* [Patch] SecurityPkg Tpm2CommandLib: Fix TPM2.0 response memory overflow
@ 2018-03-20 8:35 Zhang, Chao B
2018-03-21 2:57 ` Long, Qin
0 siblings, 1 reply; 5+ messages in thread
From: Zhang, Chao B @ 2018-03-20 8:35 UTC (permalink / raw)
To: edk2-devel; +Cc: Long Qin, Yao Jiewen, Chao Zhang
TPM2.0 command lib always assumes TPM device and transmission channel can
respond correctly. But it is not true when communication channel is exploited
and wrong data is spoofed. Add more logic to prohibit memory overflow attack.
Cc: Long Qin <qin.long@intel.com>
Cc: Yao Jiewen <jiewen.yao@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Chao Zhang <chao.b.zhang@intel.com>
Signed-off-by: Zhang, Chao B <chao.b.zhang@intel.com>
---
.../Library/Tpm2CommandLib/Tpm2Capability.c | 21 ++++++++++++++-
.../Tpm2CommandLib/Tpm2EnhancedAuthorization.c | 16 ++++++++++-
SecurityPkg/Library/Tpm2CommandLib/Tpm2Integrity.c | 19 ++++++++++---
SecurityPkg/Library/Tpm2CommandLib/Tpm2NVStorage.c | 14 ++++++++--
SecurityPkg/Library/Tpm2CommandLib/Tpm2Object.c | 31 +++++++++++++++++++++-
SecurityPkg/Library/Tpm2CommandLib/Tpm2Sequences.c | 10 ++++++-
SecurityPkg/Library/Tpm2CommandLib/Tpm2Session.c | 6 ++++-
7 files changed, 107 insertions(+), 10 deletions(-)
diff --git a/SecurityPkg/Library/Tpm2CommandLib/Tpm2Capability.c b/SecurityPkg/Library/Tpm2CommandLib/Tpm2Capability.c
index 79e80fb7a9..42afe107a6 100644
--- a/SecurityPkg/Library/Tpm2CommandLib/Tpm2Capability.c
+++ b/SecurityPkg/Library/Tpm2CommandLib/Tpm2Capability.c
@@ -1,9 +1,9 @@
/** @file
Implement TPM2 Capability related command.
-Copyright (c) 2013 - 2016, Intel Corporation. All rights reserved. <BR>
+Copyright (c) 2013 - 2018, Intel Corporation. All rights reserved. <BR>
This program and the accompanying materials
are licensed and made available under the terms and conditions of the BSD License
which accompanies this distribution. The full text of the license may be found at
http://opensource.org/licenses/bsd-license.php
@@ -110,10 +110,18 @@ Tpm2GetCapability (
if (RecvBufferSize <= sizeof (TPM2_RESPONSE_HEADER) + sizeof (UINT8)) {
return EFI_DEVICE_ERROR;
}
+ //
+ // Fail if command failed
+ //
+ if (SwapBytes32(RecvBuffer.Header.responseCode) != TPM_RC_SUCCESS) {
+ DEBUG ((EFI_D_ERROR, "Tpm2GetCapability: Response Code error! 0x%08x\r\n", SwapBytes32(RecvBuffer.Header.responseCode)));
+ return EFI_DEVICE_ERROR;
+ }
+
//
// Return the response
//
*MoreData = RecvBuffer.MoreData;
//
@@ -327,10 +335,14 @@ Tpm2GetCapabilitySupportedAlg (
}
CopyMem (AlgList, &TpmCap.data.algorithms, sizeof (TPML_ALG_PROPERTY));
AlgList->count = SwapBytes32 (AlgList->count);
+ if (AlgList->count > MAX_CAP_ALGS) {
+ return EFI_DEVICE_ERROR;
+ }
+
for (Index = 0; Index < AlgList->count; Index++) {
AlgList->algProperties[Index].alg = SwapBytes16 (AlgList->algProperties[Index].alg);
WriteUnaligned32 ((UINT32 *)&AlgList->algProperties[Index].algProperties, SwapBytes32 (ReadUnaligned32 ((UINT32 *)&AlgList->algProperties[Index].algProperties)));
}
@@ -474,13 +486,20 @@ Tpm2GetCapabilityPcrs (
if (EFI_ERROR (Status)) {
return Status;
}
Pcrs->count = SwapBytes32 (TpmCap.data.assignedPCR.count);
+ if (Pcrs->count > HASH_COUNT) {
+ return EFI_DEVICE_ERROR;
+ }
+
for (Index = 0; Index < Pcrs->count; Index++) {
Pcrs->pcrSelections[Index].hash = SwapBytes16 (TpmCap.data.assignedPCR.pcrSelections[Index].hash);
Pcrs->pcrSelections[Index].sizeofSelect = TpmCap.data.assignedPCR.pcrSelections[Index].sizeofSelect;
+ if (Pcrs->pcrSelections[Index].sizeofSelect > PCR_SELECT_MAX) {
+ return EFI_DEVICE_ERROR;
+ }
CopyMem (Pcrs->pcrSelections[Index].pcrSelect, TpmCap.data.assignedPCR.pcrSelections[Index].pcrSelect, Pcrs->pcrSelections[Index].sizeofSelect);
}
return EFI_SUCCESS;
}
diff --git a/SecurityPkg/Library/Tpm2CommandLib/Tpm2EnhancedAuthorization.c b/SecurityPkg/Library/Tpm2CommandLib/Tpm2EnhancedAuthorization.c
index 6f6b3693f8..3e42875b83 100644
--- a/SecurityPkg/Library/Tpm2CommandLib/Tpm2EnhancedAuthorization.c
+++ b/SecurityPkg/Library/Tpm2CommandLib/Tpm2EnhancedAuthorization.c
@@ -1,9 +1,9 @@
/** @file
Implement TPM2 EnhancedAuthorization related command.
-Copyright (c) 2014 - 2016, Intel Corporation. All rights reserved. <BR>
+Copyright (c) 2014 - 2018, Intel Corporation. All rights reserved. <BR>
This program and the accompanying materials
are licensed and made available under the terms and conditions of the BSD License
which accompanies this distribution. The full text of the license may be found at
http://opensource.org/licenses/bsd-license.php
@@ -178,19 +178,29 @@ Tpm2PolicySecret (
//
// Return the response
//
Buffer = (UINT8 *)&RecvBuffer.Timeout;
Timeout->size = SwapBytes16(ReadUnaligned16 ((UINT16 *)Buffer));
+ if (Timeout->size > sizeof(UINT64)) {
+ Status = EFI_DEVICE_ERROR;
+ goto Done;
+ }
+
Buffer += sizeof(UINT16);
CopyMem (Timeout->buffer, Buffer, Timeout->size);
PolicyTicket->tag = SwapBytes16(ReadUnaligned16 ((UINT16 *)Buffer));
Buffer += sizeof(UINT16);
PolicyTicket->hierarchy = SwapBytes32(ReadUnaligned32 ((UINT32 *)Buffer));
Buffer += sizeof(UINT32);
PolicyTicket->digest.size = SwapBytes16(ReadUnaligned16 ((UINT16 *)Buffer));
Buffer += sizeof(UINT16);
+ if (PolicyTicket->digest.size > sizeof(TPMU_HA)) {
+ Status = EFI_DEVICE_ERROR;
+ goto Done;
+ }
+
CopyMem (PolicyTicket->digest.buffer, Buffer, PolicyTicket->digest.size);
Done:
//
// Clear AuthSession Content
@@ -377,9 +387,13 @@ Tpm2PolicyGetDigest (
//
// Return the response
//
PolicyHash->size = SwapBytes16 (RecvBuffer.PolicyHash.size);
+ if (PolicyHash->size > sizeof(TPMU_HA)) {
+ return EFI_DEVICE_ERROR;
+ }
+
CopyMem (PolicyHash->buffer, &RecvBuffer.PolicyHash.buffer, PolicyHash->size);
return EFI_SUCCESS;
}
diff --git a/SecurityPkg/Library/Tpm2CommandLib/Tpm2Integrity.c b/SecurityPkg/Library/Tpm2CommandLib/Tpm2Integrity.c
index 8eacfe6c13..9c0b70dd93 100644
--- a/SecurityPkg/Library/Tpm2CommandLib/Tpm2Integrity.c
+++ b/SecurityPkg/Library/Tpm2CommandLib/Tpm2Integrity.c
@@ -1,9 +1,9 @@
/** @file
Implement TPM2 Integrity related command.
-Copyright (c) 2013 - 2016, Intel Corporation. All rights reserved. <BR>
+Copyright (c) 2013 - 2018, Intel Corporation. All rights reserved. <BR>
This program and the accompanying materials
are licensed and made available under the terms and conditions of the BSD License
which accompanies this distribution. The full text of the license may be found at
http://opensource.org/licenses/bsd-license.php
@@ -277,10 +277,14 @@ Tpm2PcrEvent (
// Unmarshal the response
//
Buffer = (UINT8 *)&Res.Digests;
Digests->count = SwapBytes32 (ReadUnaligned32 ((UINT32 *)Buffer));
+ if (Digests->count > HASH_COUNT) {
+ return EFI_DEVICE_ERROR;
+ }
+
Buffer += sizeof(UINT32);
for (Index = 0; Index < Digests->count; Index++) {
Digests->digests[Index].hashAlg = SwapBytes16 (ReadUnaligned16 ((UINT16 *)Buffer));
Buffer += sizeof(UINT16);
DigestSize = GetHashSizeFromAlgo (Digests->digests[Index].hashAlg);
@@ -381,28 +385,37 @@ Tpm2PcrRead (
if (RecvBufferSize < sizeof (TPM2_RESPONSE_HEADER) + sizeof(RecvBuffer.PcrUpdateCounter) + sizeof(RecvBuffer.PcrSelectionOut.count)) {
DEBUG ((EFI_D_ERROR, "Tpm2PcrRead - RecvBufferSize Error - %x\n", RecvBufferSize));
return EFI_DEVICE_ERROR;
}
PcrSelectionOut->count = SwapBytes32(RecvBuffer.PcrSelectionOut.count);
- if (RecvBufferSize < sizeof (TPM2_RESPONSE_HEADER) + sizeof(RecvBuffer.PcrUpdateCounter) + sizeof(RecvBuffer.PcrSelectionOut.count) + sizeof(RecvBuffer.PcrSelectionOut.pcrSelections[0]) * PcrSelectionOut->count) {
- DEBUG ((EFI_D_ERROR, "Tpm2PcrRead - RecvBufferSize Error - %x\n", RecvBufferSize));
+ if (PcrSelectionOut->count > HASH_COUNT || RecvBufferSize < sizeof (TPM2_RESPONSE_HEADER) + sizeof(RecvBuffer.PcrUpdateCounter) + sizeof(RecvBuffer.PcrSelectionOut.count) + sizeof(RecvBuffer.PcrSelectionOut.pcrSelections[0]) * PcrSelectionOut->count) {
+ DEBUG ((EFI_D_ERROR, "Tpm2PcrRead - Digests->count -%x or RecvBufferSize Error - %x\n", PcrSelectionOut->count, RecvBufferSize));
return EFI_DEVICE_ERROR;
}
for (Index = 0; Index < PcrSelectionOut->count; Index++) {
PcrSelectionOut->pcrSelections[Index].hash = SwapBytes16(RecvBuffer.PcrSelectionOut.pcrSelections[Index].hash);
PcrSelectionOut->pcrSelections[Index].sizeofSelect = RecvBuffer.PcrSelectionOut.pcrSelections[Index].sizeofSelect;
+ if (PcrSelectionOut->pcrSelections[Index].sizeofSelect > PCR_SELECT_MAX) {
+ return EFI_DEVICE_ERROR;
+ }
CopyMem (&PcrSelectionOut->pcrSelections[Index].pcrSelect, &RecvBuffer.PcrSelectionOut.pcrSelections[Index].pcrSelect, PcrSelectionOut->pcrSelections[Index].sizeofSelect);
}
//
// PcrValues
//
PcrValuesOut = (TPML_DIGEST *)((UINT8 *)&RecvBuffer + sizeof (TPM2_RESPONSE_HEADER) + sizeof(RecvBuffer.PcrUpdateCounter) + sizeof(RecvBuffer.PcrSelectionOut.count) + sizeof(RecvBuffer.PcrSelectionOut.pcrSelections[0]) * PcrSelectionOut->count);
PcrValues->count = SwapBytes32(PcrValuesOut->count);
+ if (PcrValues->count > 8) {
+ return EFI_DEVICE_ERROR;
+ }
Digests = PcrValuesOut->digests;
for (Index = 0; Index < PcrValues->count; Index++) {
PcrValues->digests[Index].size = SwapBytes16(Digests->size);
+ if (PcrValues->digests[Index].size > sizeof(TPMU_HA)) {
+ return EFI_DEVICE_ERROR;
+ }
CopyMem (&PcrValues->digests[Index].buffer, &Digests->buffer, PcrValues->digests[Index].size);
Digests = (TPM2B_DIGEST *)((UINT8 *)Digests + sizeof(Digests->size) + PcrValues->digests[Index].size);
}
return EFI_SUCCESS;
diff --git a/SecurityPkg/Library/Tpm2CommandLib/Tpm2NVStorage.c b/SecurityPkg/Library/Tpm2CommandLib/Tpm2NVStorage.c
index 9508022132..2b87260764 100644
--- a/SecurityPkg/Library/Tpm2CommandLib/Tpm2NVStorage.c
+++ b/SecurityPkg/Library/Tpm2CommandLib/Tpm2NVStorage.c
@@ -1,9 +1,9 @@
/** @file
Implement TPM2 NVStorage related command.
-Copyright (c) 2013 - 2016, Intel Corporation. All rights reserved. <BR>
+Copyright (c) 2013 - 2018, Intel Corporation. All rights reserved. <BR>
This program and the accompanying materials
are licensed and made available under the terms and conditions of the BSD License
which accompanies this distribution. The full text of the license may be found at
http://opensource.org/licenses/bsd-license.php
@@ -232,13 +232,18 @@ Tpm2NvReadPublic (
//
// Basic check
//
NvPublicSize = SwapBytes16 (RecvBuffer.NvPublic.size);
+ if (NvPublicSize > sizeof(TPMS_NV_PUBLIC)) {
+ return EFI_DEVICE_ERROR;
+ }
+
NvNameSize = SwapBytes16 (ReadUnaligned16 ((UINT16 *)((UINT8 *)&RecvBuffer + sizeof(TPM2_RESPONSE_HEADER) + sizeof(UINT16) + NvPublicSize)));
- if (RecvBufferSize != sizeof(TPM2_RESPONSE_HEADER) + sizeof(UINT16) + NvPublicSize + sizeof(UINT16) + NvNameSize) {
+ if (NvNameSize > sizeof(TPMU_NAME) ||
+ (RecvBufferSize != sizeof(TPM2_RESPONSE_HEADER) + sizeof(UINT16) + NvPublicSize + sizeof(UINT16) + NvNameSize)) {
DEBUG ((EFI_D_ERROR, "Tpm2NvReadPublic - RecvBufferSize Error - NvPublicSize %x, NvNameSize %x\n", RecvBufferSize, NvNameSize));
return EFI_NOT_FOUND;
}
//
@@ -630,10 +635,15 @@ Tpm2NvRead (
//
// Return the response
//
OutData->size = SwapBytes16 (RecvBuffer.Data.size);
+ if (OutData->size > MAX_DIGEST_BUFFER) {
+ Status = EFI_DEVICE_ERROR;
+ goto Done;
+ }
+
CopyMem (OutData->buffer, &RecvBuffer.Data.buffer, OutData->size);
Done:
//
// Clear AuthSession Content
diff --git a/SecurityPkg/Library/Tpm2CommandLib/Tpm2Object.c b/SecurityPkg/Library/Tpm2CommandLib/Tpm2Object.c
index e070ff2f74..e9f693b65d 100644
--- a/SecurityPkg/Library/Tpm2CommandLib/Tpm2Object.c
+++ b/SecurityPkg/Library/Tpm2CommandLib/Tpm2Object.c
@@ -1,9 +1,9 @@
/** @file
Implement TPM2 Object related command.
