBuffer.Header.responseCode) !=3D TPM_RC_SUCCESS) { > + DEBUG ((EFI_D_ERROR, "Tpm2GetCapability: Response Code error! > 0x%08x\r\n", SwapBytes32(RecvBuffer.Header.responseCode))); > + return EFI_DEVICE_ERROR; > + } > + > // > // Return the response > // > *MoreData =3D RecvBuffer.MoreData; > // > @@ -327,10 +335,14 @@ Tpm2GetCapabilitySupportedAlg ( > } >=20 > CopyMem (AlgList, &TpmCap.data.algorithms, sizeof > (TPML_ALG_PROPERTY)); >=20 > AlgList->count =3D SwapBytes32 (AlgList->count); > + if (AlgList->count > MAX_CAP_ALGS) { > + return EFI_DEVICE_ERROR; > + } > + > for (Index =3D 0; Index < AlgList->count; Index++) { > AlgList->algProperties[Index].alg =3D SwapBytes16 > (AlgList->algProperties[Index].alg); > WriteUnaligned32 ((UINT32 *)&AlgList->algProperties[Index].algProper= ties, > SwapBytes32 (ReadUnaligned32 ((UINT32 > *)&AlgList->algProperties[Index].algProperties))); > } >=20 
> @@ -474,13 +486,20 @@ Tpm2GetCapabilityPcrs ( > if (EFI_ERROR (Status)) { > return Status; > } >=20 > Pcrs->count =3D SwapBytes32 (TpmCap.data.assignedPCR.count); > + if (Pcrs->count > HASH_COUNT) { > + return EFI_DEVICE_ERROR; > + } > + > for (Index =3D 0; Index < Pcrs->count; Index++) { > Pcrs->pcrSelections[Index].hash =3D SwapBytes16 > (TpmCap.data.assignedPCR.pcrSelections[Index].hash); > Pcrs->pcrSelections[Index].sizeofSelect =3D > TpmCap.data.assignedPCR.pcrSelections[Index].sizeofSelect; > + if (Pcrs->pcrSelections[Index].sizeofSelect > PCR_SELECT_MAX) { > + return EFI_DEVICE_ERROR; > + } > CopyMem (Pcrs->pcrSelections[Index].pcrSelect, > TpmCap.data.assignedPCR.pcrSelections[Index].pcrSelect, > Pcrs->pcrSelections[Index].sizeofSelect); > } >=20 > return EFI_SUCCESS; > } > diff --git > a/SecurityPkg/Library/Tpm2CommandLib/Tpm2EnhancedAuthorization.c > b/SecurityPkg/Library/Tpm2CommandLib/Tpm2EnhancedAuthorization.c > index 6f6b3693f8..3e42875b83 100644 > --- a/SecurityPkg/Library/Tpm2CommandLib/Tpm2EnhancedAuthorization.c > +++ b/SecurityPkg/Library/Tpm2CommandLib/Tpm2EnhancedAuthorization.c > @@ -1,9 +1,9 @@ > /** @file > Implement TPM2 EnhancedAuthorization related command. >=20 > -Copyright (c) 2014 - 2016, Intel Corporation. All rights reserved.
> +Copyright (c) 2014 - 2018, Intel Corporation. All rights reserved.
