From be02dcee3a28cfd2e340dec5b262657aea5e0655 Mon Sep 17 00:00:00 2001
From: czhang46
Date: Fri, 17 Aug 2012 07:59:51 +0000
Subject: Fix TCG protocol PassThroughToTpm() SDL issue

Signed-off-by: Chao Zhang
Reviewed-by : Dong Guo
Reviewed-by : Fu, Siyuan

git-svn-id: https://edk2.svn.sourceforge.net/svnroot/edk2/trunk/edk2@13646 6f19259b-4bc3-4df7-8a09-765794883524
---
 SecurityPkg/Tcg/TcgDxe/TcgDxe.c | 16 +++++++++++++++-
 SecurityPkg/Tcg/TcgDxe/TisDxe.c | 18 ++++++++++++++++--
 2 files changed, 31 insertions(+), 3 deletions(-)

(limited to 'SecurityPkg/Tcg/TcgDxe')

diff --git a/SecurityPkg/Tcg/TcgDxe/TcgDxe.c b/SecurityPkg/Tcg/TcgDxe/TcgDxe.c
index 75c6a8978f..fea59c35b6 100644
--- a/SecurityPkg/Tcg/TcgDxe/TcgDxe.c
+++ b/SecurityPkg/Tcg/TcgDxe/TcgDxe.c
@@ -1,6 +1,13 @@
 /** @file
 This module implements TCG EFI Protocol.
-
+
+Caution: This module requires additional review when modified.
+This driver will have external input - TcgDxePassThroughToTpm
+This external input must be validated carefully to avoid security issue like
+buffer overflow, integer overflow.
+
+TcgDxePassThroughToTpm() will receive untrusted input and do basic validation.
+
 Copyright (c) 2005 - 2012, Intel Corporation. All rights reserved.
 This program and the accompanying materials
 are licensed and made available under the terms and conditions of the BSD License
@@ -384,6 +391,13 @@ TcgDxePassThroughToTpm (
 {
   TCG_DXE_DATA *TcgData;
 
+  if (TpmInputParameterBlock == NULL ||
+      TpmOutputParameterBlock == NULL ||
+      TpmInputParameterBlockSize == 0 ||
+      TpmOutputParameterBlockSize == 0) {
+    return EFI_INVALID_PARAMETER;
+  }
+
   TcgData = TCG_DXE_DATA_FROM_THIS (This);
 
   return TisPcExecute (
diff --git a/SecurityPkg/Tcg/TcgDxe/TisDxe.c b/SecurityPkg/Tcg/TcgDxe/TisDxe.c
index 68489d3e3f..e7e0f9e405 100644
--- a/SecurityPkg/Tcg/TcgDxe/TisDxe.c
+++ b/SecurityPkg/Tcg/TcgDxe/TisDxe.c
@@ -233,6 +233,13 @@ TisPcSendV (
       return EFI_INVALID_PARAMETER;
     }
 
+    //
+    // Check input to avoid overflow.
+    //
+    if ((UINT32) (~0)- *DataLength < (UINT32)Size) {
+      return EFI_INVALID_PARAMETER;
+    }
+
     if(*DataLength + (UINT32) Size > TPMCMDBUFLENGTH) {
       return EFI_BUFFER_TOO_SMALL;
     }
@@ -291,9 +298,16 @@ TisPcReceiveV (
 
     case 'r':
       Size = VA_ARG (*ap, UINTN);
-      if(*DataIndex + (UINT32) Size <= RespSize) {
-        break;
+      //
+      // If overflowed, which means Size is big enough for Response data.
+      // skip this check. Copy the whole data
+      //
+      if ((UINT32) (~0)- *DataIndex >= (UINT32)Size) {
+        if(*DataIndex + (UINT32) Size <= RespSize) {
+          break;
+        }
       }
+
       *DataFinished = TRUE;
       if (*DataIndex >= RespSize) {
         return EFI_SUCCESS;
-- 
cgit v1.2.3
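Review bot: The new guard in TcgDxePassThroughToTpm() rejects NULL buffers and zero sizes but accepts any non-zero TpmInputParameterBlockSize, so an input block shorter than a TPM command header is handed to TisPcExecute() unchanged; unless TisPcExecute() (not in this hunk) enforces a minimum length and reconciles the caller's size with the length field carried inside the command, a lower bound belongs here as well. The check also carries no comment linking it to the file-header note about untrusted input; suggest `// Untrusted caller input: reject missing buffers and empty sizes before they reach the TIS layer.` directly above the if. The remainder of TcgDxePassThroughToTpm() lies outside the hunk.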
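Review bot: The overflow check added to TisPcSendV() compares `(UINT32)Size`, so it only sees the low 32 bits of Size; if Size is UINTN here as it is in TisPcReceiveV(), a value above 0xFFFFFFFF passes both this test and the TPMCMDBUFLENGTH test on the following line with its truncated value, while any copy that uses the full Size (not visible in this hunk) would use the real one. Testing the untruncated value first closes that gap: `if (Size > (UINTN) TPMCMDBUFLENGTH || (UINT32) (~0) - *DataLength < (UINT32) Size) {`. The same truncating cast appears in the TisPcReceiveV() hunk below. `(UINT32) (~0)` would also read better as MAX_UINT32 if this tree's Base.h provides it. TisPcSendV() begins and ends outside the hunk.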
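Review bot: The new comment in TisPcReceiveV() is hard to follow: it presents the overflow case as a check being "skipped", whereas the code falls through to the partial-copy path whenever *DataIndex + Size either wraps or exceeds RespSize. Suggest replacing the three comment lines with `// If *DataIndex + Size wraps or exceeds RespSize, the caller's buffer is larger than the remaining response; fall through and copy only what is left.` split across `//` lines in this file's style. The `(UINT32)Size` cast here has the same truncation caveat raised on the TisPcSendV() hunk; guarding it with `if (Size <= (UINTN) (UINT32) (~0) && (UINT32) (~0) - *DataIndex >= (UINT32) Size) {` keeps oversized values on the fall-through path instead of letting a truncated value satisfy the fit test. The copy that follows this check is outside the hunk.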