-Copyright (c) 2017, Intel Corporation. All rights reserved. <BR>
+Copyright (c) 2017 - 2018, Intel Corporation. All rights reserved. <BR>
This program and the accompanying materials
are licensed and made available under the terms and conditions of the BSD License
which accompanies this distribution. The full text of the license may be found at
http://opensource.org/licenses/bsd-license.php
@@ -107,15 +107,26 @@ Tpm2ReadPublic (
//
// Basic check
//
OutPublicSize = SwapBytes16 (RecvBuffer.OutPublic.size);
+ if (OutPublicSize > sizeof(TPMT_PUBLIC)) {
+ return EFI_DEVICE_ERROR;
+ }
+
NameSize = SwapBytes16 (ReadUnaligned16 ((UINT16 *)((UINT8 *)&RecvBuffer + sizeof(TPM2_RESPONSE_HEADER) +
sizeof(UINT16) + OutPublicSize)));
+ if (NameSize > sizeof(TPMU_NAME)) {
+ return EFI_DEVICE_ERROR;
+ }
+
QualifiedNameSize = SwapBytes16 (ReadUnaligned16 ((UINT16 *)((UINT8 *)&RecvBuffer + sizeof(TPM2_RESPONSE_HEADER) +
sizeof(UINT16) + OutPublicSize +
sizeof(UINT16) + NameSize)));
+ if (QualifiedNameSize > sizeof(TPMU_NAME)) {
+ return EFI_DEVICE_ERROR;
+ }
if (RecvBufferSize != sizeof(TPM2_RESPONSE_HEADER) + sizeof(UINT16) + OutPublicSize + sizeof(UINT16) + NameSize + sizeof(UINT16) + QualifiedNameSize) {
DEBUG ((DEBUG_ERROR, "Tpm2ReadPublic - RecvBufferSize %x Error - OutPublicSize %x, NameSize %x, QualifiedNameSize %x\n", RecvBufferSize, OutPublicSize, NameSize, QualifiedNameSize));
return EFI_DEVICE_ERROR;
}
@@ -130,10 +141,13 @@ Tpm2ReadPublic (
OutPublic->publicArea.nameAlg = SwapBytes16 (OutPublic->publicArea.nameAlg);
WriteUnaligned32 ((UINT32 *)&OutPublic->publicArea.objectAttributes, SwapBytes32 (ReadUnaligned32 ((UINT32 *)&OutPublic->publicArea.objectAttributes)));
Buffer = (UINT8 *)&RecvBuffer.OutPublic.publicArea.authPolicy;
OutPublic->publicArea.authPolicy.size = SwapBytes16 (ReadUnaligned16 ((UINT16 *)Buffer));
Buffer += sizeof(UINT16);
+ if (OutPublic->publicArea.authPolicy.size > sizeof(TPMU_HA)) {
+ return EFI_DEVICE_ERROR;
+ }
CopyMem (OutPublic->publicArea.authPolicy.buffer, Buffer, OutPublic->publicArea.authPolicy.size);
Buffer += OutPublic->publicArea.authPolicy.size;
// TPMU_PUBLIC_PARMS
switch (OutPublic->publicArea.type) {
@@ -305,32 +319,47 @@ Tpm2ReadPublic (
// TPMU_PUBLIC_ID
switch (OutPublic->publicArea.type) {
case TPM_ALG_KEYEDHASH:
OutPublic->publicArea.unique.keyedHash.size = SwapBytes16 (ReadUnaligned16 ((UINT16 *)Buffer));
Buffer += sizeof(UINT16);
+ if(OutPublic->publicArea.unique.keyedHash.size > sizeof(TPMU_HA)) {
+ return EFI_DEVICE_ERROR;
+ }
CopyMem (OutPublic->publicArea.unique.keyedHash.buffer, Buffer, OutPublic->publicArea.unique.keyedHash.size);
Buffer += OutPublic->publicArea.unique.keyedHash.size;
break;
case TPM_ALG_SYMCIPHER:
OutPublic->publicArea.unique.sym.size = SwapBytes16 (ReadUnaligned16 ((UINT16 *)Buffer));
Buffer += sizeof(UINT16);
+ if(OutPublic->publicArea.unique.sym.size > sizeof(TPMU_HA)) {
+ return EFI_DEVICE_ERROR;
+ }
CopyMem (OutPublic->publicArea.unique.sym.buffer, Buffer, OutPublic->publicArea.unique.sym.size);
Buffer += OutPublic->publicArea.unique.sym.size;
break;
case TPM_ALG_RSA:
OutPublic->publicArea.unique.rsa.size = SwapBytes16 (ReadUnaligned16 ((UINT16 *)Buffer));
Buffer += sizeof(UINT16);
+ if(OutPublic->publicArea.unique.rsa.size > MAX_RSA_KEY_BYTES) {
+ return EFI_DEVICE_ERROR;
+ }
CopyMem (OutPublic->publicArea.unique.rsa.buffer, Buffer, OutPublic->publicArea.unique.rsa.size);
Buffer += OutPublic->publicArea.unique.rsa.size;
break;
case TPM_ALG_ECC:
OutPublic->publicArea.unique.ecc.x.size = SwapBytes16 (ReadUnaligned16 ((UINT16 *)Buffer));
Buffer += sizeof(UINT16);
+ if (OutPublic->publicArea.unique.ecc.x.size > MAX_ECC_KEY_BYTES) {
+ return EFI_DEVICE_ERROR;
+ }
CopyMem (OutPublic->publicArea.unique.ecc.x.buffer, Buffer, OutPublic->publicArea.unique.ecc.x.size);
Buffer += OutPublic->publicArea.unique.ecc.x.size;
OutPublic->publicArea.unique.ecc.y.size = SwapBytes16 (ReadUnaligned16 ((UINT16 *)Buffer));
Buffer += sizeof(UINT16);
+ if (OutPublic->publicArea.unique.ecc.y.size > MAX_ECC_KEY_BYTES) {
+ return EFI_DEVICE_ERROR;
+ }
CopyMem (OutPublic->publicArea.unique.ecc.y.buffer, Buffer, OutPublic->publicArea.unique.ecc.y.size);
Buffer += OutPublic->publicArea.unique.ecc.y.size;
break;
default:
return EFI_UNSUPPORTED;
diff --git a/SecurityPkg/Library/Tpm2CommandLib/Tpm2Sequences.c b/SecurityPkg/Library/Tpm2CommandLib/Tpm2Sequences.c
index 305b6f2078..68a445bafc 100644
--- a/SecurityPkg/Library/Tpm2CommandLib/Tpm2Sequences.c
+++ b/SecurityPkg/Library/Tpm2CommandLib/Tpm2Sequences.c
@@ -1,9 +1,9 @@
/** @file
Implement TPM2 Sequences related command.
-Copyright (c) 2013, Intel Corporation. All rights reserved. <BR>
+Copyright (c) 2013 - 2018, Intel Corporation. All rights reserved. <BR>
This program and the accompanying materials
are licensed and made available under the terms and conditions of the BSD License
which accompanies this distribution. The full text of the license may be found at
http://opensource.org/licenses/bsd-license.php
@@ -373,10 +373,14 @@ Tpm2EventSequenceComplete (
BufferPtr = (UINT8 *)&Res.Results;
// count
Results->count = SwapBytes32(ReadUnaligned32 ((UINT32 *)BufferPtr));
+ if (Results->count > HASH_COUNT) {
+ return EFI_DEVICE_ERROR;
+ }
+
BufferPtr += sizeof(UINT32);
for (Index = 0; Index < Results->count; Index++) {
Results->digests[Index].hashAlg = SwapBytes16(ReadUnaligned16 ((UINT16 *)BufferPtr));
BufferPtr += sizeof(UINT16);
@@ -494,10 +498,14 @@ Tpm2SequenceComplete (
BufferPtr = (UINT8 *)&Res.Digest;
// digestSize
Result->size = SwapBytes16(ReadUnaligned16 ((UINT16 *)BufferPtr));
+ if (Result->size > sizeof(TPMU_HA)){
+ return EFI_DEVICE_ERROR;
+ }
+
BufferPtr += sizeof(UINT16);
CopyMem(
Result->buffer,
BufferPtr,
diff --git a/SecurityPkg/Library/Tpm2CommandLib/Tpm2Session.c b/SecurityPkg/Library/Tpm2CommandLib/Tpm2Session.c
index f03b6689ac..0c9b310e54 100644
--- a/SecurityPkg/Library/Tpm2CommandLib/Tpm2Session.c
+++ b/SecurityPkg/Library/Tpm2CommandLib/Tpm2Session.c
@@ -1,9 +1,9 @@
/** @file
Implement TPM2 Session related command.
-Copyright (c) 2014, Intel Corporation. All rights reserved. <BR>
+Copyright (c) 2014 - 2018, Intel Corporation. All rights reserved. <BR>
This program and the accompanying materials
are licensed and made available under the terms and conditions of the BSD License
which accompanies this distribution. The full text of the license may be found at
http://opensource.org/licenses/bsd-license.php
@@ -161,9 +161,13 @@ Tpm2StartAuthSession (
//
// Return the response
//
*SessionHandle = SwapBytes32 (RecvBuffer.SessionHandle);
NonceTPM->size = SwapBytes16 (RecvBuffer.NonceTPM.size);
+ if (NonceTPM->size > sizeof(TPMU_HA)) {
+ return EFI_DEVICE_ERROR;
+ }
+
CopyMem (NonceTPM->buffer, &RecvBuffer.NonceTPM.buffer, NonceTPM->size);
return EFI_SUCCESS;
}
--
2.16.2.windows.1
^ permalink raw reply related [flat|nested] 5+ messages in thread
* Re: [Patch] SecurityPkg Tpm2CommandLib: Fix TPM2.0 response memory overflow
2018-03-20 8:35 [Patch] SecurityPkg Tpm2CommandLib: Fix TPM2.0 response memory overflow Zhang, Chao B
@ 2018-03-21 2:57 ` Long, Qin
2018-03-21 3:03 ` Zhang, Chao B
0 siblings, 1 reply; 5+ messages in thread
From: Long, Qin @ 2018-03-21 2:57 UTC (permalink / raw)
To: Zhang, Chao B, edk2-devel@lists.01.org; +Cc: Yao, Jiewen
Hi, Chao,
One minor suggestion to add the comment to explain the following value "8": the number of digests in list is not greater than 8 per TPML_DIGEST definition.
+ if (PcrValues->count > 8) {
+ return EFI_DEVICE_ERROR;
+ }
Other looks good to me.
Reviewed-by: Long Qin <qin.long@intel.com>
Best Regards & Thanks,
LONG, Qin
-----Original Message-----
From: Zhang, Chao B
Sent: Tuesday, March 20, 2018 4:36 PM
To: edk2-devel@lists.01.org
Cc: Long, Qin <qin.long@intel.com>; Yao, Jiewen <jiewen.yao@intel.com>; Zhang, Chao B <chao.b.zhang@intel.com>
Subject: [Patch] SecurityPkg Tpm2CommandLib: Fix TPM2.0 response memory overflow
TPM2.0 command lib always assumes TPM device and transmission channel can respond correctly. But it is not true when communication channel is exploited and wrong data is spoofed. Add more logic to prohibit memory overflow attack.
Cc: Long Qin <qin.long@intel.com>
Cc: Yao Jiewen <jiewen.yao@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Chao Zhang <chao.b.zhang@intel.com>
Signed-off-by: Zhang, Chao B <chao.b.zhang@intel.com>
---
.../Library/Tpm2CommandLib/Tpm2Capability.c | 21 ++++++++++++++-
.../Tpm2CommandLib/Tpm2EnhancedAuthorization.c | 16 ++++++++++-
SecurityPkg/Library/Tpm2CommandLib/Tpm2Integrity.c | 19 ++++++++++--- SecurityPkg/Library/Tpm2CommandLib/Tpm2NVStorage.c | 14 ++++++++--
SecurityPkg/Library/Tpm2CommandLib/Tpm2Object.c | 31 +++++++++++++++++++++-
SecurityPkg/Library/Tpm2CommandLib/Tpm2Sequences.c | 10 ++++++-
SecurityPkg/Library/Tpm2CommandLib/Tpm2Session.c | 6 ++++-
7 files changed, 107 insertions(+), 10 deletions(-)
diff --git a/SecurityPkg/Library/Tpm2CommandLib/Tpm2Capability.c b/SecurityPkg/Library/Tpm2CommandLib/Tpm2Capability.c
index 79e80fb7a9..42afe107a6 100644
--- a/SecurityPkg/Library/Tpm2CommandLib/Tpm2Capability.c
+++ b/SecurityPkg/Library/Tpm2CommandLib/Tpm2Capability.c
@@ -1,9 +1,9 @@
/** @file
Implement TPM2 Capability related command.
-Copyright (c) 2013 - 2016, Intel Corporation. All rights reserved. <BR>
+Copyright (c) 2013 - 2018, Intel Corporation. All rights reserved. <BR>
This program and the accompanying materials are licensed and made available under the terms and conditions of the BSD License which accompanies this distribution. The full text of the license may be found at http://opensource.org/licenses/bsd-license.php
@@ -110,10 +110,18 @@ Tpm2GetCapability (
if (RecvBufferSize <= sizeof (TPM2_RESPONSE_HEADER) + sizeof (UINT8)) {
return EFI_DEVICE_ERROR;
}
+ //
+ // Fail if command failed
+ //
+ if (SwapBytes32(RecvBuffer.Header.responseCode) != TPM_RC_SUCCESS) {
+ DEBUG ((EFI_D_ERROR, "Tpm2GetCapability: Response Code error! 0x%08x\r\n", SwapBytes32(RecvBuffer.Header.responseCode)));
+ return EFI_DEVICE_ERROR;
+ }
+
//
// Return the response
//
*MoreData = RecvBuffer.MoreData;
//
@@ -327,10 +335,14 @@ Tpm2GetCapabilitySupportedAlg (
}
CopyMem (AlgList, &TpmCap.data.algorithms, sizeof (TPML_ALG_PROPERTY));
AlgList->count = SwapBytes32 (AlgList->count);
+ if (AlgList->count > MAX_CAP_ALGS) {
+ return EFI_DEVICE_ERROR;
+ }
+
for (Index = 0; Index < AlgList->count; Index++) {
AlgList->algProperties[Index].alg = SwapBytes16 (AlgList->algProperties[Index].alg);
WriteUnaligned32 ((UINT32 *)&AlgList->algProperties[Index].algProperties, SwapBytes32 (ReadUnaligned32 ((UINT32 *)&AlgList->algProperties[Index].algProperties)));
}
@@ -474,13 +486,20 @@ Tpm2GetCapabilityPcrs (
if (EFI_ERROR (Status)) {
return Status;
}
Pcrs->count = SwapBytes32 (TpmCap.data.assignedPCR.count);
+ if (Pcrs->count > HASH_COUNT) {
+ return EFI_DEVICE_ERROR;
+ }
+
for (Index = 0; Index < Pcrs->count; Index++) {
Pcrs->pcrSelections[Index].hash = SwapBytes16 (TpmCap.data.assignedPCR.pcrSelections[Index].hash);
Pcrs->pcrSelections[Index].sizeofSelect = TpmCap.data.assignedPCR.pcrSelections[Index].sizeofSelect;
+ if (Pcrs->pcrSelections[Index].sizeofSelect > PCR_SELECT_MAX) {
+ return EFI_DEVICE_ERROR;
+ }
CopyMem (Pcrs->pcrSelections[Index].pcrSelect, TpmCap.data.assignedPCR.pcrSelections[Index].pcrSelect, Pcrs->pcrSelections[Index].sizeofSelect);
}
return EFI_SUCCESS;
}
diff --git a/SecurityPkg/Library/Tpm2CommandLib/Tpm2EnhancedAuthorization.c b/SecurityPkg/Library/Tpm2CommandLib/Tpm2EnhancedAuthorization.c
index 6f6b3693f8..3e42875b83 100644
--- a/SecurityPkg/Library/Tpm2CommandLib/Tpm2EnhancedAuthorization.c
+++ b/SecurityPkg/Library/Tpm2CommandLib/Tpm2EnhancedAuthorization.c
@@ -1,9 +1,9 @@
/** @file
Implement TPM2 EnhancedAuthorization related command.
-Copyright (c) 2014 - 2016, Intel Corporation. All rights reserved. <BR>
+Copyright (c) 2014 - 2018, Intel Corporation. All rights reserved. <BR>
This program and the accompanying materials are licensed and made available under the terms and conditions of the BSD License which accompanies this distribution. The full text of the license may be found at http://opensource.org/licenses/bsd-license.php
@@ -178,19 +178,29 @@ Tpm2PolicySecret (
//
// Return the response
//
Buffer = (UINT8 *)&RecvBuffer.Timeout;
Timeout->size = SwapBytes16(ReadUnaligned16 ((UINT16 *)Buffer));
+ if (Timeout->size > sizeof(UINT64)) {
+ Status = EFI_DEVICE_ERROR;
+ goto Done;
+ }
+
Buffer += sizeof(UINT16);
CopyMem (Timeout->buffer, Buffer, Timeout->size);
PolicyTicket->tag = SwapBytes16(ReadUnaligned16 ((UINT16 *)Buffer));
Buffer += sizeof(UINT16);
PolicyTicket->hierarchy = SwapBytes32(ReadUnaligned32 ((UINT32 *)Buffer));
Buffer += sizeof(UINT32);
PolicyTicket->digest.size = SwapBytes16(ReadUnaligned16 ((UINT16 *)Buffer));
Buffer += sizeof(UINT16);
+ if (PolicyTicket->digest.size > sizeof(TPMU_HA)) {
+ Status = EFI_DEVICE_ERROR;
+ goto Done;
+ }
+
CopyMem (PolicyTicket->digest.buffer, Buffer, PolicyTicket->digest.size);
Done:
//
// Clear AuthSession Content
@@ -377,9 +387,13 @@ Tpm2PolicyGetDigest (
//
// Return the response
//
PolicyHash->size = SwapBytes16 (RecvBuffer.PolicyHash.size);
+ if (PolicyHash->size > sizeof(TPMU_HA)) {
+ return EFI_DEVICE_ERROR;
+ }
+
CopyMem (PolicyHash->buffer, &RecvBuffer.PolicyHash.buffer, PolicyHash->size);
return EFI_SUCCESS;
}
diff --git a/SecurityPkg/Library/Tpm2CommandLib/Tpm2Integrity.c b/SecurityPkg/Library/Tpm2CommandLib/Tpm2Integrity.c
index 8eacfe6c13..9c0b70dd93 100644
--- a/SecurityPkg/Library/Tpm2CommandLib/Tpm2Integrity.c
+++ b/SecurityPkg/Library/Tpm2CommandLib/Tpm2Integrity.c
@@ -1,9 +1,9 @@
/** @file
Implement TPM2 Integrity related command.
