From: "Zhang, Chao B"
To: "Long, Qin", edk2-devel@lists.01.org
CC: "Yao, Jiewen"
Date: Wed, 21 Mar 2018 03:03:25 +0000
Subject: Re: [Patch] SecurityPkg Tpm2CommandLib: Fix TPM2.0 response memory overflow
References: <20180320083533.26316-1-chao.b.zhang@intel.com>

Thanks Qin, I will add more comments to explain the magic code.

-----Original Message-----
From: Long, Qin
Sent: Wednesday, March 21, 2018 10:58 AM
To: Zhang, Chao B; edk2-devel@lists.01.org
Cc: Yao, Jiewen
Subject: RE: [Patch] SecurityPkg Tpm2CommandLib: Fix TPM2.0 response memory overflow

Hi, Chao,

One minor suggestion: add a comment to explain the following value "8": the number of digests in the list is not greater than 8 per the TPML_DIGEST definition.

+ if (PcrValues->count > 8) {
+ return EFI_DEVICE_ERROR;
+ }

Otherwise it looks good to me.

Reviewed-by: Long Qin

Best Regards & Thanks,
LONG, Qin

-----Original Message-----
From: Zhang, Chao B
Sent: Tuesday, March 20, 2018 4:36 PM
To: edk2-devel@lists.01.org
Cc: Long, Qin; Yao, Jiewen; Zhang, Chao B
Subject: [Patch] SecurityPkg Tpm2CommandLib: Fix TPM2.0 response memory overflow

The TPM2.0 command lib always assumes the TPM device and transmission channel respond correctly. But that is not true when the communication channel is exploited and wrong data is spoofed. Add more logic to prohibit memory overflow attacks.

Cc: Long Qin
Cc: Yao Jiewen
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Chao Zhang
Signed-off-by: Zhang, Chao B
---
 .../Library/Tpm2CommandLib/Tpm2Capability.c        | 21 ++++++++++++++-
 .../Tpm2CommandLib/Tpm2EnhancedAuthorization.c     | 16 ++++++++++-
 SecurityPkg/Library/Tpm2CommandLib/Tpm2Integrity.c | 19 ++++++++++---
 SecurityPkg/Library/Tpm2CommandLib/Tpm2NVStorage.c | 14 ++++++++--
 SecurityPkg/Library/Tpm2CommandLib/Tpm2Object.c    | 31 +++++++++++++++++++++-
 SecurityPkg/Library/Tpm2CommandLib/Tpm2Sequences.c | 10 ++++++-
 SecurityPkg/Library/Tpm2CommandLib/Tpm2Session.c   |  6 ++++-
 7 files changed, 107 insertions(+), 10 deletions(-)

diff --git a/SecurityPkg/Library/Tpm2CommandLib/Tpm2Capability.c b/SecurityPkg/Library/Tpm2CommandLib/Tpm2Capability.c
index 79e80fb7a9..42afe107a6 100644
--- a/SecurityPkg/Library/Tpm2CommandLib/Tpm2Capability.c
+++ b/SecurityPkg/Library/Tpm2CommandLib/Tpm2Capability.c
@@ -1,9 +1,9 @@ /** @file Implement TPM2 Capability related command. =20 -Copyright (c) 2013 - 2016, Intel Corporation. All rights reserved.
+Copyright (c) 2013 - 2018, Intel Corporation. All rights reserved.
