From: "Zhang, Shenglei"
To: "Yao, Jiewen", "devel@edk2.groups.io"
CC: "Wang, Jian J", "Zhang, Chao B"
Subject: Re: [PATCH] SecurityPkg/Tpm2Help.c: Add boundary check for array
Date: Mon, 16 Dec 2019 06:57:11 +0000
References: <20191206014933.36648-1-shenglei.zhang@intel.com> <74D8A39837DF1E4DA445A8C0B3885C503F89095E@shsmsx102.ccr.corp.intel.com>
In-Reply-To: <74D8A39837DF1E4DA445A8C0B3885C503F89095E@shsmsx102.ccr.corp.intel.com>

> -----Original Message-----
> From: Yao, Jiewen
> Sent: Friday, December 6, 2019 10:04 AM
> To: Zhang, Shenglei; devel@edk2.groups.io
> Cc: Wang, Jian J; Zhang, Chao B
> Subject: RE: [PATCH] SecurityPkg/Tpm2Help.c: Add boundary check for array
>
> Hi
> May I know where is the data from? Trusted region or non-trusted region?
>
> I am thinking if we need use ASSERT to avoid user mistake.
> But want to check the API input assumption at first...

Hi Jiewen,

I don't think DigestList->count can be trusted. We can add Index < HASH_COUNT into the for(...) statement.

Thanks,
Shenglei

>
>
>
> > -----Original Message-----
> > From: Zhang, Shenglei
> > Sent: Friday, December 6, 2019 9:50 AM
> > To: devel@edk2.groups.io
> > Cc: Yao, Jiewen; Wang, Jian J; Zhang, Chao B
> > Subject: [PATCH] SecurityPkg/Tpm2Help.c: Add boundary check for array
> >
> > Add 'Index < HASH_COUNT' to ensure things out of boundary
> > of digests[] can not be visited.
> >
> > Cc: Jiewen Yao
> > Cc: Jian J Wang
> > Cc: Chao Zhang
> > Signed-off-by: Shenglei Zhang > > --- > > SecurityPkg/Library/Tpm2CommandLib/Tpm2Help.c | 2 +- > > 1 file changed, 1 insertion(+), 1 deletion(-) > > > > diff --git a/SecurityPkg/Library/Tpm2CommandLib/Tpm2Help.c > > b/SecurityPkg/Library/Tpm2CommandLib/Tpm2Help.c > > index 36c240d1221c..a7d4e3ab5373 100644 > > --- a/SecurityPkg/Library/Tpm2CommandLib/Tpm2Help.c > > +++ b/SecurityPkg/Library/Tpm2CommandLib/Tpm2Help.c > > @@ -299,7 +299,7 @@ GetDigestListSize ( > > UINT32 TotalSize; > > > > TotalSize =3D sizeof(DigestList->count); > > - for (Index =3D 0; Index < DigestList->count; Index++) { > > + for (Index =3D 0; Index < DigestList->count, Index < HASH_COUNT; Ind= ex++) > { > > DigestSize =3D GetHashSizeFromAlgo (DigestList->digests[Index].has= hAlg); > > TotalSize +=3D sizeof(DigestList->digests[Index].hashAlg) + Digest= Size; > > } > > -- > > 2.18.0.windows.1
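
Review bot: The new for condition in GetDigestListSize joins the two bounds with a comma, 'Index < DigestList->count, Index < HASH_COUNT', and the C comma operator evaluates the first comparison, discards it, and uses only 'Index < HASH_COUNT' as the loop test. The loop therefore always runs HASH_COUNT times: the out-of-bounds read on digests[] is prevented, but when DigestList->count is smaller than HASH_COUNT the entries past count are still passed to GetHashSizeFromAlgo and added to TotalSize. Both bounds should be combined with a logical AND, 'Index < DigestList->count && Index < HASH_COUNT'. Since the reply above treats DigestList->count as untrusted, it is also worth deciding whether a count larger than HASH_COUNT should be reported to the caller instead of being silently clamped, because the returned size will then no longer correspond to the count field that TotalSize starts from.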