-Copyright (c) 2013 - 2016, Intel Corporation. All rights reserved. <BR>
+Copyright (c) 2013 - 2018, Intel Corporation. All rights reserved. <BR>
This program and the accompanying materials are licensed and made available under the terms and conditions of the BSD License which accompanies this distribution. The full text of the license may be found at http://opensource.org/licenses/bsd-license.php
@@ -277,10 +277,14 @@ Tpm2PcrEvent (
// Unmarshal the response
//
Buffer = (UINT8 *)&Res.Digests;
Digests->count = SwapBytes32 (ReadUnaligned32 ((UINT32 *)Buffer));
+ if (Digests->count > HASH_COUNT) {
+ return EFI_DEVICE_ERROR;
+ }
+
Buffer += sizeof(UINT32);
for (Index = 0; Index < Digests->count; Index++) {
Digests->digests[Index].hashAlg = SwapBytes16 (ReadUnaligned16 ((UINT16 *)Buffer));
Buffer += sizeof(UINT16);
DigestSize = GetHashSizeFromAlgo (Digests->digests[Index].hashAlg);
@@ -381,28 +385,37 @@ Tpm2PcrRead (
if (RecvBufferSize < sizeof (TPM2_RESPONSE_HEADER) + sizeof(RecvBuffer.PcrUpdateCounter) + sizeof(RecvBuffer.PcrSelectionOut.count)) {
DEBUG ((EFI_D_ERROR, "Tpm2PcrRead - RecvBufferSize Error - %x\n", RecvBufferSize));
return EFI_DEVICE_ERROR;
}
PcrSelectionOut->count = SwapBytes32(RecvBuffer.PcrSelectionOut.count);
- if (RecvBufferSize < sizeof (TPM2_RESPONSE_HEADER) + sizeof(RecvBuffer.PcrUpdateCounter) + sizeof(RecvBuffer.PcrSelectionOut.count) + sizeof(RecvBuffer.PcrSelectionOut.pcrSelections[0]) * PcrSelectionOut->count) {
- DEBUG ((EFI_D_ERROR, "Tpm2PcrRead - RecvBufferSize Error - %x\n", RecvBufferSize));
+ if (PcrSelectionOut->count > HASH_COUNT || RecvBufferSize < sizeof (TPM2_RESPONSE_HEADER) + sizeof(RecvBuffer.PcrUpdateCounter) + sizeof(RecvBuffer.PcrSelectionOut.count) + sizeof(RecvBuffer.PcrSelectionOut.pcrSelections[0]) * PcrSelectionOut->count) {
+ DEBUG ((EFI_D_ERROR, "Tpm2PcrRead - Digests->count -%x or
+ RecvBufferSize Error - %x\n", PcrSelectionOut->count,
+ RecvBufferSize));
return EFI_DEVICE_ERROR;
}
for (Index = 0; Index < PcrSelectionOut->count; Index++) {
PcrSelectionOut->pcrSelections[Index].hash = SwapBytes16(RecvBuffer.PcrSelectionOut.pcrSelections[Index].hash);
PcrSelectionOut->pcrSelections[Index].sizeofSelect = RecvBuffer.PcrSelectionOut.pcrSelections[Index].sizeofSelect;
+ if (PcrSelectionOut->pcrSelections[Index].sizeofSelect > PCR_SELECT_MAX) {
+ return EFI_DEVICE_ERROR;
+ }
CopyMem (&PcrSelectionOut->pcrSelections[Index].pcrSelect, &RecvBuffer.PcrSelectionOut.pcrSelections[Index].pcrSelect, PcrSelectionOut->pcrSelections[Index].sizeofSelect);
}
//
// PcrValues
//
PcrValuesOut = (TPML_DIGEST *)((UINT8 *)&RecvBuffer + sizeof (TPM2_RESPONSE_HEADER) + sizeof(RecvBuffer.PcrUpdateCounter) + sizeof(RecvBuffer.PcrSelectionOut.count) + sizeof(RecvBuffer.PcrSelectionOut.pcrSelections[0]) * PcrSelectionOut->count);
PcrValues->count = SwapBytes32(PcrValuesOut->count);
+ if (PcrValues->count > 8) {
+ return EFI_DEVICE_ERROR;
+ }
Digests = PcrValuesOut->digests;
for (Index = 0; Index < PcrValues->count; Index++) {
PcrValues->digests[Index].size = SwapBytes16(Digests->size);
+ if (PcrValues->digests[Index].size > sizeof(TPMU_HA)) {
+ return EFI_DEVICE_ERROR;
+ }
CopyMem (&PcrValues->digests[Index].buffer, &Digests->buffer, PcrValues->digests[Index].size);
Digests = (TPM2B_DIGEST *)((UINT8 *)Digests + sizeof(Digests->size) + PcrValues->digests[Index].size);
}
return EFI_SUCCESS;
diff --git a/SecurityPkg/Library/Tpm2CommandLib/Tpm2NVStorage.c b/SecurityPkg/Library/Tpm2CommandLib/Tpm2NVStorage.c
index 9508022132..2b87260764 100644
--- a/SecurityPkg/Library/Tpm2CommandLib/Tpm2NVStorage.c
+++ b/SecurityPkg/Library/Tpm2CommandLib/Tpm2NVStorage.c
@@ -1,9 +1,9 @@
/** @file
Implement TPM2 NVStorage related command.
-Copyright (c) 2013 - 2016, Intel Corporation. All rights reserved. <BR>
+Copyright (c) 2013 - 2018, Intel Corporation. All rights reserved. <BR>
This program and the accompanying materials are licensed and made available under the terms and conditions of the BSD License which accompanies this distribution. The full text of the license may be found at http://opensource.org/licenses/bsd-license.php
@@ -232,13 +232,18 @@ Tpm2NvReadPublic (
//
// Basic check
//
NvPublicSize = SwapBytes16 (RecvBuffer.NvPublic.size);
+ if (NvPublicSize > sizeof(TPMS_NV_PUBLIC)) {
+ return EFI_DEVICE_ERROR;
+ }
+
NvNameSize = SwapBytes16 (ReadUnaligned16 ((UINT16 *)((UINT8 *)&RecvBuffer + sizeof(TPM2_RESPONSE_HEADER) + sizeof(UINT16) + NvPublicSize)));
- if (RecvBufferSize != sizeof(TPM2_RESPONSE_HEADER) + sizeof(UINT16) + NvPublicSize + sizeof(UINT16) + NvNameSize) {
+ if (NvNameSize > sizeof(TPMU_NAME) ||
+ (RecvBufferSize != sizeof(TPM2_RESPONSE_HEADER) + sizeof(UINT16)
+ + NvPublicSize + sizeof(UINT16) + NvNameSize)) {
DEBUG ((EFI_D_ERROR, "Tpm2NvReadPublic - RecvBufferSize Error - NvPublicSize %x, NvNameSize %x\n", RecvBufferSize, NvNameSize));
return EFI_NOT_FOUND;
}
//
@@ -630,10 +635,15 @@ Tpm2NvRead (
//
// Return the response
//
OutData->size = SwapBytes16 (RecvBuffer.Data.size);
+ if (OutData->size > MAX_DIGEST_BUFFER) {
+ Status = EFI_DEVICE_ERROR;
+ goto Done;
+ }
+
CopyMem (OutData->buffer, &RecvBuffer.Data.buffer, OutData->size);
Done:
//
// Clear AuthSession Content
diff --git a/SecurityPkg/Library/Tpm2CommandLib/Tpm2Object.c b/SecurityPkg/Library/Tpm2CommandLib/Tpm2Object.c
index e070ff2f74..e9f693b65d 100644
--- a/SecurityPkg/Library/Tpm2CommandLib/Tpm2Object.c
+++ b/SecurityPkg/Library/Tpm2CommandLib/Tpm2Object.c
@@ -1,9 +1,9 @@
/** @file
Implement TPM2 Object related command.
-Copyright (c) 2017, Intel Corporation. All rights reserved. <BR>
+Copyright (c) 2017 - 2018, Intel Corporation. All rights reserved. <BR>
This program and the accompanying materials are licensed and made available under the terms and conditions of the BSD License which accompanies this distribution. The full text of the license may be found at http://opensource.org/licenses/bsd-license.php
@@ -107,15 +107,26 @@ Tpm2ReadPublic (
//
// Basic check
//
OutPublicSize = SwapBytes16 (RecvBuffer.OutPublic.size);
+ if (OutPublicSize > sizeof(TPMT_PUBLIC)) {
+ return EFI_DEVICE_ERROR;
+ }
+
NameSize = SwapBytes16 (ReadUnaligned16 ((UINT16 *)((UINT8 *)&RecvBuffer + sizeof(TPM2_RESPONSE_HEADER) +
sizeof(UINT16) + OutPublicSize)));
+ if (NameSize > sizeof(TPMU_NAME)) {
+ return EFI_DEVICE_ERROR;
+ }
+
QualifiedNameSize = SwapBytes16 (ReadUnaligned16 ((UINT16 *)((UINT8 *)&RecvBuffer + sizeof(TPM2_RESPONSE_HEADER) +
sizeof(UINT16) + OutPublicSize +
sizeof(UINT16) + NameSize)));
+ if (QualifiedNameSize > sizeof(TPMU_NAME)) {
+ return EFI_DEVICE_ERROR;
+ }
if (RecvBufferSize != sizeof(TPM2_RESPONSE_HEADER) + sizeof(UINT16) + OutPublicSize + sizeof(UINT16) + NameSize + sizeof(UINT16) + QualifiedNameSize) {
DEBUG ((DEBUG_ERROR, "Tpm2ReadPublic - RecvBufferSize %x Error - OutPublicSize %x, NameSize %x, QualifiedNameSize %x\n", RecvBufferSize, OutPublicSize, NameSize, QualifiedNameSize));
return EFI_DEVICE_ERROR;
}
@@ -130,10 +141,13 @@ Tpm2ReadPublic (
OutPublic->publicArea.nameAlg = SwapBytes16 (OutPublic->publicArea.nameAlg);
WriteUnaligned32 ((UINT32 *)&OutPublic->publicArea.objectAttributes, SwapBytes32 (ReadUnaligned32 ((UINT32 *)&OutPublic->publicArea.objectAttributes)));
Buffer = (UINT8 *)&RecvBuffer.OutPublic.publicArea.authPolicy;
OutPublic->publicArea.authPolicy.size = SwapBytes16 (ReadUnaligned16 ((UINT16 *)Buffer));
Buffer += sizeof(UINT16);
+ if (OutPublic->publicArea.authPolicy.size > sizeof(TPMU_HA)) {
+ return EFI_DEVICE_ERROR;
+ }
CopyMem (OutPublic->publicArea.authPolicy.buffer, Buffer, OutPublic->publicArea.authPolicy.size);
Buffer += OutPublic->publicArea.authPolicy.size;
// TPMU_PUBLIC_PARMS
switch (OutPublic->publicArea.type) { @@ -305,32 +319,47 @@ Tpm2ReadPublic (
// TPMU_PUBLIC_ID
switch (OutPublic->publicArea.type) {
case TPM_ALG_KEYEDHASH:
OutPublic->publicArea.unique.keyedHash.size = SwapBytes16 (ReadUnaligned16 ((UINT16 *)Buffer));
Buffer += sizeof(UINT16);
+ if(OutPublic->publicArea.unique.keyedHash.size > sizeof(TPMU_HA)) {
+ return EFI_DEVICE_ERROR;
+ }
CopyMem (OutPublic->publicArea.unique.keyedHash.buffer, Buffer, OutPublic->publicArea.unique.keyedHash.size);
Buffer += OutPublic->publicArea.unique.keyedHash.size;
break;
case TPM_ALG_SYMCIPHER:
OutPublic->publicArea.unique.sym.size = SwapBytes16 (ReadUnaligned16 ((UINT16 *)Buffer));
Buffer += sizeof(UINT16);
+ if(OutPublic->publicArea.unique.sym.size > sizeof(TPMU_HA)) {
+ return EFI_DEVICE_ERROR;
+ }
CopyMem (OutPublic->publicArea.unique.sym.buffer, Buffer, OutPublic->publicArea.unique.sym.size);
Buffer += OutPublic->publicArea.unique.sym.size;
break;
case TPM_ALG_RSA:
OutPublic->publicArea.unique.rsa.size = SwapBytes16 (ReadUnaligned16 ((UINT16 *)Buffer));
Buffer += sizeof(UINT16);
+ if(OutPublic->publicArea.unique.rsa.size > MAX_RSA_KEY_BYTES) {
+ return EFI_DEVICE_ERROR;
+ }
CopyMem (OutPublic->publicArea.unique.rsa.buffer, Buffer, OutPublic->publicArea.unique.rsa.size);
Buffer += OutPublic->publicArea.unique.rsa.size;
break;
case TPM_ALG_ECC:
OutPublic->publicArea.unique.ecc.x.size = SwapBytes16 (ReadUnaligned16 ((UINT16 *)Buffer));
Buffer += sizeof(UINT16);
+ if (OutPublic->publicArea.unique.ecc.x.size > MAX_ECC_KEY_BYTES) {
+ return EFI_DEVICE_ERROR;
+ }
CopyMem (OutPublic->publicArea.unique.ecc.x.buffer, Buffer, OutPublic->publicArea.unique.ecc.x.size);
Buffer += OutPublic->publicArea.unique.ecc.x.size;
OutPublic->publicArea.unique.ecc.y.size = SwapBytes16 (ReadUnaligned16 ((UINT16 *)Buffer));
Buffer += sizeof(UINT16);
+ if (OutPublic->publicArea.unique.ecc.y.size > MAX_ECC_KEY_BYTES) {
+ return EFI_DEVICE_ERROR;
+ }
CopyMem (OutPublic->publicArea.unique.ecc.y.buffer, Buffer, OutPublic->publicArea.unique.ecc.y.size);
Buffer += OutPublic->publicArea.unique.ecc.y.size;
break;
default:
return EFI_UNSUPPORTED;
diff --git a/SecurityPkg/Library/Tpm2CommandLib/Tpm2Sequences.c b/SecurityPkg/Library/Tpm2CommandLib/Tpm2Sequences.c
index 305b6f2078..68a445bafc 100644
--- a/SecurityPkg/Library/Tpm2CommandLib/Tpm2Sequences.c
+++ b/SecurityPkg/Library/Tpm2CommandLib/Tpm2Sequences.c
@@ -1,9 +1,9 @@
/** @file
Implement TPM2 Sequences related command.
-Copyright (c) 2013, Intel Corporation. All rights reserved. <BR>
+Copyright (c) 2013 - 2018, Intel Corporation. All rights reserved. <BR>
This program and the accompanying materials are licensed and made available under the terms and conditions of the BSD License which accompanies this distribution. The full text of the license may be found at http://opensource.org/licenses/bsd-license.php
@@ -373,10 +373,14 @@ Tpm2EventSequenceComplete (
BufferPtr = (UINT8 *)&Res.Results;
// count
Results->count = SwapBytes32(ReadUnaligned32 ((UINT32 *)BufferPtr));
+ if (Results->count > HASH_COUNT) {
+ return EFI_DEVICE_ERROR;
+ }
+
BufferPtr += sizeof(UINT32);
for (Index = 0; Index < Results->count; Index++) {
Results->digests[Index].hashAlg = SwapBytes16(ReadUnaligned16 ((UINT16 *)BufferPtr));
BufferPtr += sizeof(UINT16);
@@ -494,10 +498,14 @@ Tpm2SequenceComplete (
BufferPtr = (UINT8 *)&Res.Digest;
// digestSize
Result->size = SwapBytes16(ReadUnaligned16 ((UINT16 *)BufferPtr));
+ if (Result->size > sizeof(TPMU_HA)){
+ return EFI_DEVICE_ERROR;
+ }
+
BufferPtr += sizeof(UINT16);
CopyMem(
Result->buffer,
BufferPtr,
diff --git a/SecurityPkg/Library/Tpm2CommandLib/Tpm2Session.c b/SecurityPkg/Library/Tpm2CommandLib/Tpm2Session.c
index f03b6689ac..0c9b310e54 100644
--- a/SecurityPkg/Library/Tpm2CommandLib/Tpm2Session.c
+++ b/SecurityPkg/Library/Tpm2CommandLib/Tpm2Session.c
@@ -1,9 +1,9 @@
/** @file
Implement TPM2 Session related command.
-Copyright (c) 2014, Intel Corporation. All rights reserved. <BR>
+Copyright (c) 2014 - 2018, Intel Corporation. All rights reserved. <BR>
This program and the accompanying materials are licensed and made available under the terms and conditions of the BSD License which accompanies this distribution. The full text of the license may be found at http://opensource.org/licenses/bsd-license.php
@@ -161,9 +161,13 @@ Tpm2StartAuthSession (
//
// Return the response
//
*SessionHandle = SwapBytes32 (RecvBuffer.SessionHandle);
NonceTPM->size = SwapBytes16 (RecvBuffer.NonceTPM.size);
+ if (NonceTPM->size > sizeof(TPMU_HA)) {
+ return EFI_DEVICE_ERROR;
+ }
+
CopyMem (NonceTPM->buffer, &RecvBuffer.NonceTPM.buffer, NonceTPM->size);
return EFI_SUCCESS;
}
--
2.16.2.windows.1
^ permalink raw reply related [flat|nested] 5+ messages in thread
* Re: [Patch] SecurityPkg Tpm2CommandLib: Fix TPM2.0 response memory overflow
2018-03-21 2:57 ` Long, Qin
@ 2018-03-21 3:03 ` Zhang, Chao B
2018-03-21 6:39 ` Yao, Jiewen
0 siblings, 1 reply; 5+ messages in thread
From: Zhang, Chao B @ 2018-03-21 3:03 UTC (permalink / raw)
To: Long, Qin, edk2-devel@lists.01.org; +Cc: Yao, Jiewen
Thanks Qin, I will add more comments to explain the magic code
-----Original Message-----
From: Long, Qin
Sent: Wednesday, March 21, 2018 10:58 AM
To: Zhang, Chao B <chao.b.zhang@intel.com>; edk2-devel@lists.01.org
Cc: Yao, Jiewen <jiewen.yao@intel.com>
Subject: RE: [Patch] SecurityPkg Tpm2CommandLib: Fix TPM2.0 response memory overflow
Hi, Chao,
One minor suggestion to add the comment to explain the following value "8": the number of digests in list is not greater than 8 per TPML_DIGEST definition.