This program and the accompanying materials are licensed and made availab= le under the terms and conditions of the BSD License which accompanies thi= s distribution. The full text of the license may be found at http://opens= ource.org/licenses/bsd-license.php =20 @@ -110,10 +110,18 @@ Tpm2GetCapability ( =20 if (RecvBufferSize <=3D sizeof (TPM2_RESPONSE_HEADER) + sizeof (UINT8)) = { return EFI_DEVICE_ERROR; } =20 + // + // Fail if command failed + // + if (SwapBytes32(RecvBuffer.Header.responseCode) !=3D TPM_RC_SUCCESS) { + DEBUG ((EFI_D_ERROR, "Tpm2GetCapability: Response Code error! 0x%08x\r= \n", SwapBytes32(RecvBuffer.Header.responseCode))); + return EFI_DEVICE_ERROR; + } + // // Return the response // *MoreData =3D RecvBuffer.MoreData; // @@ -327,10 +335,14 @@ Tpm2GetCapabilitySupportedAlg ( } =20 CopyMem (AlgList, &TpmCap.data.algorithms, sizeof (TPML_ALG_PROPERTY)); =20 AlgList->count =3D SwapBytes32 (AlgList->count); + if (AlgList->count > MAX_CAP_ALGS) { + return EFI_DEVICE_ERROR; + } + for (Index =3D 0; Index < AlgList->count; Index++) { AlgList->algProperties[Index].alg =3D SwapBytes16 (AlgList->algPropert= ies[Index].alg); WriteUnaligned32 ((UINT32 *)&AlgList->algProperties[Index].algProperti= es, SwapBytes32 (ReadUnaligned32 ((UINT32 *)&AlgList->algProperties[Index].= algProperties))); } =20 
@@ -474,13 +486,20 @@ Tpm2GetCapabilityPcrs ( if (EFI_ERROR (Status)) { return Status; } =20 Pcrs->count =3D SwapBytes32 (TpmCap.data.assignedPCR.count); + if (Pcrs->count > HASH_COUNT) { + return EFI_DEVICE_ERROR; + } + for (Index =3D 0; Index < Pcrs->count; Index++) { Pcrs->pcrSelections[Index].hash =3D SwapBytes16 (TpmCap.data.assignedP= CR.pcrSelections[Index].hash); Pcrs->pcrSelections[Index].sizeofSelect =3D TpmCap.data.assignedPCR.pc= rSelections[Index].sizeofSelect; + if (Pcrs->pcrSelections[Index].sizeofSelect > PCR_SELECT_MAX) { + return EFI_DEVICE_ERROR; + } CopyMem (Pcrs->pcrSelections[Index].pcrSelect, TpmCap.data.assignedPCR= .pcrSelections[Index].pcrSelect, Pcrs->pcrSelections[Index].sizeofSelect); } =20 return EFI_SUCCESS; } diff --git a/SecurityPkg/Library/Tpm2CommandLib/Tpm2EnhancedAuthorization.c= b/SecurityPkg/Library/Tpm2CommandLib/Tpm2EnhancedAuthorization.c index 6f6b3693f8..3e42875b83 100644 --- a/SecurityPkg/Library/Tpm2CommandLib/Tpm2EnhancedAuthorization.c +++ b/SecurityPkg/Library/Tpm2CommandLib/Tpm2EnhancedAuthorization.c @@ -1,9 +1,9 @@ /** @file Implement TPM2 EnhancedAuthorization related command. =20 -Copyright (c) 2014 - 2016, Intel Corporation. All rights reserved.
+Copyright (c) 2014 - 2018, Intel Corporation. All rights reserved.
