diff options
| author | czhang46 <czhang46@6f19259b-4bc3-4df7-8a09-765794883524> | 2012-08-17 07:59:51 +0000 |
|---|---|---|
| committer | czhang46 <czhang46@6f19259b-4bc3-4df7-8a09-765794883524> | 2012-08-17 07:59:51 +0000 |
| commit | be02dcee3a28cfd2e340dec5b262657aea5e0655 (patch) | |
| tree | 59e133728c08d04ff58f2066ae218433646b5b60 /SecurityPkg/Tcg/TcgDxe | |
| parent | f58f3de07ef4531828c108ea099ff637f8c52d1f (diff) | |
| download | edk2-be02dcee3a28cfd2e340dec5b262657aea5e0655.tar.gz edk2-be02dcee3a28cfd2e340dec5b262657aea5e0655.tar.bz2 edk2-be02dcee3a28cfd2e340dec5b262657aea5e0655.zip | |
Fix TCG protocol PassThroughToTpm() SDL issue
Signed-off-by: Chao Zhang <chao.b.zhang@intel.com>
Reviewed-by : Dong Guo <guo.dong@intel.com>
Reviewed-by : Fu, Siyuan <siyuan.fu@intel.com>
git-svn-id: https://edk2.svn.sourceforge.net/svnroot/edk2/trunk/edk2@13646 6f19259b-4bc3-4df7-8a09-765794883524
Diffstat (limited to 'SecurityPkg/Tcg/TcgDxe')
| -rw-r--r-- | SecurityPkg/Tcg/TcgDxe/TcgDxe.c | 16 | ||||
| -rw-r--r-- | SecurityPkg/Tcg/TcgDxe/TisDxe.c | 18 |
2 files changed, 31 insertions, 3 deletions
diff --git a/SecurityPkg/Tcg/TcgDxe/TcgDxe.c b/SecurityPkg/Tcg/TcgDxe/TcgDxe.c index 75c6a8978f..fea59c35b6 100644 --- a/SecurityPkg/Tcg/TcgDxe/TcgDxe.c +++ b/SecurityPkg/Tcg/TcgDxe/TcgDxe.c @@ -1,6 +1,13 @@ /** @file
This module implements TCG EFI Protocol.
-
+
+Caution: This module requires additional review when modified.
+This driver will have external input - TcgDxePassThroughToTpm
+This external input must be validated carefully to avoid security issue like
+buffer overflow, integer overflow.
+
+TcgDxePassThroughToTpm() will receive untrusted input and do basic validation.
+
Copyright (c) 2005 - 2012, Intel Corporation. All rights reserved.<BR>
This program and the accompanying materials
are licensed and made available under the terms and conditions of the BSD License
@@ -384,6 +391,13 @@ TcgDxePassThroughToTpm ( {
TCG_DXE_DATA *TcgData;
+ if (TpmInputParameterBlock == NULL ||
+ TpmOutputParameterBlock == NULL ||
+ TpmInputParameterBlockSize == 0 ||
+ TpmOutputParameterBlockSize == 0) {
+ return EFI_INVALID_PARAMETER;
+ }
+
TcgData = TCG_DXE_DATA_FROM_THIS (This);
return TisPcExecute (
diff --git a/SecurityPkg/Tcg/TcgDxe/TisDxe.c b/SecurityPkg/Tcg/TcgDxe/TisDxe.c index 68489d3e3f..e7e0f9e405 100644 --- a/SecurityPkg/Tcg/TcgDxe/TisDxe.c +++ b/SecurityPkg/Tcg/TcgDxe/TisDxe.c @@ -233,6 +233,13 @@ TisPcSendV ( return EFI_INVALID_PARAMETER;
}
+ //
+ // Check input to avoid overflow.
+ //
+ if ((UINT32) (~0)- *DataLength < (UINT32)Size) {
+ return EFI_INVALID_PARAMETER;
+ }
+
if(*DataLength + (UINT32) Size > TPMCMDBUFLENGTH) {
return EFI_BUFFER_TOO_SMALL;
}
@@ -291,9 +298,16 @@ TisPcReceiveV ( case 'r':
Size = VA_ARG (*ap, UINTN);
- if(*DataIndex + (UINT32) Size <= RespSize) {
- break;
+ //
+ // If overflowed, which means Size is big enough for Response data.
+ // skip this check. Copy the whole data
+ //
+ if ((UINT32) (~0)- *DataIndex >= (UINT32)Size) {
+ if(*DataIndex + (UINT32) Size <= RespSize) {
+ break;
+ }
}
+
*DataFinished = TRUE;
if (*DataIndex >= RespSize) {
return EFI_SUCCESS;
|