+ if (PcrValues->count > 8) {
+ return EFI_DEVICE_ERROR;
+ }
Other looks good to me.
Reviewed-by: Long Qin <qin.long@intel.com>
Best Regards & Thanks,
LONG, Qin
-----Original Message-----
From: Zhang, Chao B
Sent: Tuesday, March 20, 2018 4:36 PM
To: edk2-devel@lists.01.org
Cc: Long, Qin <qin.long@intel.com>; Yao, Jiewen <jiewen.yao@intel.com>; Zhang, Chao B <chao.b.zhang@intel.com>
Subject: [Patch] SecurityPkg Tpm2CommandLib: Fix TPM2.0 response memory overflow
TPM2.0 command lib always assumes TPM device and transmission channel can respond correctly. But it is not true when communication channel is exploited and wrong data is spoofed. Add more logic to prohibit memory overflow attack.
Cc: Long Qin <qin.long@intel.com>
Cc: Yao Jiewen <jiewen.yao@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Chao Zhang <chao.b.zhang@intel.com>
Signed-off-by: Zhang, Chao B <chao.b.zhang@intel.com>
---
.../Library/Tpm2CommandLib/Tpm2Capability.c | 21 ++++++++++++++-
.../Tpm2CommandLib/Tpm2EnhancedAuthorization.c | 16 ++++++++++-
SecurityPkg/Library/Tpm2CommandLib/Tpm2Integrity.c | 19 ++++++++++--- SecurityPkg/Library/Tpm2CommandLib/Tpm2NVStorage.c | 14 ++++++++--
SecurityPkg/Library/Tpm2CommandLib/Tpm2Object.c | 31 +++++++++++++++++++++-
SecurityPkg/Library/Tpm2CommandLib/Tpm2Sequences.c | 10 ++++++-
SecurityPkg/Library/Tpm2CommandLib/Tpm2Session.c | 6 ++++-
7 files changed, 107 insertions(+), 10 deletions(-)
diff --git a/SecurityPkg/Library/Tpm2CommandLib/Tpm2Capability.c b/SecurityPkg/Library/Tpm2CommandLib/Tpm2Capability.c
index 79e80fb7a9..42afe107a6 100644
--- a/SecurityPkg/Library/Tpm2CommandLib/Tpm2Capability.c
+++ b/SecurityPkg/Library/Tpm2CommandLib/Tpm2Capability.c
@@ -1,9 +1,9 @@
/** @file
Implement TPM2 Capability related command.
-Copyright (c) 2013 - 2016, Intel Corporation. All rights reserved. <BR>
+Copyright (c) 2013 - 2018, Intel Corporation. All rights reserved. <BR>
This program and the accompanying materials are licensed and made available under the terms and conditions of the BSD License which accompanies this distribution. The full text of the license may be found at http://opensource.org/licenses/bsd-license.php
@@ -110,10 +110,18 @@ Tpm2GetCapability (
if (RecvBufferSize <= sizeof (TPM2_RESPONSE_HEADER) + sizeof (UINT8)) {
return EFI_DEVICE_ERROR;
}
+ //
+ // Fail if command failed
+ //
+ if (SwapBytes32(RecvBuffer.Header.responseCode) != TPM_RC_SUCCESS) {
+ DEBUG ((EFI_D_ERROR, "Tpm2GetCapability: Response Code error! 0x%08x\r\n", SwapBytes32(RecvBuffer.Header.responseCode)));
+ return EFI_DEVICE_ERROR;
+ }
+
//
// Return the response
//
*MoreData = RecvBuffer.MoreData;
//
@@ -327,10 +335,14 @@ Tpm2GetCapabilitySupportedAlg (
}
CopyMem (AlgList, &TpmCap.data.algorithms, sizeof (TPML_ALG_PROPERTY));
AlgList->count = SwapBytes32 (AlgList->count);
+ if (AlgList->count > MAX_CAP_ALGS) {
+ return EFI_DEVICE_ERROR;
+ }
+
for (Index = 0; Index < AlgList->count; Index++) {
AlgList->algProperties[Index].alg = SwapBytes16 (AlgList->algProperties[Index].alg);
WriteUnaligned32 ((UINT32 *)&AlgList->algProperties[Index].algProperties, SwapBytes32 (ReadUnaligned32 ((UINT32 *)&AlgList->algProperties[Index].algProperties)));
}
@@ -474,13 +486,20 @@ Tpm2GetCapabilityPcrs (
if (EFI_ERROR (Status)) {
return Status;
}
Pcrs->count = SwapBytes32 (TpmCap.data.assignedPCR.count);
+ if (Pcrs->count > HASH_COUNT) {
+ return EFI_DEVICE_ERROR;
+ }
+
for (Index = 0; Index < Pcrs->count; Index++) {
Pcrs->pcrSelections[Index].hash = SwapBytes16 (TpmCap.data.assignedPCR.pcrSelections[Index].hash);
Pcrs->pcrSelections[Index].sizeofSelect = TpmCap.data.assignedPCR.pcrSelections[Index].sizeofSelect;
+ if (Pcrs->pcrSelections[Index].sizeofSelect > PCR_SELECT_MAX) {
+ return EFI_DEVICE_ERROR;
+ }
CopyMem (Pcrs->pcrSelections[Index].pcrSelect, TpmCap.data.assignedPCR.pcrSelections[Index].pcrSelect, Pcrs->pcrSelections[Index].sizeofSelect);
}
return EFI_SUCCESS;
}
diff --git a/SecurityPkg/Library/Tpm2CommandLib/Tpm2EnhancedAuthorization.c b/SecurityPkg/Library/Tpm2CommandLib/Tpm2EnhancedAuthorization.c
index 6f6b3693f8..3e42875b83 100644
--- a/SecurityPkg/Library/Tpm2CommandLib/Tpm2EnhancedAuthorization.c
+++ b/SecurityPkg/Library/Tpm2CommandLib/Tpm2EnhancedAuthorization.c
@@ -1,9 +1,9 @@
/** @file
Implement TPM2 EnhancedAuthorization related command.
-Copyright (c) 2014 - 2016, Intel Corporation. All rights reserved. <BR>
+Copyright (c) 2014 - 2018, Intel Corporation. All rights reserved. <BR>
This program and the accompanying materials are licensed and made available under the terms and conditions of the BSD License which accompanies this distribution. The full text of the license may be found at http://opensource.org/licenses/bsd-license.php
@@ -178,19 +178,29 @@ Tpm2PolicySecret (
//
// Return the response
//
Buffer = (UINT8 *)&RecvBuffer.Timeout;
Timeout->size = SwapBytes16(ReadUnaligned16 ((UINT16 *)Buffer));
+ if (Timeout->size > sizeof(UINT64)) {
+ Status = EFI_DEVICE_ERROR;
+ goto Done;
+ }
+
Buffer += sizeof(UINT16);
CopyMem (Timeout->buffer, Buffer, Timeout->size);
PolicyTicket->tag = SwapBytes16(ReadUnaligned16 ((UINT16 *)Buffer));
Buffer += sizeof(UINT16);
PolicyTicket->hierarchy = SwapBytes32(ReadUnaligned32 ((UINT32 *)Buffer));
Buffer += sizeof(UINT32);
PolicyTicket->digest.size = SwapBytes16(ReadUnaligned16 ((UINT16 *)Buffer));
Buffer += sizeof(UINT16);
+ if (PolicyTicket->digest.size > sizeof(TPMU_HA)) {
+ Status = EFI_DEVICE_ERROR;
+ goto Done;
+ }
+
CopyMem (PolicyTicket->digest.buffer, Buffer, PolicyTicket->digest.size);
Done:
//
// Clear AuthSession Content
@@ -377,9 +387,13 @@ Tpm2PolicyGetDigest (
//
// Return the response
//
PolicyHash->size = SwapBytes16 (RecvBuffer.PolicyHash.size);
+ if (PolicyHash->size > sizeof(TPMU_HA)) {
+ return EFI_DEVICE_ERROR;
+ }
+
CopyMem (PolicyHash->buffer, &RecvBuffer.PolicyHash.buffer, PolicyHash->size);
return EFI_SUCCESS;
}
diff --git a/SecurityPkg/Library/Tpm2CommandLib/Tpm2Integrity.c b/SecurityPkg/Library/Tpm2CommandLib/Tpm2Integrity.c
index 8eacfe6c13..9c0b70dd93 100644
--- a/SecurityPkg/Library/Tpm2CommandLib/Tpm2Integrity.c
+++ b/SecurityPkg/Library/Tpm2CommandLib/Tpm2Integrity.c
@@ -1,9 +1,9 @@
/** @file
Implement TPM2 Integrity related command.
-Copyright (c) 2013 - 2016, Intel Corporation. All rights reserved. <BR>
+Copyright (c) 2013 - 2018, Intel Corporation. All rights reserved. <BR>
This program and the accompanying materials are licensed and made available under the terms and conditions of the BSD License which accompanies this distribution. The full text of the license may be found at http://opensource.org/licenses/bsd-license.php
@@ -277,10 +277,14 @@ Tpm2PcrEvent (
// Unmarshal the response
//
Buffer = (UINT8 *)&Res.Digests;
Digests->count = SwapBytes32 (ReadUnaligned32 ((UINT32 *)Buffer));
+ if (Digests->count > HASH_COUNT) {
+ return EFI_DEVICE_ERROR;
+ }
+
Buffer += sizeof(UINT32);
for (Index = 0; Index < Digests->count; Index++) {
Digests->digests[Index].hashAlg = SwapBytes16 (ReadUnaligned16 ((UINT16 *)Buffer));
Buffer += sizeof(UINT16);
DigestSize = GetHashSizeFromAlgo (Digests->digests[Index].hashAlg);
@@ -381,28 +385,37 @@ Tpm2PcrRead (
if (RecvBufferSize < sizeof (TPM2_RESPONSE_HEADER) + sizeof(RecvBuffer.PcrUpdateCounter) + sizeof(RecvBuffer.PcrSelectionOut.count)) {
DEBUG ((EFI_D_ERROR, "Tpm2PcrRead - RecvBufferSize Error - %x\n", RecvBufferSize));
return EFI_DEVICE_ERROR;
}
PcrSelectionOut->count = SwapBytes32(RecvBuffer.PcrSelectionOut.count);
- if (RecvBufferSize < sizeof (TPM2_RESPONSE_HEADER) + sizeof(RecvBuffer.PcrUpdateCounter) + sizeof(RecvBuffer.PcrSelectionOut.count) + sizeof(RecvBuffer.PcrSelectionOut.pcrSelections[0]) * PcrSelectionOut->count) {
- DEBUG ((EFI_D_ERROR, "Tpm2PcrRead - RecvBufferSize Error - %x\n", RecvBufferSize));
+ if (PcrSelectionOut->count > HASH_COUNT || RecvBufferSize < sizeof (TPM2_RESPONSE_HEADER) + sizeof(RecvBuffer.PcrUpdateCounter) + sizeof(RecvBuffer.PcrSelectionOut.count) + sizeof(RecvBuffer.PcrSelectionOut.pcrSelections[0]) * PcrSelectionOut->count) {
+ DEBUG ((EFI_D_ERROR, "Tpm2PcrRead - Digests->count -%x or
+ RecvBufferSize Error - %x\n", PcrSelectionOut->count,
+ RecvBufferSize));
return EFI_DEVICE_ERROR;
}
for (Index = 0; Index < PcrSelectionOut->count; Index++) {
PcrSelectionOut->pcrSelections[Index].hash = SwapBytes16(RecvBuffer.PcrSelectionOut.pcrSelections[Index].hash);
PcrSelectionOut->pcrSelections[Index].sizeofSelect = RecvBuffer.PcrSelectionOut.pcrSelections[Index].sizeofSelect;
+ if (PcrSelectionOut->pcrSelections[Index].sizeofSelect > PCR_SELECT_MAX) {
+ return EFI_DEVICE_ERROR;
+ }
CopyMem (&PcrSelectionOut->pcrSelections[Index].pcrSelect, &RecvBuffer.PcrSelectionOut.pcrSelections[Index].pcrSelect, PcrSelectionOut->pcrSelections[Index].sizeofSelect);
}
//
// PcrValues
//
PcrValuesOut = (TPML_DIGEST *)((UINT8 *)&RecvBuffer + sizeof (TPM2_RESPONSE_HEADER) + sizeof(RecvBuffer.PcrUpdateCounter) + sizeof(RecvBuffer.PcrSelectionOut.count) + sizeof(RecvBuffer.PcrSelectionOut.pcrSelections[0]) * PcrSelectionOut->count);
PcrValues->count = SwapBytes32(PcrValuesOut->count);
+ if (PcrValues->count > 8) {
+ return EFI_DEVICE_ERROR;
+ }
Digests = PcrValuesOut->digests;
for (Index = 0; Index < PcrValues->count; Index++) {
PcrValues->digests[Index].size = SwapBytes16(Digests->size);
+ if (PcrValues->digests[Index].size > sizeof(TPMU_HA)) {
+ return EFI_DEVICE_ERROR;
+ }
CopyMem (&PcrValues->digests[Index].buffer, &Digests->buffer, PcrValues->digests[Index].size);
Digests = (TPM2B_DIGEST *)((UINT8 *)Digests + sizeof(Digests->size) + PcrValues->digests[Index].size);
}
return EFI_SUCCESS;
diff --git a/SecurityPkg/Library/Tpm2CommandLib/Tpm2NVStorage.c b/SecurityPkg/Library/Tpm2CommandLib/Tpm2NVStorage.c
index 9508022132..2b87260764 100644
--- a/SecurityPkg/Library/Tpm2CommandLib/Tpm2NVStorage.c
+++ b/SecurityPkg/Library/Tpm2CommandLib/Tpm2NVStorage.c
@@ -1,9 +1,9 @@
/** @file
Implement TPM2 NVStorage related command.
-Copyright (c) 2013 - 2016, Intel Corporation. All rights reserved. <BR>
+Copyright (c) 2013 - 2018, Intel Corporation. All rights reserved. <BR>
This program and the accompanying materials are licensed and made available under the terms and conditions of the BSD License which accompanies this distribution. The full text of the license may be found at http://opensource.org/licenses/bsd-license.php
@@ -232,13 +232,18 @@ Tpm2NvReadPublic (
//
// Basic check
//
NvPublicSize = SwapBytes16 (RecvBuffer.NvPublic.size);
+ if (NvPublicSize > sizeof(TPMS_NV_PUBLIC)) {
+ return EFI_DEVICE_ERROR;
+ }
+
NvNameSize = SwapBytes16 (ReadUnaligned16 ((UINT16 *)((UINT8 *)&RecvBuffer + sizeof(TPM2_RESPONSE_HEADER) + sizeof(UINT16) + NvPublicSize)));
- if (RecvBufferSize != sizeof(TPM2_RESPONSE_HEADER) + sizeof(UINT16) + NvPublicSize + sizeof(UINT16) + NvNameSize) {
+ if (NvNameSize > sizeof(TPMU_NAME) ||
+ (RecvBufferSize != sizeof(TPM2_RESPONSE_HEADER) + sizeof(UINT16)
+ + NvPublicSize + sizeof(UINT16) + NvNameSize)) {
DEBUG ((EFI_D_ERROR, "Tpm2NvReadPublic - RecvBufferSize Error - NvPublicSize %x, NvNameSize %x\n", RecvBufferSize, NvNameSize));
return EFI_NOT_FOUND;
}
//
@@ -630,10 +635,15 @@ Tpm2NvRead (
//
// Return the response
//
OutData->size = SwapBytes16 (RecvBuffer.Data.size);
+ if (OutData->size > MAX_DIGEST_BUFFER) {
+ Status = EFI_DEVICE_ERROR;
+ goto Done;
+ }
+
CopyMem (OutData->buffer, &RecvBuffer.Data.buffer, OutData->size);
Done:
//
// Clear AuthSession Content
diff --git a/SecurityPkg/Library/Tpm2CommandLib/Tpm2Object.c b/SecurityPkg/Library/Tpm2CommandLib/Tpm2Object.c
index e070ff2f74..e9f693b65d 100644
--- a/SecurityPkg/Library/Tpm2CommandLib/Tpm2Object.c
+++ b/SecurityPkg/Library/Tpm2CommandLib/Tpm2Object.c
@@ -1,9 +1,9 @@
/** @file
Implement TPM2 Object related command.