This program and the accompanying materials are licensed and made availab= le under the terms and conditions of the BSD License which accompanies thi= s distribution. The full text of the license may be found at http://opens= ource.org/licenses/bsd-license.php =20 @@ -178,19 +178,29 @@ Tpm2PolicySecret ( // // Return the response // Buffer =3D (UINT8 *)&RecvBuffer.Timeout; Timeout->size =3D SwapBytes16(ReadUnaligned16 ((UINT16 *)Buffer)); + if (Timeout->size > sizeof(UINT64)) { + Status =3D EFI_DEVICE_ERROR; + goto Done; + } + Buffer +=3D sizeof(UINT16); CopyMem (Timeout->buffer, Buffer, Timeout->size); =20 PolicyTicket->tag =3D SwapBytes16(ReadUnaligned16 ((UINT16 *)Buffer)); Buffer +=3D sizeof(UINT16); PolicyTicket->hierarchy =3D SwapBytes32(ReadUnaligned32 ((UINT32 *)Buffe= r)); Buffer +=3D sizeof(UINT32); PolicyTicket->digest.size =3D SwapBytes16(ReadUnaligned16 ((UINT16 *)Buf= fer)); Buffer +=3D sizeof(UINT16); + if (PolicyTicket->digest.size > sizeof(TPMU_HA)) { + Status =3D EFI_DEVICE_ERROR; + goto Done; + } + CopyMem (PolicyTicket->digest.buffer, Buffer, PolicyTicket->digest.size)= ; =20 Done: // // Clear AuthSession Content @@ -377,9 +387,13 @@ Tpm2PolicyGetDigest ( =20 // // Return the response // PolicyHash->size =3D SwapBytes16 (RecvBuffer.PolicyHash.size); + if (PolicyHash->size > sizeof(TPMU_HA)) { + return EFI_DEVICE_ERROR; + } + CopyMem (PolicyHash->buffer, &RecvBuffer.PolicyHash.buffer, PolicyHash->= size); =20 return EFI_SUCCESS; } diff --git a/SecurityPkg/Library/Tpm2CommandLib/Tpm2Integrity.c b/SecurityP= kg/Library/Tpm2CommandLib/Tpm2Integrity.c index 8eacfe6c13..9c0b70dd93 100644 --- a/SecurityPkg/Library/Tpm2CommandLib/Tpm2Integrity.c +++ b/SecurityPkg/Library/Tpm2CommandLib/Tpm2Integrity.c @@ -1,9 +1,9 @@ /** @file Implement TPM2 Integrity related command. =20 -Copyright (c) 2013 - 2016, Intel Corporation. All rights reserved.
+Copyright (c) 2013 - 2018, Intel Corporation. All rights reserved.
This program and the accompanying materials are licensed and made availab= le under the terms and conditions of the BSD License which accompanies thi= s distribution. The full text of the license may be found at http://opens= ource.org/licenses/bsd-license.php =20 @@ -277,10 +277,14 @@ Tpm2PcrEvent ( // Unmarshal the response // Buffer =3D (UINT8 *)&Res.Digests; =20 Digests->count =3D SwapBytes32 (ReadUnaligned32 ((UINT32 *)Buffer)); + if (Digests->count > HASH_COUNT) { + return EFI_DEVICE_ERROR; + } + Buffer +=3D sizeof(UINT32); for (Index =3D 0; Index < Digests->count; Index++) { Digests->digests[Index].hashAlg =3D SwapBytes16 (ReadUnaligned16 ((UIN= T16 *)Buffer)); Buffer +=3D sizeof(UINT16); DigestSize =3D GetHashSizeFromAlgo (Digests->digests[Index].hashAlg); 