> This program and the accompanying materials are licensed and made > available under the terms and conditions of the BSD License which > accompanies this distribution. The full text of the license may be found= at > http://opensource.org/licenses/bsd-license.php >=20 > @@ -178,19 +178,29 @@ Tpm2PolicySecret ( > // > // Return the response > // > Buffer =3D (UINT8 *)&RecvBuffer.Timeout; > Timeout->size =3D SwapBytes16(ReadUnaligned16 ((UINT16 *)Buffer)); > + if (Timeout->size > sizeof(UINT64)) { > + Status =3D EFI_DEVICE_ERROR; > + goto Done; > + } > + > Buffer +=3D sizeof(UINT16); > CopyMem (Timeout->buffer, Buffer, Timeout->size); >=20 > PolicyTicket->tag =3D SwapBytes16(ReadUnaligned16 ((UINT16 *)Buffer)); > Buffer +=3D sizeof(UINT16); > PolicyTicket->hierarchy =3D SwapBytes32(ReadUnaligned32 ((UINT32 > *)Buffer)); > Buffer +=3D sizeof(UINT32); > PolicyTicket->digest.size =3D SwapBytes16(ReadUnaligned16 ((UINT16 > *)Buffer)); > Buffer +=3D sizeof(UINT16); > + if (PolicyTicket->digest.size > sizeof(TPMU_HA)) { > + Status =3D EFI_DEVICE_ERROR; > + goto Done; > + } > + > CopyMem (PolicyTicket->digest.buffer, Buffer, PolicyTicket->digest.siz= e); >=20 > Done: > // > // Clear AuthSession Content > @@ -377,9 +387,13 @@ Tpm2PolicyGetDigest ( >=20 > // > // Return the response > // > PolicyHash->size =3D SwapBytes16 (RecvBuffer.PolicyHash.size); > + if (PolicyHash->size > sizeof(TPMU_HA)) { > + return EFI_DEVICE_ERROR; > + } > + > CopyMem (PolicyHash->buffer, &RecvBuffer.PolicyHash.buffer, > PolicyHash->size); >=20 > return EFI_SUCCESS; > } > diff --git a/SecurityPkg/Library/Tpm2CommandLib/Tpm2Integrity.c > b/SecurityPkg/Library/Tpm2CommandLib/Tpm2Integrity.c > index 8eacfe6c13..9c0b70dd93 100644 > --- a/SecurityPkg/Library/Tpm2CommandLib/Tpm2Integrity.c > +++ b/SecurityPkg/Library/Tpm2CommandLib/Tpm2Integrity.c > @@ -1,9 +1,9 @@ > /** @file > Implement TPM2 Integrity related command. >=20 > -Copyright (c) 2013 - 2016, Intel Corporation. All rights reserved.
> +Copyright (c) 2013 - 2018, Intel Corporation. All rights reserved.
> This program and the accompanying materials are licensed and made > available under the terms and conditions of the BSD License which > accompanies this distribution. The full text of the license may be found= at > http://opensource.org/licenses/bsd-license.php >=20 > @@ -277,10 +277,14 @@ Tpm2PcrEvent ( > // Unmarshal the response > // > Buffer =3D (UINT8 *)&Res.Digests; >=20 > Digests->count =3D SwapBytes32 (ReadUnaligned32 ((UINT32 *)Buffer)); > + if (Digests->count > HASH_COUNT) { > + return EFI_DEVICE_ERROR; > + } > + > Buffer +=3D sizeof(UINT32); > for (Index =3D 0; Index < Digests->count; Index++) { > Digests->digests[Index].hashAlg =3D SwapBytes16 (ReadUnaligned16 > ((UINT16 *)Buffer)); > Buffer +=3D sizeof(UINT16); > DigestSize =3D GetHashSizeFromAlgo (Digests->digests[Index].hashAlg)= ; 