-Copyright (c) 2017, Intel Corporation. All rights reserved. <BR>
+Copyright (c) 2017 - 2018, Intel Corporation. All rights reserved. <BR>
This program and the accompanying materials are licensed and made available under the terms and conditions of the BSD License which accompanies this distribution. The full text of the license may be found at http://opensource.org/licenses/bsd-license.php
@@ -107,15 +107,26 @@ Tpm2ReadPublic (
//
// Basic check
//
OutPublicSize = SwapBytes16 (RecvBuffer.OutPublic.size);
+ if (OutPublicSize > sizeof(TPMT_PUBLIC)) {
+ return EFI_DEVICE_ERROR;
+ }
+
NameSize = SwapBytes16 (ReadUnaligned16 ((UINT16 *)((UINT8 *)&RecvBuffer + sizeof(TPM2_RESPONSE_HEADER) +
sizeof(UINT16) + OutPublicSize)));
+ if (NameSize > sizeof(TPMU_NAME)) {
+ return EFI_DEVICE_ERROR;
+ }
+
QualifiedNameSize = SwapBytes16 (ReadUnaligned16 ((UINT16 *)((UINT8 *)&RecvBuffer + sizeof(TPM2_RESPONSE_HEADER) +
sizeof(UINT16) + OutPublicSize +
sizeof(UINT16) + NameSize)));
+ if (QualifiedNameSize > sizeof(TPMU_NAME)) {
+ return EFI_DEVICE_ERROR;
+ }
if (RecvBufferSize != sizeof(TPM2_RESPONSE_HEADER) + sizeof(UINT16) + OutPublicSize + sizeof(UINT16) + NameSize + sizeof(UINT16) + QualifiedNameSize) {
DEBUG ((DEBUG_ERROR, "Tpm2ReadPublic - RecvBufferSize %x Error - OutPublicSize %x, NameSize %x, QualifiedNameSize %x\n", RecvBufferSize, OutPublicSize, NameSize, QualifiedNameSize));
return EFI_DEVICE_ERROR;
}
@@ -130,10 +141,13 @@ Tpm2ReadPublic (
OutPublic->publicArea.nameAlg = SwapBytes16 (OutPublic->publicArea.nameAlg);
WriteUnaligned32 ((UINT32 *)&OutPublic->publicArea.objectAttributes, SwapBytes32 (ReadUnaligned32 ((UINT32 *)&OutPublic->publicArea.objectAttributes)));
Buffer = (UINT8 *)&RecvBuffer.OutPublic.publicArea.authPolicy;
OutPublic->publicArea.authPolicy.size = SwapBytes16 (ReadUnaligned16 ((UINT16 *)Buffer));
Buffer += sizeof(UINT16);
+ if (OutPublic->publicArea.authPolicy.size > sizeof(TPMU_HA)) {
+ return EFI_DEVICE_ERROR;
+ }
CopyMem (OutPublic->publicArea.authPolicy.buffer, Buffer, OutPublic->publicArea.authPolicy.size);
Buffer += OutPublic->publicArea.authPolicy.size;
// TPMU_PUBLIC_PARMS
switch (OutPublic->publicArea.type) { @@ -305,32 +319,47 @@ Tpm2ReadPublic (
// TPMU_PUBLIC_ID
switch (OutPublic->publicArea.type) {
case TPM_ALG_KEYEDHASH:
OutPublic->publicArea.unique.keyedHash.size = SwapBytes16 (ReadUnaligned16 ((UINT16 *)Buffer));
Buffer += sizeof(UINT16);
+ if(OutPublic->publicArea.unique.keyedHash.size > sizeof(TPMU_HA)) {
+ return EFI_DEVICE_ERROR;
+ }
CopyMem (OutPublic->publicArea.unique.keyedHash.buffer, Buffer, OutPublic->publicArea.unique.keyedHash.size);
Buffer += OutPublic->publicArea.unique.keyedHash.size;
break;
case TPM_ALG_SYMCIPHER:
OutPublic->publicArea.unique.sym.size = SwapBytes16 (ReadUnaligned16 ((UINT16 *)Buffer));
Buffer += sizeof(UINT16);
+ if(OutPublic->publicArea.unique.sym.size > sizeof(TPMU_HA)) {
+ return EFI_DEVICE_ERROR;
+ }
CopyMem (OutPublic->publicArea.unique.sym.buffer, Buffer, OutPublic->publicArea.unique.sym.size);
Buffer += OutPublic->publicArea.unique.sym.size;
break;
case TPM_ALG_RSA:
OutPublic->publicArea.unique.rsa.size = SwapBytes16 (ReadUnaligned16 ((UINT16 *)Buffer));
Buffer += sizeof(UINT16);
+ if(OutPublic->publicArea.unique.rsa.size > MAX_RSA_KEY_BYTES) {
+ return EFI_DEVICE_ERROR;
+ }
CopyMem (OutPublic->publicArea.unique.rsa.buffer, Buffer, OutPublic->publicArea.unique.rsa.size);
Buffer += OutPublic->publicArea.unique.rsa.size;
break;
case TPM_ALG_ECC:
OutPublic->publicArea.unique.ecc.x.size = SwapBytes16 (ReadUnaligned16 ((UINT16 *)Buffer));
Buffer += sizeof(UINT16);
+ if (OutPublic->publicArea.unique.ecc.x.size > MAX_ECC_KEY_BYTES) {
+ return EFI_DEVICE_ERROR;
+ }
CopyMem (OutPublic->publicArea.unique.ecc.x.buffer, Buffer, OutPublic->publicArea.unique.ecc.x.size);
Buffer += OutPublic->publicArea.unique.ecc.x.size;
OutPublic->publicArea.unique.ecc.y.size = SwapBytes16 (ReadUnaligned16 ((UINT16 *)Buffer));
Buffer += sizeof(UINT16);
+ if (OutPublic->publicArea.unique.ecc.y.size > MAX_ECC_KEY_BYTES) {
+ return EFI_DEVICE_ERROR;
+ }
CopyMem (OutPublic->publicArea.unique.ecc.y.buffer, Buffer, OutPublic->publicArea.unique.ecc.y.size);
Buffer += OutPublic->publicArea.unique.ecc.y.size;
break;
default:
return EFI_UNSUPPORTED;
diff --git a/SecurityPkg/Library/Tpm2CommandLib/Tpm2Sequences.c b/SecurityPkg/Library/Tpm2CommandLib/Tpm2Sequences.c
index 305b6f2078..68a445bafc 100644
--- a/SecurityPkg/Library/Tpm2CommandLib/Tpm2Sequences.c
+++ b/SecurityPkg/Library/Tpm2CommandLib/Tpm2Sequences.c
@@ -1,9 +1,9 @@
/** @file
Implement TPM2 Sequences related command.
-Copyright (c) 2013, Intel Corporation. All rights reserved. <BR>
+Copyright (c) 2013 - 2018, Intel Corporation. All rights reserved. <BR>
This program and the accompanying materials are licensed and made available under the terms and conditions of the BSD License which accompanies this distribution. The full text of the license may be found at http://opensource.org/licenses/bsd-license.php
@@ -373,10 +373,14 @@ Tpm2EventSequenceComplete (
BufferPtr = (UINT8 *)&Res.Results;
// count
Results->count = SwapBytes32(ReadUnaligned32 ((UINT32 *)BufferPtr));
+ if (Results->count > HASH_COUNT) {
+ return EFI_DEVICE_ERROR;
+ }
+
BufferPtr += sizeof(UINT32);
for (Index = 0; Index < Results->count; Index++) {
Results->digests[Index].hashAlg = SwapBytes16(ReadUnaligned16 ((UINT16 *)BufferPtr));
BufferPtr += sizeof(UINT16);
@@ -494,10 +498,14 @@ Tpm2SequenceComplete (
BufferPtr = (UINT8 *)&Res.Digest;
// digestSize
Result->size = SwapBytes16(ReadUnaligned16 ((UINT16 *)BufferPtr));
+ if (Result->size > sizeof(TPMU_HA)){
+ return EFI_DEVICE_ERROR;
+ }
+
BufferPtr += sizeof(UINT16);
CopyMem(
Result->buffer,
BufferPtr,
diff --git a/SecurityPkg/Library/Tpm2CommandLib/Tpm2Session.c b/SecurityPkg/Library/Tpm2CommandLib/Tpm2Session.c
index f03b6689ac..0c9b310e54 100644
--- a/SecurityPkg/Library/Tpm2CommandLib/Tpm2Session.c
+++ b/SecurityPkg/Library/Tpm2CommandLib/Tpm2Session.c
@@ -1,9 +1,9 @@
/** @file
Implement TPM2 Session related command.
-Copyright (c) 2014, Intel Corporation. All rights reserved. <BR>
+Copyright (c) 2014 - 2018, Intel Corporation. All rights reserved. <BR>
This program and the accompanying materials are licensed and made available under the terms and conditions of the BSD License which accompanies this distribution. The full text of the license may be found at http://opensource.org/licenses/bsd-license.php
@@ -161,9 +161,13 @@ Tpm2StartAuthSession (
//
// Return the response
//
*SessionHandle = SwapBytes32 (RecvBuffer.SessionHandle);
NonceTPM->size = SwapBytes16 (RecvBuffer.NonceTPM.size);
+ if (NonceTPM->size > sizeof(TPMU_HA)) {
+ return EFI_DEVICE_ERROR;
+ }
+
CopyMem (NonceTPM->buffer, &RecvBuffer.NonceTPM.buffer, NonceTPM->size);
return EFI_SUCCESS;
}
--
2.16.2.windows.1
^ permalink raw reply related [flat|nested] 5+ messages in thread
* Re: [Patch] SecurityPkg Tpm2CommandLib: Fix TPM2.0 response memory overflow
2018-03-21 3:03 ` Zhang, Chao B
@ 2018-03-21 6:39 ` Yao, Jiewen
2018-03-21 6:49 ` Zhang, Chao B
0 siblings, 1 reply; 5+ messages in thread
From: Yao, Jiewen @ 2018-03-21 6:39 UTC (permalink / raw)
To: Zhang, Chao B, Long, Qin, edk2-devel@lists.01.org
Some thought:
1) Would you please add debug message on every error check you added? Just like the original code does.
2) For below, can we separate the check, and add error message for each failure?
Tpm2Integrity.c:
if (PcrSelectionOut->count > HASH_COUNT || RecvBufferSize < sizeof (TPM2_RESPONSE_HEADER) + sizeof(RecvBuffer.PcrUpdateCounter) + sizeof(RecvBuffer.PcrSelectionOut.count) + sizeof(RecvBuffer.PcrSelectionOut.pcrSelections[0]) * PcrSelectionOut->count) {
DEBUG ((EFI_D_ERROR, "Tpm2PcrRead - Digests->count -%x or RecvBufferSize Error - %x\n", PcrSelectionOut->count, RecvBufferSize));
return EFI_DEVICE_ERROR;
}
3) For below, can we separate the check, and add error message for each failure?
Tpm2NvStorage.c
if (NvNameSize > sizeof(TPMU_NAME) ||
(RecvBufferSize != sizeof(TPM2_RESPONSE_HEADER) + sizeof(UINT16) + NvPublicSize + sizeof(UINT16) + NvNameSize)) {
DEBUG ((EFI_D_ERROR, "Tpm2NvReadPublic - RecvBufferSize Error - NvPublicSize %x, NvNameSize %x\n", RecvBufferSize, NvNameSize));
return EFI_NOT_FOUND;
}
4) Do you think if we need add check for nonce.size below as well?
Tpm2Help.c
// nonce
AuthSessionOut->nonce.size = SwapBytes16 (ReadUnaligned16 ((UINT16 *)Buffer));
Buffer += sizeof(UINT16);
CopyMem (AuthSessionOut->nonce.buffer, Buffer, AuthSessionOut->nonce.size);
Buffer += AuthSessionOut->nonce.size;
Thank you
Yao Jiewen
> -----Original Message-----
> From: Zhang, Chao B
> Sent: Wednesday, March 21, 2018 11:03 AM
> To: Long, Qin <qin.long@intel.com>; edk2-devel@lists.01.org
> Cc: Yao, Jiewen <jiewen.yao@intel.com>
> Subject: RE: [Patch] SecurityPkg Tpm2CommandLib: Fix TPM2.0 response
> memory overflow
>
> Thanks Qin, I will add more comments to explain the magic code
>
> -----Original Message-----
> From: Long, Qin
> Sent: Wednesday, March 21, 2018 10:58 AM
> To: Zhang, Chao B <chao.b.zhang@intel.com>; edk2-devel@lists.01.org
> Cc: Yao, Jiewen <jiewen.yao@intel.com>
> Subject: RE: [Patch] SecurityPkg Tpm2CommandLib: Fix TPM2.0 response
> memory overflow
>
> Hi, Chao,
>
> One minor suggestion to add the comment to explain the following value "8": the
> number of digests in list is not greater than 8 per TPML_DIGEST definition.
> + if (PcrValues->count > 8) {
> + return EFI_DEVICE_ERROR;
> + }
>
> Other looks good to me.
>
> Reviewed-by: Long Qin <qin.long@intel.com>
>
>
> Best Regards & Thanks,
> LONG, Qin
>
> -----Original Message-----
> From: Zhang, Chao B
> Sent: Tuesday, March 20, 2018 4:36 PM
> To: edk2-devel@lists.01.org
> Cc: Long, Qin <qin.long@intel.com>; Yao, Jiewen <jiewen.yao@intel.com>;
> Zhang, Chao B <chao.b.zhang@intel.com>
> Subject: [Patch] SecurityPkg Tpm2CommandLib: Fix TPM2.0 response memory
> overflow
>
> TPM2.0 command lib always assumes TPM device and transmission channel can
> respond correctly. But it is not true when communication channel is exploited
> and wrong data is spoofed. Add more logic to prohibit memory overflow attack.
>
> Cc: Long Qin <qin.long@intel.com>
> Cc: Yao Jiewen <jiewen.yao@intel.com>
> Contributed-under: TianoCore Contribution Agreement 1.1
> Signed-off-by: Chao Zhang <chao.b.zhang@intel.com>
> Signed-off-by: Zhang, Chao B <chao.b.zhang@intel.com>
> ---
> .../Library/Tpm2CommandLib/Tpm2Capability.c | 21
> ++++++++++++++-
> .../Tpm2CommandLib/Tpm2EnhancedAuthorization.c | 16 ++++++++++-
> SecurityPkg/Library/Tpm2CommandLib/Tpm2Integrity.c | 19 ++++++++++---
> SecurityPkg/Library/Tpm2CommandLib/Tpm2NVStorage.c | 14 ++++++++--
> SecurityPkg/Library/Tpm2CommandLib/Tpm2Object.c | 31
> +++++++++++++++++++++-
> SecurityPkg/Library/Tpm2CommandLib/Tpm2Sequences.c | 10 ++++++-
> SecurityPkg/Library/Tpm2CommandLib/Tpm2Session.c | 6 ++++-
> 7 files changed, 107 insertions(+), 10 deletions(-)
>
> diff --git a/SecurityPkg/Library/Tpm2CommandLib/Tpm2Capability.c
> b/SecurityPkg/Library/Tpm2CommandLib/Tpm2Capability.c
> index 79e80fb7a9..42afe107a6 100644
> --- a/SecurityPkg/Library/Tpm2CommandLib/Tpm2Capability.c
> +++ b/SecurityPkg/Library/Tpm2CommandLib/Tpm2Capability.c
> @@ -1,9 +1,9 @@
> /** @file
> Implement TPM2 Capability related command.
>
> -Copyright (c) 2013 - 2016, Intel Corporation. All rights reserved. <BR>
> +Copyright (c) 2013 - 2018, Intel Corporation. All rights reserved. <BR>
> This program and the accompanying materials are licensed and made
> available under the terms and conditions of the BSD License which
> accompanies this distribution. The full text of the license may be found at
> http://opensource.org/licenses/bsd-license.php
>
> @@ -110,10 +110,18 @@ Tpm2GetCapability (
>
> if (RecvBufferSize <= sizeof (TPM2_RESPONSE_HEADER) + sizeof (UINT8)) {
> return EFI_DEVICE_ERROR;
> }
>
> + //
> + // Fail if command failed
> + //
> + if (SwapBytes32(RecvBuffer.Header.responseCode) != TPM_RC_SUCCESS) {
> + DEBUG ((EFI_D_ERROR, "Tpm2GetCapability: Response Code error!
> 0x%08x\r\n", SwapBytes32(RecvBuffer.Header.responseCode)));
> + return EFI_DEVICE_ERROR;
> + }
> +
> //
> // Return the response
> //
> *MoreData = RecvBuffer.MoreData;
> //
> @@ -327,10 +335,14 @@ Tpm2GetCapabilitySupportedAlg (
> }
>
> CopyMem (AlgList, &TpmCap.data.algorithms, sizeof
> (TPML_ALG_PROPERTY));
>
> AlgList->count = SwapBytes32 (AlgList->count);
> + if (AlgList->count > MAX_CAP_ALGS) {
> + return EFI_DEVICE_ERROR;
> + }
> +
> for (Index = 0; Index < AlgList->count; Index++) {
> AlgList->algProperties[Index].alg = SwapBytes16
> (AlgList->algProperties[Index].alg);
> WriteUnaligned32 ((UINT32 *)&AlgList->algProperties[Index].algProperties,
> SwapBytes32 (ReadUnaligned32 ((UINT32
> *)&AlgList->algProperties[Index].algProperties)));
> }
>
> @@ -474,13 +486,20 @@ Tpm2GetCapabilityPcrs (
> if (EFI_ERROR (Status)) {
> return Status;
> }
>
> Pcrs->count = SwapBytes32 (TpmCap.data.assignedPCR.count);
> + if (Pcrs->count > HASH_COUNT) {
> + return EFI_DEVICE_ERROR;
> + }
> +
> for (Index = 0; Index < Pcrs->count; Index++) {
> Pcrs->pcrSelections[Index].hash = SwapBytes16
> (TpmCap.data.assignedPCR.pcrSelections[Index].hash);
> Pcrs->pcrSelections[Index].sizeofSelect =
> TpmCap.data.assignedPCR.pcrSelections[Index].sizeofSelect;
> + if (Pcrs->pcrSelections[Index].sizeofSelect > PCR_SELECT_MAX) {
> + return EFI_DEVICE_ERROR;
> + }
> CopyMem (Pcrs->pcrSelections[Index].pcrSelect,
> TpmCap.data.assignedPCR.pcrSelections[Index].pcrSelect,
> Pcrs->pcrSelections[Index].sizeofSelect);
> }
>
> return EFI_SUCCESS;
> }
> diff --git
> a/SecurityPkg/Library/Tpm2CommandLib/Tpm2EnhancedAuthorization.c
> b/SecurityPkg/Library/Tpm2CommandLib/Tpm2EnhancedAuthorization.c
> index 6f6b3693f8..3e42875b83 100644
> --- a/SecurityPkg/Library/Tpm2CommandLib/Tpm2EnhancedAuthorization.c
> +++ b/SecurityPkg/Library/Tpm2CommandLib/Tpm2EnhancedAuthorization.c
> @@ -1,9 +1,9 @@
> /** @file
> Implement TPM2 EnhancedAuthorization related command.