@@ -381,28 +385,37 @@ Tpm2PcrRead ( if (RecvBufferSize < sizeof (TPM2_RESPONSE_HEADER) + sizeof(RecvBuffer.P= crUpdateCounter) + sizeof(RecvBuffer.PcrSelectionOut.count)) { DEBUG ((EFI_D_ERROR, "Tpm2PcrRead - RecvBufferSize Error - %x\n", Recv= BufferSize)); return EFI_DEVICE_ERROR; } PcrSelectionOut->count =3D SwapBytes32(RecvBuffer.PcrSelectionOut.count)= ; - if (RecvBufferSize < sizeof (TPM2_RESPONSE_HEADER) + sizeof(RecvBuffer.P= crUpdateCounter) + sizeof(RecvBuffer.PcrSelectionOut.count) + sizeof(RecvBu= ffer.PcrSelectionOut.pcrSelections[0]) * PcrSelectionOut->count) { - DEBUG ((EFI_D_ERROR, "Tpm2PcrRead - RecvBufferSize Error - %x\n", Recv= BufferSize)); + if (PcrSelectionOut->count > HASH_COUNT || RecvBufferSize < sizeof (TPM2= _RESPONSE_HEADER) + sizeof(RecvBuffer.PcrUpdateCounter) + sizeof(RecvBuffer= .PcrSelectionOut.count) + sizeof(RecvBuffer.PcrSelectionOut.pcrSelections[0= ]) * PcrSelectionOut->count) { + DEBUG ((EFI_D_ERROR, "Tpm2PcrRead - Digests->count -%x or=20 + RecvBufferSize Error - %x\n", PcrSelectionOut->count,=20 + RecvBufferSize)); return EFI_DEVICE_ERROR; } for (Index =3D 0; Index < PcrSelectionOut->count; Index++) { PcrSelectionOut->pcrSelections[Index].hash =3D SwapBytes16(RecvBuffer.= PcrSelectionOut.pcrSelections[Index].hash); PcrSelectionOut->pcrSelections[Index].sizeofSelect =3D RecvBuffer.PcrS= electionOut.pcrSelections[Index].sizeofSelect; + if (PcrSelectionOut->pcrSelections[Index].sizeofSelect > PCR_SELECT_MA= X) { + return EFI_DEVICE_ERROR; + } CopyMem (&PcrSelectionOut->pcrSelections[Index].pcrSelect, &RecvBuffer= .PcrSelectionOut.pcrSelections[Index].pcrSelect, PcrSelectionOut->pcrSelect= ions[Index].sizeofSelect); } =20 // // PcrValues // PcrValuesOut =3D (TPML_DIGEST *)((UINT8 *)&RecvBuffer + sizeof (TPM2_RES= PONSE_HEADER) + sizeof(RecvBuffer.PcrUpdateCounter) + sizeof(RecvBuffer.Pcr= SelectionOut.count) + sizeof(RecvBuffer.PcrSelectionOut.pcrSelections[0]) *= PcrSelectionOut->count); PcrValues->count =3D 
SwapBytes32(PcrValuesOut->count); + if (PcrValues->count > 8) { + return EFI_DEVICE_ERROR; + } Digests =3D PcrValuesOut->digests; for (Index =3D 0; Index < PcrValues->count; Index++) { PcrValues->digests[Index].size =3D SwapBytes16(Digests->size); + if (PcrValues->digests[Index].size > sizeof(TPMU_HA)) { + return EFI_DEVICE_ERROR; + } CopyMem (&PcrValues->digests[Index].buffer, &Digests->buffer, PcrValue= s->digests[Index].size); Digests =3D (TPM2B_DIGEST *)((UINT8 *)Digests + sizeof(Digests->size) = + PcrValues->digests[Index].size); } =20 return EFI_SUCCESS; diff --git a/SecurityPkg/Library/Tpm2CommandLib/Tpm2NVStorage.c b/SecurityP= kg/Library/Tpm2CommandLib/Tpm2NVStorage.c index 9508022132..2b87260764 100644 --- a/SecurityPkg/Library/Tpm2CommandLib/Tpm2NVStorage.c +++ b/SecurityPkg/Library/Tpm2CommandLib/Tpm2NVStorage.c @@ -1,9 +1,9 @@ /** @file Implement TPM2 NVStorage related command. =20 -Copyright (c) 2013 - 2016, Intel Corporation. All rights reserved.
+Copyright (c) 2013 - 2018, Intel Corporation. All rights reserved.