> @@ -381,28 +385,37 @@ Tpm2PcrRead ( > if (RecvBufferSize < sizeof (TPM2_RESPONSE_HEADER) + > sizeof(RecvBuffer.PcrUpdateCounter) + > sizeof(RecvBuffer.PcrSelectionOut.count)) { > DEBUG ((EFI_D_ERROR, "Tpm2PcrRead - RecvBufferSize Error - %x\n", > RecvBufferSize)); > return EFI_DEVICE_ERROR; > } > PcrSelectionOut->count =3D SwapBytes32(RecvBuffer.PcrSelectionOut.coun= t); > - if (RecvBufferSize < sizeof (TPM2_RESPONSE_HEADER) + > sizeof(RecvBuffer.PcrUpdateCounter) + sizeof(RecvBuffer.PcrSelectionOut.c= ount) > + sizeof(RecvBuffer.PcrSelectionOut.pcrSelections[0]) * PcrSelectionOut->= count) > { > - DEBUG ((EFI_D_ERROR, "Tpm2PcrRead - RecvBufferSize Error - %x\n", > RecvBufferSize)); > + if (PcrSelectionOut->count > HASH_COUNT || RecvBufferSize < sizeof > (TPM2_RESPONSE_HEADER) + sizeof(RecvBuffer.PcrUpdateCounter) + > sizeof(RecvBuffer.PcrSelectionOut.count) + > sizeof(RecvBuffer.PcrSelectionOut.pcrSelections[0]) * PcrSelectionOut->co= unt) { > + DEBUG ((EFI_D_ERROR, "Tpm2PcrRead - Digests->count -%x or > + RecvBufferSize Error - %x\n", PcrSelectionOut->count, > + RecvBufferSize)); > return EFI_DEVICE_ERROR; > } > for (Index =3D 0; Index < PcrSelectionOut->count; Index++) { > PcrSelectionOut->pcrSelections[Index].hash =3D > SwapBytes16(RecvBuffer.PcrSelectionOut.pcrSelections[Index].hash); > PcrSelectionOut->pcrSelections[Index].sizeofSelect =3D > RecvBuffer.PcrSelectionOut.pcrSelections[Index].sizeofSelect; > + if (PcrSelectionOut->pcrSelections[Index].sizeofSelect > PCR_SELECT_= MAX) > { > + return EFI_DEVICE_ERROR; > + } > CopyMem (&PcrSelectionOut->pcrSelections[Index].pcrSelect, > &RecvBuffer.PcrSelectionOut.pcrSelections[Index].pcrSelect, > PcrSelectionOut->pcrSelections[Index].sizeofSelect); > } >=20 > // > // PcrValues > // > PcrValuesOut =3D (TPML_DIGEST *)((UINT8 *)&RecvBuffer + sizeof > (TPM2_RESPONSE_HEADER) + sizeof(RecvBuffer.PcrUpdateCounter) + > sizeof(RecvBuffer.PcrSelectionOut.count) + > sizeof(RecvBuffer.PcrSelectionOut.pcrSelections[0]) * 
PcrSelectionOut->co= unt); > PcrValues->count =3D SwapBytes32(PcrValuesOut->count); > + if (PcrValues->count > 8) { > + return EFI_DEVICE_ERROR; > + } > Digests =3D PcrValuesOut->digests; > for (Index =3D 0; Index < PcrValues->count; Index++) { > PcrValues->digests[Index].size =3D SwapBytes16(Digests->size); > + if (PcrValues->digests[Index].size > sizeof(TPMU_HA)) { > + return EFI_DEVICE_ERROR; > + } > CopyMem (&PcrValues->digests[Index].buffer, &Digests->buffer, > PcrValues->digests[Index].size); > Digests =3D (TPM2B_DIGEST *)((UINT8 *)Digests + sizeof(Digests->size= ) + > PcrValues->digests[Index].size); > } >=20 > return EFI_SUCCESS; > diff --git a/SecurityPkg/Library/Tpm2CommandLib/Tpm2NVStorage.c > b/SecurityPkg/Library/Tpm2CommandLib/Tpm2NVStorage.c > index 9508022132..2b87260764 100644 > --- a/SecurityPkg/Library/Tpm2CommandLib/Tpm2NVStorage.c > +++ b/SecurityPkg/Library/Tpm2CommandLib/Tpm2NVStorage.c > @@ -1,9 +1,9 @@ > /** @file > Implement TPM2 NVStorage related command. >=20 > -Copyright (c) 2013 - 2016, Intel Corporation. All rights reserved.
> +Copyright (c) 2013 - 2018, Intel Corporation. All rights reserved.