>
> -Copyright (c) 2014 - 2016, Intel Corporation. All rights reserved. <BR>
> +Copyright (c) 2014 - 2018, Intel Corporation. All rights reserved. <BR>
> This program and the accompanying materials are licensed and made
> available under the terms and conditions of the BSD License which
> accompanies this distribution. The full text of the license may be found at
> http://opensource.org/licenses/bsd-license.php
>
> @@ -178,19 +178,29 @@ Tpm2PolicySecret (
> //
> // Return the response
> //
> Buffer = (UINT8 *)&RecvBuffer.Timeout;
> Timeout->size = SwapBytes16(ReadUnaligned16 ((UINT16 *)Buffer));
> + if (Timeout->size > sizeof(UINT64)) {
> + Status = EFI_DEVICE_ERROR;
> + goto Done;
> + }
> +
> Buffer += sizeof(UINT16);
> CopyMem (Timeout->buffer, Buffer, Timeout->size);
>
> PolicyTicket->tag = SwapBytes16(ReadUnaligned16 ((UINT16 *)Buffer));
> Buffer += sizeof(UINT16);
> PolicyTicket->hierarchy = SwapBytes32(ReadUnaligned32 ((UINT32
> *)Buffer));
> Buffer += sizeof(UINT32);
> PolicyTicket->digest.size = SwapBytes16(ReadUnaligned16 ((UINT16
> *)Buffer));
> Buffer += sizeof(UINT16);
> + if (PolicyTicket->digest.size > sizeof(TPMU_HA)) {
> + Status = EFI_DEVICE_ERROR;
> + goto Done;
> + }
> +
> CopyMem (PolicyTicket->digest.buffer, Buffer, PolicyTicket->digest.size);
>
> Done:
> //
> // Clear AuthSession Content
> @@ -377,9 +387,13 @@ Tpm2PolicyGetDigest (
>
> //
> // Return the response
> //
> PolicyHash->size = SwapBytes16 (RecvBuffer.PolicyHash.size);
> + if (PolicyHash->size > sizeof(TPMU_HA)) {
> + return EFI_DEVICE_ERROR;
> + }
> +
> CopyMem (PolicyHash->buffer, &RecvBuffer.PolicyHash.buffer,
> PolicyHash->size);
>
> return EFI_SUCCESS;
> }
> diff --git a/SecurityPkg/Library/Tpm2CommandLib/Tpm2Integrity.c
> b/SecurityPkg/Library/Tpm2CommandLib/Tpm2Integrity.c
> index 8eacfe6c13..9c0b70dd93 100644
> --- a/SecurityPkg/Library/Tpm2CommandLib/Tpm2Integrity.c
> +++ b/SecurityPkg/Library/Tpm2CommandLib/Tpm2Integrity.c
> @@ -1,9 +1,9 @@
> /** @file
> Implement TPM2 Integrity related command.
>
> -Copyright (c) 2013 - 2016, Intel Corporation. All rights reserved. <BR>
> +Copyright (c) 2013 - 2018, Intel Corporation. All rights reserved. <BR>
> This program and the accompanying materials are licensed and made
> available under the terms and conditions of the BSD License which
> accompanies this distribution. The full text of the license may be found at
> http://opensource.org/licenses/bsd-license.php
>
> @@ -277,10 +277,14 @@ Tpm2PcrEvent (
> // Unmarshal the response
> //
> Buffer = (UINT8 *)&Res.Digests;
>
> Digests->count = SwapBytes32 (ReadUnaligned32 ((UINT32 *)Buffer));
> + if (Digests->count > HASH_COUNT) {
> + return EFI_DEVICE_ERROR;
> + }
> +
> Buffer += sizeof(UINT32);
> for (Index = 0; Index < Digests->count; Index++) {
> Digests->digests[Index].hashAlg = SwapBytes16 (ReadUnaligned16
> ((UINT16 *)Buffer));
> Buffer += sizeof(UINT16);
> DigestSize = GetHashSizeFromAlgo (Digests->digests[Index].hashAlg);
> @@ -381,28 +385,37 @@ Tpm2PcrRead (
> if (RecvBufferSize < sizeof (TPM2_RESPONSE_HEADER) +
> sizeof(RecvBuffer.PcrUpdateCounter) +
> sizeof(RecvBuffer.PcrSelectionOut.count)) {
> DEBUG ((EFI_D_ERROR, "Tpm2PcrRead - RecvBufferSize Error - %x\n",
> RecvBufferSize));
> return EFI_DEVICE_ERROR;
> }
> PcrSelectionOut->count = SwapBytes32(RecvBuffer.PcrSelectionOut.count);
> - if (RecvBufferSize < sizeof (TPM2_RESPONSE_HEADER) +
> sizeof(RecvBuffer.PcrUpdateCounter) + sizeof(RecvBuffer.PcrSelectionOut.count)
> + sizeof(RecvBuffer.PcrSelectionOut.pcrSelections[0]) * PcrSelectionOut->count)
> {
> - DEBUG ((EFI_D_ERROR, "Tpm2PcrRead - RecvBufferSize Error - %x\n",
> RecvBufferSize));
> + if (PcrSelectionOut->count > HASH_COUNT || RecvBufferSize < sizeof
> (TPM2_RESPONSE_HEADER) + sizeof(RecvBuffer.PcrUpdateCounter) +
> sizeof(RecvBuffer.PcrSelectionOut.count) +
> sizeof(RecvBuffer.PcrSelectionOut.pcrSelections[0]) * PcrSelectionOut->count) {
> + DEBUG ((EFI_D_ERROR, "Tpm2PcrRead - Digests->count -%x or
> + RecvBufferSize Error - %x\n", PcrSelectionOut->count,
> + RecvBufferSize));
> return EFI_DEVICE_ERROR;
> }
> for (Index = 0; Index < PcrSelectionOut->count; Index++) {
> PcrSelectionOut->pcrSelections[Index].hash =
> SwapBytes16(RecvBuffer.PcrSelectionOut.pcrSelections[Index].hash);
> PcrSelectionOut->pcrSelections[Index].sizeofSelect =
> RecvBuffer.PcrSelectionOut.pcrSelections[Index].sizeofSelect;
> + if (PcrSelectionOut->pcrSelections[Index].sizeofSelect > PCR_SELECT_MAX)
> {
> + return EFI_DEVICE_ERROR;
> + }
> CopyMem (&PcrSelectionOut->pcrSelections[Index].pcrSelect,
> &RecvBuffer.PcrSelectionOut.pcrSelections[Index].pcrSelect,
> PcrSelectionOut->pcrSelections[Index].sizeofSelect);
> }
>
> //
> // PcrValues
> //
> PcrValuesOut = (TPML_DIGEST *)((UINT8 *)&RecvBuffer + sizeof
> (TPM2_RESPONSE_HEADER) + sizeof(RecvBuffer.PcrUpdateCounter) +
> sizeof(RecvBuffer.PcrSelectionOut.count) +
> sizeof(RecvBuffer.PcrSelectionOut.pcrSelections[0]) * PcrSelectionOut->count);
> PcrValues->count = SwapBytes32(PcrValuesOut->count);
> + if (PcrValues->count > 8) {
> + return EFI_DEVICE_ERROR;
> + }
> Digests = PcrValuesOut->digests;
> for (Index = 0; Index < PcrValues->count; Index++) {
> PcrValues->digests[Index].size = SwapBytes16(Digests->size);
> + if (PcrValues->digests[Index].size > sizeof(TPMU_HA)) {
> + return EFI_DEVICE_ERROR;
> + }
> CopyMem (&PcrValues->digests[Index].buffer, &Digests->buffer,
> PcrValues->digests[Index].size);
> Digests = (TPM2B_DIGEST *)((UINT8 *)Digests + sizeof(Digests->size) +
> PcrValues->digests[Index].size);
> }
>
> return EFI_SUCCESS;
> diff --git a/SecurityPkg/Library/Tpm2CommandLib/Tpm2NVStorage.c
> b/SecurityPkg/Library/Tpm2CommandLib/Tpm2NVStorage.c
> index 9508022132..2b87260764 100644
> --- a/SecurityPkg/Library/Tpm2CommandLib/Tpm2NVStorage.c
> +++ b/SecurityPkg/Library/Tpm2CommandLib/Tpm2NVStorage.c
> @@ -1,9 +1,9 @@
> /** @file
> Implement TPM2 NVStorage related command.
>
> -Copyright (c) 2013 - 2016, Intel Corporation. All rights reserved. <BR>
> +Copyright (c) 2013 - 2018, Intel Corporation. All rights reserved. <BR>
> This program and the accompanying materials are licensed and made
> available under the terms and conditions of the BSD License which
> accompanies this distribution. The full text of the license may be found at
> http://opensource.org/licenses/bsd-license.php
>
> @@ -232,13 +232,18 @@ Tpm2NvReadPublic (
>
> //
> // Basic check
> //
> NvPublicSize = SwapBytes16 (RecvBuffer.NvPublic.size);
> + if (NvPublicSize > sizeof(TPMS_NV_PUBLIC)) {
> + return EFI_DEVICE_ERROR;
> + }
> +
> NvNameSize = SwapBytes16 (ReadUnaligned16 ((UINT16 *)((UINT8
> *)&RecvBuffer + sizeof(TPM2_RESPONSE_HEADER) + sizeof(UINT16) +
> NvPublicSize)));
>
> - if (RecvBufferSize != sizeof(TPM2_RESPONSE_HEADER) + sizeof(UINT16) +
> NvPublicSize + sizeof(UINT16) + NvNameSize) {
> + if (NvNameSize > sizeof(TPMU_NAME) ||
> + (RecvBufferSize != sizeof(TPM2_RESPONSE_HEADER) + sizeof(UINT16)
> + + NvPublicSize + sizeof(UINT16) + NvNameSize)) {
> DEBUG ((EFI_D_ERROR, "Tpm2NvReadPublic - RecvBufferSize Error -
> NvPublicSize %x, NvNameSize %x\n", RecvBufferSize, NvNameSize));
> return EFI_NOT_FOUND;
> }
>
> //
> @@ -630,10 +635,15 @@ Tpm2NvRead (
>
> //
> // Return the response
> //
> OutData->size = SwapBytes16 (RecvBuffer.Data.size);
> + if (OutData->size > MAX_DIGEST_BUFFER) {
> + Status = EFI_DEVICE_ERROR;
> + goto Done;
> + }
> +
> CopyMem (OutData->buffer, &RecvBuffer.Data.buffer, OutData->size);
>
> Done:
> //
> // Clear AuthSession Content
> diff --git a/SecurityPkg/Library/Tpm2CommandLib/Tpm2Object.c
> b/SecurityPkg/Library/Tpm2CommandLib/Tpm2Object.c
> index e070ff2f74..e9f693b65d 100644
> --- a/SecurityPkg/Library/Tpm2CommandLib/Tpm2Object.c
> +++ b/SecurityPkg/Library/Tpm2CommandLib/Tpm2Object.c
> @@ -1,9 +1,9 @@
> /** @file
> Implement TPM2 Object related command.
>
> -Copyright (c) 2017, Intel Corporation. All rights reserved. <BR>
> +Copyright (c) 2017 - 2018, Intel Corporation. All rights reserved. <BR>
> This program and the accompanying materials are licensed and made
> available under the terms and conditions of the BSD License which
> accompanies this distribution. The full text of the license may be found at
> http://opensource.org/licenses/bsd-license.php
>
> @@ -107,15 +107,26 @@ Tpm2ReadPublic (
>
> //
> // Basic check
> //
> OutPublicSize = SwapBytes16 (RecvBuffer.OutPublic.size);
> + if (OutPublicSize > sizeof(TPMT_PUBLIC)) {
> + return EFI_DEVICE_ERROR;
> + }
> +
> NameSize = SwapBytes16 (ReadUnaligned16 ((UINT16 *)((UINT8
> *)&RecvBuffer + sizeof(TPM2_RESPONSE_HEADER) +
> sizeof(UINT16) + OutPublicSize)));
> + if (NameSize > sizeof(TPMU_NAME)) {
> + return EFI_DEVICE_ERROR;
> + }
> +
> QualifiedNameSize = SwapBytes16 (ReadUnaligned16 ((UINT16 *)((UINT8
> *)&RecvBuffer + sizeof(TPM2_RESPONSE_HEADER) +
> sizeof(UINT16) + OutPublicSize +
> sizeof(UINT16) + NameSize)));
> + if (QualifiedNameSize > sizeof(TPMU_NAME)) {
> + return EFI_DEVICE_ERROR;
> + }
>
> if (RecvBufferSize != sizeof(TPM2_RESPONSE_HEADER) + sizeof(UINT16) +
> OutPublicSize + sizeof(UINT16) + NameSize + sizeof(UINT16) +
> QualifiedNameSize) {
> DEBUG ((DEBUG_ERROR, "Tpm2ReadPublic - RecvBufferSize %x Error -
> OutPublicSize %x, NameSize %x, QualifiedNameSize %x\n", RecvBufferSize,
> OutPublicSize, NameSize, QualifiedNameSize));
> return EFI_DEVICE_ERROR;
> }
> @@ -130,10 +141,13 @@ Tpm2ReadPublic (
> OutPublic->publicArea.nameAlg = SwapBytes16
> (OutPublic->publicArea.nameAlg);
> WriteUnaligned32 ((UINT32 *)&OutPublic->publicArea.objectAttributes,
> SwapBytes32 (ReadUnaligned32 ((UINT32
> *)&OutPublic->publicArea.objectAttributes)));
> Buffer = (UINT8 *)&RecvBuffer.OutPublic.publicArea.authPolicy;
> OutPublic->publicArea.authPolicy.size = SwapBytes16 (ReadUnaligned16
> ((UINT16 *)Buffer));
> Buffer += sizeof(UINT16);
> + if (OutPublic->publicArea.authPolicy.size > sizeof(TPMU_HA)) {
> + return EFI_DEVICE_ERROR;
> + }
> CopyMem (OutPublic->publicArea.authPolicy.buffer, Buffer,
> OutPublic->publicArea.authPolicy.size);
> Buffer += OutPublic->publicArea.authPolicy.size;
>
> // TPMU_PUBLIC_PARMS
> switch (OutPublic->publicArea.type) { @@ -305,32 +319,47 @@
> Tpm2ReadPublic (
> // TPMU_PUBLIC_ID
> switch (OutPublic->publicArea.type) {
> case TPM_ALG_KEYEDHASH:
> OutPublic->publicArea.unique.keyedHash.size = SwapBytes16
> (ReadUnaligned16 ((UINT16 *)Buffer));
> Buffer += sizeof(UINT16);
> + if(OutPublic->publicArea.unique.keyedHash.size > sizeof(TPMU_HA)) {
> + return EFI_DEVICE_ERROR;
> + }
> CopyMem (OutPublic->publicArea.unique.keyedHash.buffer, Buffer,
> OutPublic->publicArea.unique.keyedHash.size);
> Buffer += OutPublic->publicArea.unique.keyedHash.size;
> break;
> case TPM_ALG_SYMCIPHER:
> OutPublic->publicArea.unique.sym.size = SwapBytes16 (ReadUnaligned16
> ((UINT16 *)Buffer));
> Buffer += sizeof(UINT16);
> + if(OutPublic->publicArea.unique.sym.size > sizeof(TPMU_HA)) {
> + return EFI_DEVICE_ERROR;
> + }
> CopyMem (OutPublic->publicArea.unique.sym.buffer, Buffer,
> OutPublic->publicArea.unique.sym.size);
> Buffer += OutPublic->publicArea.unique.sym.size;
> break;
> case TPM_ALG_RSA:
> OutPublic->publicArea.unique.rsa.size = SwapBytes16 (ReadUnaligned16
> ((UINT16 *)Buffer));
> Buffer += sizeof(UINT16);
> + if(OutPublic->publicArea.unique.rsa.size > MAX_RSA_KEY_BYTES) {
> + return EFI_DEVICE_ERROR;
> + }
> CopyMem (OutPublic->publicArea.unique.rsa.buffer, Buffer,
> OutPublic->publicArea.unique.rsa.size);
> Buffer += OutPublic->publicArea.unique.rsa.size;
> break;
> case TPM_ALG_ECC:
> OutPublic->publicArea.unique.ecc.x.size = SwapBytes16
> (ReadUnaligned16 ((UINT16 *)Buffer));
> Buffer += sizeof(UINT16);
> + if (OutPublic->publicArea.unique.ecc.x.size > MAX_ECC_KEY_BYTES) {
> + return EFI_DEVICE_ERROR;
> + }
> CopyMem (OutPublic->publicArea.unique.ecc.x.buffer, Buffer,
> OutPublic->publicArea.unique.ecc.x.size);
> Buffer += OutPublic->publicArea.unique.ecc.x.size;
> OutPublic->publicArea.unique.ecc.y.size = SwapBytes16 (ReadUnaligned16
> ((UINT16 *)Buffer));
> Buffer += sizeof(UINT16);
> + if (OutPublic->publicArea.unique.ecc.y.size > MAX_ECC_KEY_BYTES) {
> + return EFI_DEVICE_ERROR;
> + }
> CopyMem (OutPublic->publicArea.unique.ecc.y.buffer, Buffer,
> OutPublic->publicArea.unique.ecc.y.size);
> Buffer += OutPublic->publicArea.unique.ecc.y.size;
> break;
> default:
> return EFI_UNSUPPORTED;
> diff --git a/SecurityPkg/Library/Tpm2CommandLib/Tpm2Sequences.c
> b/SecurityPkg/Library/Tpm2CommandLib/Tpm2Sequences.c
> index 305b6f2078..68a445bafc 100644
> --- a/SecurityPkg/Library/Tpm2CommandLib/Tpm2Sequences.c
> +++ b/SecurityPkg/Library/Tpm2CommandLib/Tpm2Sequences.c
> @@ -1,9 +1,9 @@
> /** @file
> Implement TPM2 Sequences related command.