This program and the accompanying materials are licensed and made availab= le under the terms and conditions of the BSD License which accompanies thi= s distribution. The full text of the license may be found at http://opens= ource.org/licenses/bsd-license.php =20 @@ -232,13 +232,18 @@ Tpm2NvReadPublic ( =20 // // Basic check // NvPublicSize =3D SwapBytes16 (RecvBuffer.NvPublic.size); + if (NvPublicSize > sizeof(TPMS_NV_PUBLIC)) { + return EFI_DEVICE_ERROR; + } + NvNameSize =3D SwapBytes16 (ReadUnaligned16 ((UINT16 *)((UINT8 *)&RecvBu= ffer + sizeof(TPM2_RESPONSE_HEADER) + sizeof(UINT16) + NvPublicSize))); =20 - if (RecvBufferSize !=3D sizeof(TPM2_RESPONSE_HEADER) + sizeof(UINT16) + = NvPublicSize + sizeof(UINT16) + NvNameSize) { + if (NvNameSize > sizeof(TPMU_NAME) || + (RecvBufferSize !=3D sizeof(TPM2_RESPONSE_HEADER) + sizeof(UINT16) + + NvPublicSize + sizeof(UINT16) + NvNameSize)) { DEBUG ((EFI_D_ERROR, "Tpm2NvReadPublic - RecvBufferSize Error - NvPubl= icSize %x, NvNameSize %x\n", RecvBufferSize, NvNameSize)); return EFI_NOT_FOUND; } =20 // @@ -630,10 +635,15 @@ Tpm2NvRead ( =20 // // Return the response // OutData->size =3D SwapBytes16 (RecvBuffer.Data.size); + if (OutData->size > MAX_DIGEST_BUFFER) { + Status =3D EFI_DEVICE_ERROR; + goto Done; + } + CopyMem (OutData->buffer, &RecvBuffer.Data.buffer, OutData->size); =20 Done: // // Clear AuthSession Content diff --git a/SecurityPkg/Library/Tpm2CommandLib/Tpm2Object.c b/SecurityPkg/= Library/Tpm2CommandLib/Tpm2Object.c index e070ff2f74..e9f693b65d 100644 --- a/SecurityPkg/Library/Tpm2CommandLib/Tpm2Object.c +++ b/SecurityPkg/Library/Tpm2CommandLib/Tpm2Object.c @@ -1,9 +1,9 @@ /** @file Implement TPM2 Object related command. =20 -Copyright (c) 2017, Intel Corporation. All rights reserved.
+Copyright (c) 2017 - 2018, Intel Corporation. All rights reserved.
This program and the accompanying materials are licensed and made availab= le under the terms and conditions of the BSD License which accompanies thi= s distribution. The full text of the license may be found at http://opens= ource.org/licenses/bsd-license.php =20 @@ -107,15 +107,26 @@ Tpm2ReadPublic ( =20 // // Basic check // OutPublicSize =3D SwapBytes16 (RecvBuffer.OutPublic.size); + if (OutPublicSize > sizeof(TPMT_PUBLIC)) { + return EFI_DEVICE_ERROR; + } + NameSize =3D SwapBytes16 (ReadUnaligned16 ((UINT16 *)((UINT8 *)&RecvBuff= er + sizeof(TPM2_RESPONSE_HEADER) + sizeof(UINT16) + OutPublicSize))); + if (NameSize > sizeof(TPMU_NAME)) { + return EFI_DEVICE_ERROR; + } + QualifiedNameSize =3D SwapBytes16 (ReadUnaligned16 ((UINT16 *)((UINT8 *)= &RecvBuffer + sizeof(TPM2_RESPONSE_HEADER) + sizeof(UINT16) + OutPublicSize + sizeof(UINT16) + NameSize))); + if (QualifiedNameSize > sizeof(TPMU_NAME)) { + return EFI_DEVICE_ERROR; + } =20 if (RecvBufferSize !=3D sizeof(TPM2_RESPONSE_HEADER) + sizeof(UINT16) + = OutPublicSize + sizeof(UINT16) + NameSize + sizeof(UINT16) + QualifiedNameS= ize) { DEBUG ((DEBUG_ERROR, "Tpm2ReadPublic - RecvBufferSize %x Error - OutPu= blicSize %x, NameSize %x, QualifiedNameSize %x\n", RecvBufferSize, OutPubli= cSize, NameSize, QualifiedNameSize)); return EFI_DEVICE_ERROR; } 