> This program and the accompanying materials are licensed and made > available under the terms and conditions of the BSD License which > accompanies this distribution. The full text of the license may be found= at > http://opensource.org/licenses/bsd-license.php >=20 > @@ -232,13 +232,18 @@ Tpm2NvReadPublic ( >=20 > // > // Basic check > // > NvPublicSize =3D SwapBytes16 (RecvBuffer.NvPublic.size); > + if (NvPublicSize > sizeof(TPMS_NV_PUBLIC)) { > + return EFI_DEVICE_ERROR; > + } > + > NvNameSize =3D SwapBytes16 (ReadUnaligned16 ((UINT16 *)((UINT8 > *)&RecvBuffer + sizeof(TPM2_RESPONSE_HEADER) + sizeof(UINT16) + > NvPublicSize))); >=20 > - if (RecvBufferSize !=3D sizeof(TPM2_RESPONSE_HEADER) + sizeof(UINT16) = + > NvPublicSize + sizeof(UINT16) + NvNameSize) { > + if (NvNameSize > sizeof(TPMU_NAME) || > + (RecvBufferSize !=3D sizeof(TPM2_RESPONSE_HEADER) + sizeof(UINT16) > + + NvPublicSize + sizeof(UINT16) + NvNameSize)) { > DEBUG ((EFI_D_ERROR, "Tpm2NvReadPublic - RecvBufferSize Error - > NvPublicSize %x, NvNameSize %x\n", RecvBufferSize, NvNameSize)); > return EFI_NOT_FOUND; > } >=20 > // > @@ -630,10 +635,15 @@ Tpm2NvRead ( >=20 > // > // Return the response > // > OutData->size =3D SwapBytes16 (RecvBuffer.Data.size); > + if (OutData->size > MAX_DIGEST_BUFFER) { > + Status =3D EFI_DEVICE_ERROR; > + goto Done; > + } > + > CopyMem (OutData->buffer, &RecvBuffer.Data.buffer, OutData->size); >=20 > Done: > // > // Clear AuthSession Content > diff --git a/SecurityPkg/Library/Tpm2CommandLib/Tpm2Object.c > b/SecurityPkg/Library/Tpm2CommandLib/Tpm2Object.c > index e070ff2f74..e9f693b65d 100644 > --- a/SecurityPkg/Library/Tpm2CommandLib/Tpm2Object.c > +++ b/SecurityPkg/Library/Tpm2CommandLib/Tpm2Object.c > @@ -1,9 +1,9 @@ > /** @file > Implement TPM2 Object related command. >=20 > -Copyright (c) 2017, Intel Corporation. All rights reserved.
> +Copyright (c) 2017 - 2018, Intel Corporation. All rights reserved.
> This program and the accompanying materials are licensed and made > available under the terms and conditions of the BSD License which > accompanies this distribution. The full text of the license may be found= at > http://opensource.org/licenses/bsd-license.php >=20 > @@ -107,15 +107,26 @@ Tpm2ReadPublic ( >=20 > // > // Basic check > // > OutPublicSize =3D SwapBytes16 (RecvBuffer.OutPublic.size); > + if (OutPublicSize > sizeof(TPMT_PUBLIC)) { > + return EFI_DEVICE_ERROR; > + } > + > NameSize =3D SwapBytes16 (ReadUnaligned16 ((UINT16 *)((UINT8 > *)&RecvBuffer + sizeof(TPM2_RESPONSE_HEADER) + > sizeof(UINT16) + OutPublicSize))); > + if (NameSize > sizeof(TPMU_NAME)) { > + return EFI_DEVICE_ERROR; > + } > + > QualifiedNameSize =3D SwapBytes16 (ReadUnaligned16 ((UINT16 *)((UINT8 > *)&RecvBuffer + sizeof(TPM2_RESPONSE_HEADER) + > sizeof(UINT16) + OutPublicSize + > sizeof(UINT16) + NameSize))); > + if (QualifiedNameSize > sizeof(TPMU_NAME)) { > + return EFI_DEVICE_ERROR; > + } >=20 > if (RecvBufferSize !=3D sizeof(TPM2_RESPONSE_HEADER) + sizeof(UINT16) = + > OutPublicSize + sizeof(UINT16) + NameSize + sizeof(UINT16) + > QualifiedNameSize) { > DEBUG ((DEBUG_ERROR, "Tpm2ReadPublic - RecvBufferSize %x Error - > OutPublicSize %x, NameSize %x, QualifiedNameSize %x\n", RecvBufferSize, > OutPublicSize, NameSize, QualifiedNameSize)); > return EFI_DEVICE_ERROR; > } 
> @@ -130,10 +141,13 @@ Tpm2ReadPublic ( > OutPublic->publicArea.nameAlg =3D SwapBytes16 > (OutPublic->publicArea.nameAlg); > WriteUnaligned32 ((UINT32 *)&OutPublic->publicArea.objectAttributes, > SwapBytes32 (ReadUnaligned32 ((UINT32 > *)&OutPublic->publicArea.objectAttributes))); > Buffer =3D (UINT8 *)&RecvBuffer.OutPublic.publicArea.authPolicy; > OutPublic->publicArea.authPolicy.size =3D SwapBytes16 (ReadUnaligned16 > ((UINT16 *)Buffer)); > Buffer +=3D sizeof(UINT16); > + if (OutPublic->publicArea.authPolicy.size > sizeof(TPMU_HA)) { > + return EFI_DEVICE_ERROR; > + } > CopyMem (OutPublic->publicArea.authPolicy.buffer, Buffer, > OutPublic->publicArea.authPolicy.size); > Buffer +=3D OutPublic->publicArea.authPolicy.size; >=20 > // TPMU_PUBLIC_PARMS > switch (OutPublic->publicArea.type) { 
@@ -305,32 +319,47 @@ > Tpm2ReadPublic ( > // TPMU_PUBLIC_ID > switch (OutPublic->publicArea.type) { > case TPM_ALG_KEYEDHASH: > OutPublic->publicArea.unique.keyedHash.size =3D SwapBytes16 > (ReadUnaligned16 ((UINT16 *)Buffer)); > Buffer +=3D sizeof(UINT16); > + if(OutPublic->publicArea.unique.keyedHash.size > sizeof(TPMU_HA)) { > + return EFI_DEVICE_ERROR; > + } > CopyMem (OutPublic->publicArea.unique.keyedHash.buffer, Buffer, > OutPublic->publicArea.unique.keyedHash.size); > Buffer +=3D OutPublic->publicArea.unique.keyedHash.size; > break; > case TPM_ALG_SYMCIPHER: > OutPublic->publicArea.unique.sym.size =3D SwapBytes16 (ReadUnaligned= 16 > ((UINT16 *)Buffer)); > Buffer +=3D sizeof(UINT16); > + if(OutPublic->publicArea.unique.sym.size > sizeof(TPMU_HA)) { > + return EFI_DEVICE_ERROR; > + } > CopyMem (OutPublic->publicArea.unique.sym.buffer, Buffer, > OutPublic->publicArea.unique.sym.size); > Buffer +=3D OutPublic->publicArea.unique.sym.size; > break; > case TPM_ALG_RSA: > OutPublic->publicArea.unique.rsa.size =3D SwapBytes16 (ReadUnaligned= 16 > ((UINT16 *)Buffer)); > Buffer +=3D sizeof(UINT16); > + if(OutPublic->publicArea.unique.rsa.size > MAX_RSA_KEY_BYTES) { > + return EFI_DEVICE_ERROR; > + } > CopyMem (OutPublic->publicArea.unique.rsa.buffer, Buffer, > OutPublic->publicArea.unique.rsa.size); > Buffer +=3D OutPublic->publicArea.unique.rsa.size; > break; > case TPM_ALG_ECC: > OutPublic->publicArea.unique.ecc.x.size =3D SwapBytes16 > (ReadUnaligned16 ((UINT16 *)Buffer)); > Buffer +=3D sizeof(UINT16); > + if (OutPublic->publicArea.unique.ecc.x.size > MAX_ECC_KEY_BYTES) { > + return EFI_DEVICE_ERROR; > + } > CopyMem (OutPublic->publicArea.unique.ecc.x.buffer, Buffer, > OutPublic->publicArea.unique.ecc.x.size); > Buffer +=3D OutPublic->publicArea.unique.ecc.x.size; > OutPublic->publicArea.unique.ecc.y.size =3D SwapBytes16 (ReadUnalign= ed16 > ((UINT16 *)Buffer)); > Buffer +=3D sizeof(UINT16); > + if (OutPublic->publicArea.unique.ecc.y.size > MAX_ECC_KEY_BYTES) { > 
+ return EFI_DEVICE_ERROR; > + } > CopyMem (OutPublic->publicArea.unique.ecc.y.buffer, Buffer, > OutPublic->publicArea.unique.ecc.y.size); > Buffer +=3D OutPublic->publicArea.unique.ecc.y.size; > break; > default: > return EFI_UNSUPPORTED; > diff --git a/SecurityPkg/Library/Tpm2CommandLib/Tpm2Sequences.c > b/SecurityPkg/Library/Tpm2CommandLib/Tpm2Sequences.c > index 305b6f2078..68a445bafc 100644 > --- a/SecurityPkg/Library/Tpm2CommandLib/Tpm2Sequences.c > +++ b/SecurityPkg/Library/Tpm2CommandLib/Tpm2Sequences.c > @@ -1,9 +1,9 @@ > /** @file > Implement TPM2 Sequences related command. >=20 > -Copyright (c) 2013, Intel Corporation. All rights reserved.