>
> -Copyright (c) 2013, Intel Corporation. All rights reserved. <BR>
> +Copyright (c) 2013 - 2018, Intel Corporation. All rights reserved. <BR>
> This program and the accompanying materials are licensed and made
> available under the terms and conditions of the BSD License which
> accompanies this distribution. The full text of the license may be found at
> http://opensource.org/licenses/bsd-license.php
>
> @@ -373,10 +373,14 @@ Tpm2EventSequenceComplete (
>
> BufferPtr = (UINT8 *)&Res.Results;
>
> // count
> Results->count = SwapBytes32(ReadUnaligned32 ((UINT32 *)BufferPtr));
> + if (Results->count > HASH_COUNT) {
> + return EFI_DEVICE_ERROR;
> + }
> +
> BufferPtr += sizeof(UINT32);
>
> for (Index = 0; Index < Results->count; Index++) {
> Results->digests[Index].hashAlg = SwapBytes16(ReadUnaligned16
> ((UINT16 *)BufferPtr));
> BufferPtr += sizeof(UINT16);
> @@ -494,10 +498,14 @@ Tpm2SequenceComplete (
>
> BufferPtr = (UINT8 *)&Res.Digest;
>
> // digestSize
> Result->size = SwapBytes16(ReadUnaligned16 ((UINT16 *)BufferPtr));
> + if (Result->size > sizeof(TPMU_HA)){
> + return EFI_DEVICE_ERROR;
> + }
> +
> BufferPtr += sizeof(UINT16);
>
> CopyMem(
> Result->buffer,
> BufferPtr,
> diff --git a/SecurityPkg/Library/Tpm2CommandLib/Tpm2Session.c
> b/SecurityPkg/Library/Tpm2CommandLib/Tpm2Session.c
> index f03b6689ac..0c9b310e54 100644
> --- a/SecurityPkg/Library/Tpm2CommandLib/Tpm2Session.c
> +++ b/SecurityPkg/Library/Tpm2CommandLib/Tpm2Session.c
> @@ -1,9 +1,9 @@
> /** @file
> Implement TPM2 Session related command.
>
> -Copyright (c) 2014, Intel Corporation. All rights reserved. <BR>
> +Copyright (c) 2014 - 2018, Intel Corporation. All rights reserved. <BR>
> This program and the accompanying materials are licensed and made
> available under the terms and conditions of the BSD License which
> accompanies this distribution. The full text of the license may be found at
> http://opensource.org/licenses/bsd-license.php
>
> @@ -161,9 +161,13 @@ Tpm2StartAuthSession (
> //
> // Return the response
> //
> *SessionHandle = SwapBytes32 (RecvBuffer.SessionHandle);
> NonceTPM->size = SwapBytes16 (RecvBuffer.NonceTPM.size);
> + if (NonceTPM->size > sizeof(TPMU_HA)) {
> + return EFI_DEVICE_ERROR;
> + }
> +
> CopyMem (NonceTPM->buffer, &RecvBuffer.NonceTPM.buffer,
> NonceTPM->size);
>
> return EFI_SUCCESS;
> }
> --
> 2.16.2.windows.1
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [Patch] SecurityPkg Tpm2CommandLib: Fix TPM2.0 response memory overflow
2018-03-21 6:39 ` Yao, Jiewen
@ 2018-03-21 6:49 ` Zhang, Chao B
0 siblings, 0 replies; 5+ messages in thread
From: Zhang, Chao B @ 2018-03-21 6:49 UTC (permalink / raw)
To: Yao, Jiewen, Long, Qin, edk2-devel@lists.01.org
Good catch! Jiewen, I will add more check in CopyAuthSessionResponse()
From: Yao, Jiewen
Sent: Wednesday, March 21, 2018 2:39 PM
To: Zhang, Chao B <chao.b.zhang@intel.com>; Long, Qin <qin.long@intel.com>; edk2-devel@lists.01.org
Subject: RE: [Patch] SecurityPkg Tpm2CommandLib: Fix TPM2.0 response memory overflow
Some thought:
1) Would you please add debug message on every error check you added? Just like the original code does.
2) For below, can we separate the check, and add error message for each failure?
Tpm2Integrity.c:
if (PcrSelectionOut->count > HASH_COUNT || RecvBufferSize < sizeof (TPM2_RESPONSE_HEADER) + sizeof(RecvBuffer.PcrUpdateCounter) + sizeof(RecvBuffer.PcrSelectionOut.count) + sizeof(RecvBuffer.PcrSelectionOut.pcrSelections[0]) * PcrSelectionOut->count) {
DEBUG ((EFI_D_ERROR, "Tpm2PcrRead - Digests->count -%x or RecvBufferSize Error - %x\n", PcrSelectionOut->count, RecvBufferSize));
return EFI_DEVICE_ERROR;
}
3) For below, can we separate the check, and add error message for each failure?
Tpm2NvStorage.c
if (NvNameSize > sizeof(TPMU_NAME) ||
(RecvBufferSize != sizeof(TPM2_RESPONSE_HEADER) + sizeof(UINT16) + NvPublicSize + sizeof(UINT16) + NvNameSize)) {
DEBUG ((EFI_D_ERROR, "Tpm2NvReadPublic - RecvBufferSize Error - NvPublicSize %x, NvNameSize %x\n", RecvBufferSize, NvNameSize));
return EFI_NOT_FOUND;
}
4) Do you think if we need add check for nonce.size below as well?
Tpm2Help.c
// nonce
AuthSessionOut->nonce.size = SwapBytes16 (ReadUnaligned16 ((UINT16 *)Buffer));
Buffer += sizeof(UINT16);
CopyMem (AuthSessionOut->nonce.buffer, Buffer, AuthSessionOut->nonce.size);
Buffer += AuthSessionOut->nonce.size;
Thank you
Yao Jiewen
> -----Original Message-----
> From: Zhang, Chao B
> Sent: Wednesday, March 21, 2018 11:03 AM
> To: Long, Qin <qin.long@intel.com<mailto:qin.long@intel.com>>; edk2-devel@lists.01.org<mailto:edk2-devel@lists.01.org>
> Cc: Yao, Jiewen <jiewen.yao@intel.com<mailto:jiewen.yao@intel.com>>
> Subject: RE: [Patch] SecurityPkg Tpm2CommandLib: Fix TPM2.0 response
> memory overflow
>
> Thanks Qin, I will add more comments to explain the magic code
>
> -----Original Message-----
> From: Long, Qin
> Sent: Wednesday, March 21, 2018 10:58 AM
> To: Zhang, Chao B <chao.b.zhang@intel.com<mailto:chao.b.zhang@intel.com>>; edk2-devel@lists.01.org<mailto:edk2-devel@lists.01.org>
> Cc: Yao, Jiewen <jiewen.yao@intel.com<mailto:jiewen.yao@intel.com>>
> Subject: RE: [Patch] SecurityPkg Tpm2CommandLib: Fix TPM2.0 response
> memory overflow
>
> Hi, Chao,
>
> One minor suggestion to add the comment to explain the following value "8": the
> number of digests in list is not greater than 8 per TPML_DIGEST definition.
> + if (PcrValues->count > 8) {
> + return EFI_DEVICE_ERROR;
> + }
>
> Other looks good to me.
>
> Reviewed-by: Long Qin <qin.long@intel.com<mailto:qin.long@intel.com>>
>
>
> Best Regards & Thanks,
> LONG, Qin
>
> -----Original Message-----
> From: Zhang, Chao B
> Sent: Tuesday, March 20, 2018 4:36 PM
> To: edk2-devel@lists.01.org<mailto:edk2-devel@lists.01.org>
> Cc: Long, Qin <qin.long@intel.com<mailto:qin.long@intel.com>>; Yao, Jiewen <jiewen.yao@intel.com<mailto:jiewen.yao@intel.com>>;
> Zhang, Chao B <chao.b.zhang@intel.com<mailto:chao.b.zhang@intel.com>>
> Subject: [Patch] SecurityPkg Tpm2CommandLib: Fix TPM2.0 response memory
> overflow
>
> TPM2.0 command lib always assumes TPM device and transmission channel can
> respond correctly. But it is not true when communication channel is exploited
> and wrong data is spoofed. Add more logic to prohibit memory overflow attack.
>
> Cc: Long Qin <qin.long@intel.com<mailto:qin.long@intel.com>>
> Cc: Yao Jiewen <jiewen.yao@intel.com<mailto:jiewen.yao@intel.com>>
> Contributed-under: TianoCore Contribution Agreement 1.1
> Signed-off-by: Chao Zhang <chao.b.zhang@intel.com<mailto:chao.b.zhang@intel.com>>
> Signed-off-by: Zhang, Chao B <chao.b.zhang@intel.com<mailto:chao.b.zhang@intel.com>>
> ---
> .../Library/Tpm2CommandLib/Tpm2Capability.c | 21
> ++++++++++++++-
> .../Tpm2CommandLib/Tpm2EnhancedAuthorization.c | 16 ++++++++++-
> SecurityPkg/Library/Tpm2CommandLib/Tpm2Integrity.c | 19 ++++++++++---
> SecurityPkg/Library/Tpm2CommandLib/Tpm2NVStorage.c | 14 ++++++++--
> SecurityPkg/Library/Tpm2CommandLib/Tpm2Object.c | 31
> +++++++++++++++++++++-
> SecurityPkg/Library/Tpm2CommandLib/Tpm2Sequences.c | 10 ++++++-
> SecurityPkg/Library/Tpm2CommandLib/Tpm2Session.c | 6 ++++-
> 7 files changed, 107 insertions(+), 10 deletions(-)
>
> diff --git a/SecurityPkg/Library/Tpm2CommandLib/Tpm2Capability.c
> b/SecurityPkg/Library/Tpm2CommandLib/Tpm2Capability.c
> index 79e80fb7a9..42afe107a6 100644
> --- a/SecurityPkg/Library/Tpm2CommandLib/Tpm2Capability.c
> +++ b/SecurityPkg/Library/Tpm2CommandLib/Tpm2Capability.c
> @@ -1,9 +1,9 @@
> /** @file
> Implement TPM2 Capability related command.
>
> -Copyright (c) 2013 - 2016, Intel Corporation. All rights reserved. <BR>
> +Copyright (c) 2013 - 2018, Intel Corporation. All rights reserved. <BR>
> This program and the accompanying materials are licensed and made
> available under the terms and conditions of the BSD License which
> accompanies this distribution. The full text of the license may be found at
> http://opensource.org/licenses/bsd-license.php
>
> @@ -110,10 +110,18 @@ Tpm2GetCapability (
>
> if (RecvBufferSize <= sizeof (TPM2_RESPONSE_HEADER) + sizeof (UINT8)) {
> return EFI_DEVICE_ERROR;
> }
>
> + //
> + // Fail if command failed
> + //
> + if (SwapBytes32(RecvBuffer.Header.responseCode) != TPM_RC_SUCCESS) {
> + DEBUG ((EFI_D_ERROR, "Tpm2GetCapability: Response Code error!
> 0x%08x\r\n", SwapBytes32(RecvBuffer.Header.responseCode)));
> + return EFI_DEVICE_ERROR;
> + }
> +
> //
> // Return the response
> //
> *MoreData = RecvBuffer.MoreData;
> //
> @@ -327,10 +335,14 @@ Tpm2GetCapabilitySupportedAlg (
> }
>
> CopyMem (AlgList, &TpmCap.data.algorithms, sizeof
> (TPML_ALG_PROPERTY));
>
> AlgList->count = SwapBytes32 (AlgList->count);
> + if (AlgList->count > MAX_CAP_ALGS) {
> + return EFI_DEVICE_ERROR;
> + }
> +
> for (Index = 0; Index < AlgList->count; Index++) {
> AlgList->algProperties[Index].alg = SwapBytes16
> (AlgList->algProperties[Index].alg);
> WriteUnaligned32 ((UINT32 *)&AlgList->algProperties[Index].algProperties,
> SwapBytes32 (ReadUnaligned32 ((UINT32
> *)&AlgList->algProperties[Index].algProperties)));
> }
>
> @@ -474,13 +486,20 @@ Tpm2GetCapabilityPcrs (
> if (EFI_ERROR (Status)) {
> return Status;
> }
>
> Pcrs->count = SwapBytes32 (TpmCap.data.assignedPCR.count);
> + if (Pcrs->count > HASH_COUNT) {
> + return EFI_DEVICE_ERROR;
> + }
> +
> for (Index = 0; Index < Pcrs->count; Index++) {
> Pcrs->pcrSelections[Index].hash = SwapBytes16
> (TpmCap.data.assignedPCR.pcrSelections[Index].hash);
> Pcrs->pcrSelections[Index].sizeofSelect =
> TpmCap.data.assignedPCR.pcrSelections[Index].sizeofSelect;
> + if (Pcrs->pcrSelections[Index].sizeofSelect > PCR_SELECT_MAX) {
> + return EFI_DEVICE_ERROR;
> + }
> CopyMem (Pcrs->pcrSelections[Index].pcrSelect,
> TpmCap.data.assignedPCR.pcrSelections[Index].pcrSelect,
> Pcrs->pcrSelections[Index].sizeofSelect);
> }
>
> return EFI_SUCCESS;
> }
> diff --git
> a/SecurityPkg/Library/Tpm2CommandLib/Tpm2EnhancedAuthorization.c
> b/SecurityPkg/Library/Tpm2CommandLib/Tpm2EnhancedAuthorization.c
> index 6f6b3693f8..3e42875b83 100644
> --- a/SecurityPkg/Library/Tpm2CommandLib/Tpm2EnhancedAuthorization.c
> +++ b/SecurityPkg/Library/Tpm2CommandLib/Tpm2EnhancedAuthorization.c
> @@ -1,9 +1,9 @@
> /** @file
> Implement TPM2 EnhancedAuthorization related command.
>
> -Copyright (c) 2014 - 2016, Intel Corporation. All rights reserved. <BR>
> +Copyright (c) 2014 - 2018, Intel Corporation. All rights reserved. <BR>
> This program and the accompanying materials are licensed and made
> available under the terms and conditions of the BSD License which
> accompanies this distribution. The full text of the license may be found at
> http://opensource.org/licenses/bsd-license.php
>
> @@ -178,19 +178,29 @@ Tpm2PolicySecret (
> //
> // Return the response
> //
> Buffer = (UINT8 *)&RecvBuffer.Timeout;
> Timeout->size = SwapBytes16(ReadUnaligned16 ((UINT16 *)Buffer));
> + if (Timeout->size > sizeof(UINT64)) {
> + Status = EFI_DEVICE_ERROR;
> + goto Done;
> + }
> +
> Buffer += sizeof(UINT16);
> CopyMem (Timeout->buffer, Buffer, Timeout->size);
>
> PolicyTicket->tag = SwapBytes16(ReadUnaligned16 ((UINT16 *)Buffer));
> Buffer += sizeof(UINT16);
> PolicyTicket->hierarchy = SwapBytes32(ReadUnaligned32 ((UINT32
> *)Buffer));
> Buffer += sizeof(UINT32);
> PolicyTicket->digest.size = SwapBytes16(ReadUnaligned16 ((UINT16
> *)Buffer));
> Buffer += sizeof(UINT16);
> + if (PolicyTicket->digest.size > sizeof(TPMU_HA)) {
> + Status = EFI_DEVICE_ERROR;
> + goto Done;
> + }
> +
> CopyMem (PolicyTicket->digest.buffer, Buffer, PolicyTicket->digest.size);
>
> Done:
> //
> // Clear AuthSession Content
> @@ -377,9 +387,13 @@ Tpm2PolicyGetDigest (
>
> //
> // Return the response
> //
> PolicyHash->size = SwapBytes16 (RecvBuffer.PolicyHash.size);
> + if (PolicyHash->size > sizeof(TPMU_HA)) {
> + return EFI_DEVICE_ERROR;
> + }
> +
> CopyMem (PolicyHash->buffer, &RecvBuffer.PolicyHash.buffer,
> PolicyHash->size);
>
> return EFI_SUCCESS;
> }
> diff --git a/SecurityPkg/Library/Tpm2CommandLib/Tpm2Integrity.c
> b/SecurityPkg/Library/Tpm2CommandLib/Tpm2Integrity.c
> index 8eacfe6c13..9c0b70dd93 100644
> --- a/SecurityPkg/Library/Tpm2CommandLib/Tpm2Integrity.c
> +++ b/SecurityPkg/Library/Tpm2CommandLib/Tpm2Integrity.c
> @@ -1,9 +1,9 @@
> /** @file
> Implement TPM2 Integrity related command.