@@ -130,10 +141,13 @@ Tpm2ReadPublic ( OutPublic->publicArea.nameAlg =3D SwapBytes16 (OutPublic->publicArea.nam= eAlg); WriteUnaligned32 ((UINT32 *)&OutPublic->publicArea.objectAttributes, Swa= pBytes32 (ReadUnaligned32 ((UINT32 *)&OutPublic->publicArea.objectAttribute= s))); Buffer =3D (UINT8 *)&RecvBuffer.OutPublic.publicArea.authPolicy; OutPublic->publicArea.authPolicy.size =3D SwapBytes16 (ReadUnaligned16 (= (UINT16 *)Buffer)); Buffer +=3D sizeof(UINT16); + if (OutPublic->publicArea.authPolicy.size > sizeof(TPMU_HA)) { + return EFI_DEVICE_ERROR; + } CopyMem (OutPublic->publicArea.authPolicy.buffer, Buffer, OutPublic->pub= licArea.authPolicy.size); Buffer +=3D OutPublic->publicArea.authPolicy.size; =20 // TPMU_PUBLIC_PARMS switch (OutPublic->publicArea.type) { 
@@ -305,32 +319,47 @@ Tpm2ReadPubl= ic ( // TPMU_PUBLIC_ID switch (OutPublic->publicArea.type) { case TPM_ALG_KEYEDHASH: OutPublic->publicArea.unique.keyedHash.size =3D SwapBytes16 (ReadUnali= gned16 ((UINT16 *)Buffer)); Buffer +=3D sizeof(UINT16); + if(OutPublic->publicArea.unique.keyedHash.size > sizeof(TPMU_HA)) { + return EFI_DEVICE_ERROR; + } CopyMem (OutPublic->publicArea.unique.keyedHash.buffer, Buffer, OutPub= lic->publicArea.unique.keyedHash.size); Buffer +=3D OutPublic->publicArea.unique.keyedHash.size; break; case TPM_ALG_SYMCIPHER: OutPublic->publicArea.unique.sym.size =3D SwapBytes16 (ReadUnaligned16= ((UINT16 *)Buffer)); Buffer +=3D sizeof(UINT16); + if(OutPublic->publicArea.unique.sym.size > sizeof(TPMU_HA)) { + return EFI_DEVICE_ERROR; + } CopyMem (OutPublic->publicArea.unique.sym.buffer, Buffer, OutPublic->p= ublicArea.unique.sym.size); Buffer +=3D OutPublic->publicArea.unique.sym.size; break; case TPM_ALG_RSA: OutPublic->publicArea.unique.rsa.size =3D SwapBytes16 (ReadUnaligned16= ((UINT16 *)Buffer)); Buffer +=3D sizeof(UINT16); + if(OutPublic->publicArea.unique.rsa.size > MAX_RSA_KEY_BYTES) { + return EFI_DEVICE_ERROR; + } CopyMem (OutPublic->publicArea.unique.rsa.buffer, Buffer, OutPublic->p= ublicArea.unique.rsa.size); Buffer +=3D OutPublic->publicArea.unique.rsa.size; break; case TPM_ALG_ECC: OutPublic->publicArea.unique.ecc.x.size =3D SwapBytes16 (ReadUnaligned= 16 ((UINT16 *)Buffer)); Buffer +=3D sizeof(UINT16); + if (OutPublic->publicArea.unique.ecc.x.size > MAX_ECC_KEY_BYTES) { + return EFI_DEVICE_ERROR; + } CopyMem (OutPublic->publicArea.unique.ecc.x.buffer, Buffer, OutPublic-= >publicArea.unique.ecc.x.size); Buffer +=3D OutPublic->publicArea.unique.ecc.x.size; OutPublic->publicArea.unique.ecc.y.size =3D SwapBytes16 (ReadUnaligned= 16 ((UINT16 *)Buffer)); Buffer +=3D sizeof(UINT16); + if (OutPublic->publicArea.unique.ecc.y.size > MAX_ECC_KEY_BYTES) { + return EFI_DEVICE_ERROR; + } CopyMem (OutPublic->publicArea.unique.ecc.y.buffer, 
Buffer, OutPublic-= >publicArea.unique.ecc.y.size); Buffer +=3D OutPublic->publicArea.unique.ecc.y.size; break; default: return EFI_UNSUPPORTED; diff --git a/SecurityPkg/Library/Tpm2CommandLib/Tpm2Sequences.c b/SecurityP= kg/Library/Tpm2CommandLib/Tpm2Sequences.c index 305b6f2078..68a445bafc 100644 --- a/SecurityPkg/Library/Tpm2CommandLib/Tpm2Sequences.c +++ b/SecurityPkg/Library/Tpm2CommandLib/Tpm2Sequences.c @@ -1,9 +1,9 @@ /** @file Implement TPM2 Sequences related command. =20 -Copyright (c) 2013, Intel Corporation. All rights reserved.
