From: "Nayana Patel"
To: devel@edk2.groups.io
Cc: bhavana.s@intel.com, tabassum.yasmin@intel.com, Nayana Patel
Subject: [edk2-devel] [PATCH] Package/Module: edk2-platforms\Features\Intel\UserInterface\UserAuthFeaturePkg
Date: Mon, 18 Mar 2024 17:48:26 +0530

REF: https://bugzilla.tianocore.org/show_bug.cgi?id=4645

Clear out the variable SmmCommunicateSetPassword, which contains the password, before goto Exit, to avoid a vulnerability.

Signed-off-by: Nayana Patel
--- .../UserAuthenticationDxeSmm/UserAuthenticationSmm.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/Features/Intel/UserInterface/UserAuthFeaturePkg/UserAuthenticationDxeSmm/UserAuthenticationSmm.c b/Features/Intel/UserInterface/UserAuthFeaturePkg/UserAuthenticationDxeSmm/UserAuthenticationSmm.c index 98f40c1812..8d7c018688 100644 --- a/Features/Intel/UserInterface/UserAuthFeaturePkg/UserAuthenticationDxeSmm/UserAuthenticationSmm.c +++ b/Features/Intel/UserInterface/UserAuthFeaturePkg/UserAuthenticationDxeSmm/UserAuthenticationSmm.c
@@ -499,6 +499,7 @@ SmmPasswordHandler ( if (PasswordLen == sizeof(SmmCommunicateSetPassword.OldPassword)) { DEBUG ((DEBUG_ERROR, "SmmPasswordHandler: OldPassword invalid!\n")); Status = EFI_INVALID_PARAMETER; + ZeroMem (&SmmCommunicateSetPassword, sizeof (SmmCommunicateSetPassword)); goto EXIT; } @@ -510,6 +511,7 @@ SmmPasswordHandler ( } else { Status = EFI_SECURITY_VIOLATION; } + ZeroMem (&SmmCommunicateSetPassword, sizeof (SmmCommunicateSetPassword)); goto EXIT; } -- 2.26.2.windows.1
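
Review bot: In the first hunk (@@ -499,6 +499,7 @@), the new ZeroMem call in the "OldPassword invalid!" branch carries no comment saying why the whole SmmCommunicateSetPassword structure is wiped before `goto EXIT`. A one-line comment noting that the structure holds the caller's password data would keep the call from being dropped as redundant in a later cleanup.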
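
Review bot: In the second hunk (@@ -510,6 +511,7 @@), the ZeroMem added after the `else { Status = EFI_SECURITY_VIOLATION; }` block is the second identical copy of this cleanup in SmmPasswordHandler, each placed by hand in front of a `goto EXIT`. Both paths already converge on the EXIT label, so consider doing the wipe once at EXIT, provided SmmCommunicateSetPassword is in scope there, so that a `goto EXIT` added later cannot skip it. If some path must leave the structure populated, state that in the commit message.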