>
> -Copyright (c) 2013 - 2016, Intel Corporation. All rights reserved. <BR>
> +Copyright (c) 2013 - 2018, Intel Corporation. All rights reserved. <BR>
> This program and the accompanying materials are licensed and made
> available under the terms and conditions of the BSD License which
> accompanies this distribution. The full text of the license may be found at
> http://opensource.org/licenses/bsd-license.php
>
> @@ -277,10 +277,14 @@ Tpm2PcrEvent (
> // Unmarshal the response
> //
> Buffer = (UINT8 *)&Res.Digests;
>
> Digests->count = SwapBytes32 (ReadUnaligned32 ((UINT32 *)Buffer));
> + if (Digests->count > HASH_COUNT) {
> + return EFI_DEVICE_ERROR;
> + }
> +
> Buffer += sizeof(UINT32);
> for (Index = 0; Index < Digests->count; Index++) {
> Digests->digests[Index].hashAlg = SwapBytes16 (ReadUnaligned16
> ((UINT16 *)Buffer));
> Buffer += sizeof(UINT16);
> DigestSize = GetHashSizeFromAlgo (Digests->digests[Index].hashAlg);
> @@ -381,28 +385,37 @@ Tpm2PcrRead (
> if (RecvBufferSize < sizeof (TPM2_RESPONSE_HEADER) +
> sizeof(RecvBuffer.PcrUpdateCounter) +
> sizeof(RecvBuffer.PcrSelectionOut.count)) {
> DEBUG ((EFI_D_ERROR, "Tpm2PcrRead - RecvBufferSize Error - %x\n",
> RecvBufferSize));
> return EFI_DEVICE_ERROR;
> }
> PcrSelectionOut->count = SwapBytes32(RecvBuffer.PcrSelectionOut.count);
> - if (RecvBufferSize < sizeof (TPM2_RESPONSE_HEADER) +
> sizeof(RecvBuffer.PcrUpdateCounter) + sizeof(RecvBuffer.PcrSelectionOut.count)
> + sizeof(RecvBuffer.PcrSelectionOut.pcrSelections[0]) * PcrSelectionOut->count)
> {
> - DEBUG ((EFI_D_ERROR, "Tpm2PcrRead - RecvBufferSize Error - %x\n",
> RecvBufferSize));
> + if (PcrSelectionOut->count > HASH_COUNT || RecvBufferSize < sizeof
> (TPM2_RESPONSE_HEADER) + sizeof(RecvBuffer.PcrUpdateCounter) +
> sizeof(RecvBuffer.PcrSelectionOut.count) +
> sizeof(RecvBuffer.PcrSelectionOut.pcrSelections[0]) * PcrSelectionOut->count) {
> + DEBUG ((EFI_D_ERROR, "Tpm2PcrRead - Digests->count -%x or
> + RecvBufferSize Error - %x\n", PcrSelectionOut->count,
> + RecvBufferSize));
> return EFI_DEVICE_ERROR;
> }
> for (Index = 0; Index < PcrSelectionOut->count; Index++) {
> PcrSelectionOut->pcrSelections[Index].hash =
> SwapBytes16(RecvBuffer.PcrSelectionOut.pcrSelections[Index].hash);
> PcrSelectionOut->pcrSelections[Index].sizeofSelect =
> RecvBuffer.PcrSelectionOut.pcrSelections[Index].sizeofSelect;
> + if (PcrSelectionOut->pcrSelections[Index].sizeofSelect > PCR_SELECT_MAX)
> {
> + return EFI_DEVICE_ERROR;
> + }
> CopyMem (&PcrSelectionOut->pcrSelections[Index].pcrSelect,
> &RecvBuffer.PcrSelectionOut.pcrSelections[Index].pcrSelect,
> PcrSelectionOut->pcrSelections[Index].sizeofSelect);
> }
>
> //
> // PcrValues
> //
> PcrValuesOut = (TPML_DIGEST *)((UINT8 *)&RecvBuffer + sizeof
> (TPM2_RESPONSE_HEADER) + sizeof(RecvBuffer.PcrUpdateCounter) +
> sizeof(RecvBuffer.PcrSelectionOut.count) +
> sizeof(RecvBuffer.PcrSelectionOut.pcrSelections[0]) * PcrSelectionOut->count);
> PcrValues->count = SwapBytes32(PcrValuesOut->count);
> + if (PcrValues->count > 8) {
> + return EFI_DEVICE_ERROR;
> + }
> Digests = PcrValuesOut->digests;
> for (Index = 0; Index < PcrValues->count; Index++) {
> PcrValues->digests[Index].size = SwapBytes16(Digests->size);
> + if (PcrValues->digests[Index].size > sizeof(TPMU_HA)) {
> + return EFI_DEVICE_ERROR;
> + }
> CopyMem (&PcrValues->digests[Index].buffer, &Digests->buffer,
> PcrValues->digests[Index].size);
> Digests = (TPM2B_DIGEST *)((UINT8 *)Digests + sizeof(Digests->size) +
> PcrValues->digests[Index].size);
> }
>
> return EFI_SUCCESS;
> diff --git a/SecurityPkg/Library/Tpm2CommandLib/Tpm2NVStorage.c
> b/SecurityPkg/Library/Tpm2CommandLib/Tpm2NVStorage.c
> index 9508022132..2b87260764 100644
> --- a/SecurityPkg/Library/Tpm2CommandLib/Tpm2NVStorage.c
> +++ b/SecurityPkg/Library/Tpm2CommandLib/Tpm2NVStorage.c
> @@ -1,9 +1,9 @@
> /** @file
> Implement TPM2 NVStorage related command.
>
> -Copyright (c) 2013 - 2016, Intel Corporation. All rights reserved. <BR>
> +Copyright (c) 2013 - 2018, Intel Corporation. All rights reserved. <BR>
> This program and the accompanying materials are licensed and made
> available under the terms and conditions of the BSD License which
> accompanies this distribution. The full text of the license may be found at
> http://opensource.org/licenses/bsd-license.php
>
> @@ -232,13 +232,18 @@ Tpm2NvReadPublic (
>
> //
> // Basic check
> //
> NvPublicSize = SwapBytes16 (RecvBuffer.NvPublic.size);
> + if (NvPublicSize > sizeof(TPMS_NV_PUBLIC)) {
> + return EFI_DEVICE_ERROR;
> + }
> +
> NvNameSize = SwapBytes16 (ReadUnaligned16 ((UINT16 *)((UINT8
> *)&RecvBuffer + sizeof(TPM2_RESPONSE_HEADER) + sizeof(UINT16) +
> NvPublicSize)));
>
> - if (RecvBufferSize != sizeof(TPM2_RESPONSE_HEADER) + sizeof(UINT16) +
> NvPublicSize + sizeof(UINT16) + NvNameSize) {
> + if (NvNameSize > sizeof(TPMU_NAME) ||
> + (RecvBufferSize != sizeof(TPM2_RESPONSE_HEADER) + sizeof(UINT16)
> + + NvPublicSize + sizeof(UINT16) + NvNameSize)) {
> DEBUG ((EFI_D_ERROR, "Tpm2NvReadPublic - RecvBufferSize Error -
> NvPublicSize %x, NvNameSize %x\n", RecvBufferSize, NvNameSize));
> return EFI_NOT_FOUND;
> }
>
> //
> @@ -630,10 +635,15 @@ Tpm2NvRead (
>
> //
> // Return the response
> //
> OutData->size = SwapBytes16 (RecvBuffer.Data.size);
> + if (OutData->size > MAX_DIGEST_BUFFER) {
> + Status = EFI_DEVICE_ERROR;
> + goto Done;
> + }
> +
> CopyMem (OutData->buffer, &RecvBuffer.Data.buffer, OutData->size);
>
> Done:
> //
> // Clear AuthSession Content
> diff --git a/SecurityPkg/Library/Tpm2CommandLib/Tpm2Object.c
> b/SecurityPkg/Library/Tpm2CommandLib/Tpm2Object.c
> index e070ff2f74..e9f693b65d 100644
> --- a/SecurityPkg/Library/Tpm2CommandLib/Tpm2Object.c
> +++ b/SecurityPkg/Library/Tpm2CommandLib/Tpm2Object.c
> @@ -1,9 +1,9 @@
> /** @file
> Implement TPM2 Object related command.
>
> -Copyright (c) 2017, Intel Corporation. All rights reserved. <BR>
> +Copyright (c) 2017 - 2018, Intel Corporation. All rights reserved. <BR>
> This program and the accompanying materials are licensed and made
> available under the terms and conditions of the BSD License which
> accompanies this distribution. The full text of the license may be found at
> http://opensource.org/licenses/bsd-license.php
>
> @@ -107,15 +107,26 @@ Tpm2ReadPublic (
>
> //
> // Basic check
> //
> OutPublicSize = SwapBytes16 (RecvBuffer.OutPublic.size);
> + if (OutPublicSize > sizeof(TPMT_PUBLIC)) {
> + return EFI_DEVICE_ERROR;
> + }
> +
> NameSize = SwapBytes16 (ReadUnaligned16 ((UINT16 *)((UINT8
> *)&RecvBuffer + sizeof(TPM2_RESPONSE_HEADER) +
> sizeof(UINT16) + OutPublicSize)));
> + if (NameSize > sizeof(TPMU_NAME)) {
> + return EFI_DEVICE_ERROR;
> + }
> +
> QualifiedNameSize = SwapBytes16 (ReadUnaligned16 ((UINT16 *)((UINT8
> *)&RecvBuffer + sizeof(TPM2_RESPONSE_HEADER) +
> sizeof(UINT16) + OutPublicSize +
> sizeof(UINT16) + NameSize)));
> + if (QualifiedNameSize > sizeof(TPMU_NAME)) {
> + return EFI_DEVICE_ERROR;
> + }
>
> if (RecvBufferSize != sizeof(TPM2_RESPONSE_HEADER) + sizeof(UINT16) +
> OutPublicSize + sizeof(UINT16) + NameSize + sizeof(UINT16) +
> QualifiedNameSize) {
> DEBUG ((DEBUG_ERROR, "Tpm2ReadPublic - RecvBufferSize %x Error -
> OutPublicSize %x, NameSize %x, QualifiedNameSize %x\n", RecvBufferSize,
> OutPublicSize, NameSize, QualifiedNameSize));
> return EFI_DEVICE_ERROR;
> }
> @@ -130,10 +141,13 @@ Tpm2ReadPublic (
> OutPublic->publicArea.nameAlg = SwapBytes16
> (OutPublic->publicArea.nameAlg);
> WriteUnaligned32 ((UINT32 *)&OutPublic->publicArea.objectAttributes,
> SwapBytes32 (ReadUnaligned32 ((UINT32
> *)&OutPublic->publicArea.objectAttributes)));
> Buffer = (UINT8 *)&RecvBuffer.OutPublic.publicArea.authPolicy;
> OutPublic->publicArea.authPolicy.size = SwapBytes16 (ReadUnaligned16
> ((UINT16 *)Buffer));
> Buffer += sizeof(UINT16);
> + if (OutPublic->publicArea.authPolicy.size > sizeof(TPMU_HA)) {
> + return EFI_DEVICE_ERROR;
> + }
> CopyMem (OutPublic->publicArea.authPolicy.buffer, Buffer,
> OutPublic->publicArea.authPolicy.size);
> Buffer += OutPublic->publicArea.authPolicy.size;
>
> // TPMU_PUBLIC_PARMS
> switch (OutPublic->publicArea.type) { @@ -305,32 +319,47 @@
> Tpm2ReadPublic (
> // TPMU_PUBLIC_ID
> switch (OutPublic->publicArea.type) {
> case TPM_ALG_KEYEDHASH:
> OutPublic->publicArea.unique.keyedHash.size = SwapBytes16
> (ReadUnaligned16 ((UINT16 *)Buffer));
> Buffer += sizeof(UINT16);
> + if(OutPublic->publicArea.unique.keyedHash.size > sizeof(TPMU_HA)) {
> + return EFI_DEVICE_ERROR;
> + }
> CopyMem (OutPublic->publicArea.unique.keyedHash.buffer, Buffer,
> OutPublic->publicArea.unique.keyedHash.size);
> Buffer += OutPublic->publicArea.unique.keyedHash.size;
> break;
> case TPM_ALG_SYMCIPHER:
> OutPublic->publicArea.unique.sym.size = SwapBytes16 (ReadUnaligned16
> ((UINT16 *)Buffer));
> Buffer += sizeof(UINT16);
> + if(OutPublic->publicArea.unique.sym.size > sizeof(TPMU_HA)) {
> + return EFI_DEVICE_ERROR;
> + }
> CopyMem (OutPublic->publicArea.unique.sym.buffer, Buffer,
> OutPublic->publicArea.unique.sym.size);
> Buffer += OutPublic->publicArea.unique.sym.size;
> break;
> case TPM_ALG_RSA:
> OutPublic->publicArea.unique.rsa.size = SwapBytes16 (ReadUnaligned16
> ((UINT16 *)Buffer));
> Buffer += sizeof(UINT16);
> + if(OutPublic->publicArea.unique.rsa.size > MAX_RSA_KEY_BYTES) {
> + return EFI_DEVICE_ERROR;
> + }
> CopyMem (OutPublic->publicArea.unique.rsa.buffer, Buffer,
> OutPublic->publicArea.unique.rsa.size);
> Buffer += OutPublic->publicArea.unique.rsa.size;
> break;
> case TPM_ALG_ECC:
> OutPublic->publicArea.unique.ecc.x.size = SwapBytes16
> (ReadUnaligned16 ((UINT16 *)Buffer));
> Buffer += sizeof(UINT16);
> + if (OutPublic->publicArea.unique.ecc.x.size > MAX_ECC_KEY_BYTES) {
> + return EFI_DEVICE_ERROR;
> + }
> CopyMem (OutPublic->publicArea.unique.ecc.x.buffer, Buffer,
> OutPublic->publicArea.unique.ecc.x.size);
> Buffer += OutPublic->publicArea.unique.ecc.x.size;
> OutPublic->publicArea.unique.ecc.y.size = SwapBytes16 (ReadUnaligned16
> ((UINT16 *)Buffer));
> Buffer += sizeof(UINT16);
> + if (OutPublic->publicArea.unique.ecc.y.size > MAX_ECC_KEY_BYTES) {
> + return EFI_DEVICE_ERROR;
> + }
> CopyMem (OutPublic->publicArea.unique.ecc.y.buffer, Buffer,
> OutPublic->publicArea.unique.ecc.y.size);
> Buffer += OutPublic->publicArea.unique.ecc.y.size;
> break;
> default:
> return EFI_UNSUPPORTED;
> diff --git a/SecurityPkg/Library/Tpm2CommandLib/Tpm2Sequences.c
> b/SecurityPkg/Library/Tpm2CommandLib/Tpm2Sequences.c
> index 305b6f2078..68a445bafc 100644
> --- a/SecurityPkg/Library/Tpm2CommandLib/Tpm2Sequences.c
> +++ b/SecurityPkg/Library/Tpm2CommandLib/Tpm2Sequences.c
> @@ -1,9 +1,9 @@
> /** @file
> Implement TPM2 Sequences related command.
>
> -Copyright (c) 2013, Intel Corporation. All rights reserved. <BR>
> +Copyright (c) 2013 - 2018, Intel Corporation. All rights reserved. <BR>
> This program and the accompanying materials are licensed and made
> available under the terms and conditions of the BSD License which
> accompanies this distribution. The full text of the license may be found at
> http://opensource.org/licenses/bsd-license.php
>
> @@ -373,10 +373,14 @@ Tpm2EventSequenceComplete (
>
> BufferPtr = (UINT8 *)&Res.Results;
>
> // count
> Results->count = SwapBytes32(ReadUnaligned32 ((UINT32 *)BufferPtr));
> + if (Results->count > HASH_COUNT) {
> + return EFI_DEVICE_ERROR;
> + }
> +
> BufferPtr += sizeof(UINT32);
>
> for (Index = 0; Index < Results->count; Index++) {
> Results->digests[Index].hashAlg = SwapBytes16(ReadUnaligned16
> ((UINT16 *)BufferPtr));
> BufferPtr += sizeof(UINT16);
> @@ -494,10 +498,14 @@ Tpm2SequenceComplete (
>
> BufferPtr = (UINT8 *)&Res.Digest;
>
> // digestSize
> Result->size = SwapBytes16(ReadUnaligned16 ((UINT16 *)BufferPtr));
> + if (Result->size > sizeof(TPMU_HA)){
> + return EFI_DEVICE_ERROR;
> + }
> +
> BufferPtr += sizeof(UINT16);
>
> CopyMem(
> Result->buffer,
> BufferPtr,
> diff --git a/SecurityPkg/Library/Tpm2CommandLib/Tpm2Session.c
> b/SecurityPkg/Library/Tpm2CommandLib/Tpm2Session.c
> index f03b6689ac..0c9b310e54 100644
> --- a/SecurityPkg/Library/Tpm2CommandLib/Tpm2Session.c
> +++ b/SecurityPkg/Library/Tpm2CommandLib/Tpm2Session.c
> @@ -1,9 +1,9 @@
> /** @file
> Implement TPM2 Session related command.
>
> -Copyright (c) 2014, Intel Corporation. All rights reserved. <BR>
> +Copyright (c) 2014 - 2018, Intel Corporation. All rights reserved. <BR>
> This program and the accompanying materials are licensed and made
> available under the terms and conditions of the BSD License which
> accompanies this distribution. The full text of the license may be found at
> http://opensource.org/licenses/bsd-license.php
>
> @@ -161,9 +161,13 @@ Tpm2StartAuthSession (
> //
> // Return the response
> //
> *SessionHandle = SwapBytes32 (RecvBuffer.SessionHandle);
> NonceTPM->size = SwapBytes16 (RecvBuffer.NonceTPM.size);
> + if (NonceTPM->size > sizeof(TPMU_HA)) {
> + return EFI_DEVICE_ERROR;
> + }
> +
> CopyMem (NonceTPM->buffer, &RecvBuffer.NonceTPM.buffer,
> NonceTPM->size);
>
> return EFI_SUCCESS;
> }
> --
> 2.16.2.windows.1
^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2018-03-21 6:43 UTC | newest]
Thread overview: 5+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2018-03-20 8:35 [Patch] SecurityPkg Tpm2CommandLib: Fix TPM2.0 response memory overflow Zhang, Chao B
2018-03-21 2:57 ` Long, Qin
2018-03-21 3:03 ` Zhang, Chao B
2018-03-21 6:39 ` Yao, Jiewen
2018-03-21 6:49 ` Zhang, Chao B
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox