From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from mga11.intel.com (mga11.intel.com [192.55.52.93]) by mx.groups.io with SMTP id smtpd.web10.7636.1575597844334567783 for ; Thu, 05 Dec 2019 18:04:04 -0800 Authentication-Results: mx.groups.io; dkim=missing; spf=pass (domain: intel.com, ip: 192.55.52.93, mailfrom: jiewen.yao@intel.com) X-Amp-Result: SKIPPED(no attachment in message) X-Amp-File-Uploaded: False Received: from fmsmga004.fm.intel.com ([10.253.24.48]) by fmsmga102.fm.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 05 Dec 2019 18:04:04 -0800 X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.69,282,1571727600"; d="scan'208";a="236878264" Received: from fmsmsx108.amr.corp.intel.com ([10.18.124.206]) by fmsmga004.fm.intel.com with ESMTP; 05 Dec 2019 18:04:04 -0800 Received: from shsmsx108.ccr.corp.intel.com (10.239.4.97) by FMSMSX108.amr.corp.intel.com (10.18.124.206) with Microsoft SMTP Server (TLS) id 14.3.439.0; Thu, 5 Dec 2019 18:04:03 -0800 Received: from shsmsx102.ccr.corp.intel.com ([169.254.2.109]) by SHSMSX108.ccr.corp.intel.com ([169.254.8.46]) with mapi id 14.03.0439.000; Fri, 6 Dec 2019 10:04:02 +0800 From: "Yao, Jiewen" To: "Zhang, Shenglei" , "devel@edk2.groups.io" CC: "Wang, Jian J" , "Zhang, Chao B" Subject: Re: [PATCH] SecurityPkg/Tpm2Help.c: Add boundary check for array Thread-Topic: [PATCH] SecurityPkg/Tpm2Help.c: Add boundary check for array Thread-Index: AQHVq9drfziPosW3mE6WumYblpSmdaesWr/g Date: Fri, 6 Dec 2019 02:04:01 +0000 Message-ID: <74D8A39837DF1E4DA445A8C0B3885C503F89095E@shsmsx102.ccr.corp.intel.com> References: <20191206014933.36648-1-shenglei.zhang@intel.com> In-Reply-To: <20191206014933.36648-1-shenglei.zhang@intel.com> Accept-Language: zh-CN, en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: x-titus-metadata-40: eyJDYXRlZ29yeUxhYmVscyI6IiIsIk1ldGFkYXRhIjp7Im5zIjoiaHR0cDpcL1wvd3d3LnRpdHVzLmNvbVwvbnNcL0ludGVsMyIsImlkIjoiYmQxNWNjMzYtZDlmYS00N2IyLWExMjMtNWViZGY0YWZmNDY4IiwicHJvcHMiOlt7Im4iOiJDVFBDbGFzc2lmaWNhdGlvbiIsInZhbHMiOlt7InZhbHVlIjoiQ1RQX05UIn1dfV19LCJTdWJqZWN0TGFiZWxzIjpbXSwiVE1DVmVyc2lvbiI6IjE3LjEwLjE4MDQuNDkiLCJUcnVzdGVkTGFiZWxIYXNoIjoiXC8xQkcyUlhFT3dZXC9USkxZdFdVTllyWHVnc2NPK1BJb25xa1VUTlVpUWluVzlqbnlTczVrVk9CU01uWUYyd2ExIn0= x-ctpclassification: CTP_NT dlp-product: dlpe-windows dlp-version: 11.2.0.6 dlp-reaction: no-action x-originating-ip: [10.239.127.40] MIME-Version: 1.0 Return-Path: jiewen.yao@intel.com Content-Language: en-US Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable Hi May I know where is the data from? Trusted region or non-trusted region? I am thinking if we need use ASSERT to avoid user mistake. But want to check the API input assumption at first... > -----Original Message----- > From: Zhang, Shenglei > Sent: Friday, December 6, 2019 9:50 AM > To: devel@edk2.groups.io > Cc: Yao, Jiewen ; Wang, Jian J ; > Zhang, Chao B > Subject: [PATCH] SecurityPkg/Tpm2Help.c: Add boundary check for array >=20 > Add 'Index < HASH_COUNT' to ensure things out of boundary > of digests[] can not be visited. >=20 > Cc: Jiewen Yao > Cc: Jian J Wang > Cc: Chao Zhang > Signed-off-by: Shenglei Zhang > --- > SecurityPkg/Library/Tpm2CommandLib/Tpm2Help.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) >=20 > diff --git a/SecurityPkg/Library/Tpm2CommandLib/Tpm2Help.c > b/SecurityPkg/Library/Tpm2CommandLib/Tpm2Help.c > index 36c240d1221c..a7d4e3ab5373 100644 > --- a/SecurityPkg/Library/Tpm2CommandLib/Tpm2Help.c > +++ b/SecurityPkg/Library/Tpm2CommandLib/Tpm2Help.c > @@ -299,7 +299,7 @@ GetDigestListSize ( > UINT32 TotalSize; >=20 > TotalSize =3D sizeof(DigestList->count); > - for (Index =3D 0; Index < DigestList->count; Index++) { > + for (Index =3D 0; Index < DigestList->count, Index < HASH_COUNT; Index= ++) { > DigestSize =3D GetHashSizeFromAlgo (DigestList->digests[Index].hashA= lg); > TotalSize +=3D sizeof(DigestList->digests[Index].hashAlg) + DigestSi= ze; > } > -- > 2.18.0.windows.1