+Copyright (c) 2013 - 2018, Intel Corporation. All rights reserved.
This program and the accompanying materials are licensed and made availab= le under the terms and conditions of the BSD License which accompanies thi= s distribution. The full text of the license may be found at http://opens= ource.org/licenses/bsd-license.php =20 @@ -373,10 +373,14 @@ Tpm2EventSequenceComplete ( =20 BufferPtr =3D (UINT8 *)&Res.Results; =20 // count Results->count =3D SwapBytes32(ReadUnaligned32 ((UINT32 *)BufferPtr)); + if (Results->count > HASH_COUNT) { + return EFI_DEVICE_ERROR; + } + BufferPtr +=3D sizeof(UINT32); =20 for (Index =3D 0; Index < Results->count; Index++) { Results->digests[Index].hashAlg =3D SwapBytes16(ReadUnaligned16 ((UINT= 16 *)BufferPtr)); BufferPtr +=3D sizeof(UINT16); @@ -494,10 +498,14 @@ Tpm2SequenceComplete ( =20 BufferPtr =3D (UINT8 *)&Res.Digest; =20 // digestSize Result->size =3D SwapBytes16(ReadUnaligned16 ((UINT16 *)BufferPtr)); + if (Result->size > sizeof(TPMU_HA)){ + return EFI_DEVICE_ERROR; + } + BufferPtr +=3D sizeof(UINT16); =20 CopyMem( Result->buffer, BufferPtr, diff --git a/SecurityPkg/Library/Tpm2CommandLib/Tpm2Session.c b/SecurityPkg= /Library/Tpm2CommandLib/Tpm2Session.c index f03b6689ac..0c9b310e54 100644 --- a/SecurityPkg/Library/Tpm2CommandLib/Tpm2Session.c +++ b/SecurityPkg/Library/Tpm2CommandLib/Tpm2Session.c @@ -1,9 +1,9 @@ /** @file Implement TPM2 Session related command. =20 -Copyright (c) 2014, Intel Corporation. All rights reserved.
+Copyright (c) 2014 - 2018, Intel Corporation. All rights reserved.
This program and the accompanying materials are licensed and made availab= le under the terms and conditions of the BSD License which accompanies thi= s distribution. The full text of the license may be found at http://opens= ource.org/licenses/bsd-license.php =20 @@ -161,9 +161,13 @@ Tpm2StartAuthSession ( // // Return the response // *SessionHandle =3D SwapBytes32 (RecvBuffer.SessionHandle); NonceTPM->size =3D SwapBytes16 (RecvBuffer.NonceTPM.size); + if (NonceTPM->size > sizeof(TPMU_HA)) { + return EFI_DEVICE_ERROR; + } + CopyMem (NonceTPM->buffer, &RecvBuffer.NonceTPM.buffer, NonceTPM->size); =20 return EFI_SUCCESS; } -- 2.16.2.windows.1