> +Copyright (c) 2013 - 2018, Intel Corporation. All rights reserved.
> This program and the accompanying materials are licensed and made > available under the terms and conditions of the BSD License which > accompanies this distribution. The full text of the license may be found= at > http://opensource.org/licenses/bsd-license.php >=20 > @@ -373,10 +373,14 @@ Tpm2EventSequenceComplete ( >=20 > BufferPtr =3D (UINT8 *)&Res.Results; >=20 > // count > Results->count =3D SwapBytes32(ReadUnaligned32 ((UINT32 *)BufferPtr)); > + if (Results->count > HASH_COUNT) { > + return EFI_DEVICE_ERROR; > + } > + > BufferPtr +=3D sizeof(UINT32); >=20 > for (Index =3D 0; Index < Results->count; Index++) { > Results->digests[Index].hashAlg =3D SwapBytes16(ReadUnaligned16 > ((UINT16 *)BufferPtr)); > BufferPtr +=3D sizeof(UINT16); > @@ -494,10 +498,14 @@ Tpm2SequenceComplete ( >=20 > BufferPtr =3D (UINT8 *)&Res.Digest; >=20 > // digestSize > Result->size =3D SwapBytes16(ReadUnaligned16 ((UINT16 *)BufferPtr)); > + if (Result->size > sizeof(TPMU_HA)){ > + return EFI_DEVICE_ERROR; > + } > + > BufferPtr +=3D sizeof(UINT16); >=20 > CopyMem( > Result->buffer, > BufferPtr, > diff --git a/SecurityPkg/Library/Tpm2CommandLib/Tpm2Session.c > b/SecurityPkg/Library/Tpm2CommandLib/Tpm2Session.c > index f03b6689ac..0c9b310e54 100644 > --- a/SecurityPkg/Library/Tpm2CommandLib/Tpm2Session.c > +++ b/SecurityPkg/Library/Tpm2CommandLib/Tpm2Session.c > @@ -1,9 +1,9 @@ > /** @file > Implement TPM2 Session related command. >=20 > -Copyright (c) 2014, Intel Corporation. All rights reserved.
> +Copyright (c) 2014 - 2018, Intel Corporation. All rights reserved.
> This program and the accompanying materials are licensed and made > available under the terms and conditions of the BSD License which > accompanies this distribution. The full text of the license may be found= at > http://opensource.org/licenses/bsd-license.php >=20 > @@ -161,9 +161,13 @@ Tpm2StartAuthSession ( > // > // Return the response > // > *SessionHandle =3D SwapBytes32 (RecvBuffer.SessionHandle); > NonceTPM->size =3D SwapBytes16 (RecvBuffer.NonceTPM.size); > + if (NonceTPM->size > sizeof(TPMU_HA)) { > + return EFI_DEVICE_ERROR; > + } > + > CopyMem (NonceTPM->buffer, &RecvBuffer.NonceTPM.buffer, > NonceTPM->size); >=20 > return EFI_SUCCESS; > } > -- > 2.16.2.windows.1