SecurityPkg OpalPasswordSupportLib: Add check to avoid potential buffer overflow.

Current code not check the CommunicationBuffer size before use it. Attacker can read beyond the end of the (untrusted) commbuffer into controlled memory. Attacker can get access outside of valid SMM memory regions. This patch add check before use it. bugz: https://bugzilla.tianocore.org/show_bug.cgi?id=198 Cc: Yao Jiewen <jiewen.yao@intel.com> Cc: Wu Hao <hao.a.wu@intel.com> Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: Eric Dong <eric.dong@intel.com> Reviewed-by: Yao Jiewen <jiewen.yao@intel.com>
2018-07-31 13:13:20 +08:00
parent c4c7fb388e
commit 87acb6e298
4 changed files with 42 additions and 24 deletions
--- a/SecurityPkg/Tcg/Opal/OpalPasswordSmm/OpalPasswordSmm.h
+++ b/SecurityPkg/Tcg/Opal/OpalPasswordSmm/OpalPasswordSmm.h
@@ -64,10 +64,6 @@ WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
 // The payload Length of HDD related ATA commands
 //
 #define HDD_PAYLOAD                      512
-//
-// According to ATA spec, the max Length of hdd password is 32 bytes
-//
-#define OPAL_PASSWORD_MAX_LENGTH         32

 extern VOID                              *mBuffer;

@@ -124,7 +120,7 @@ typedef struct {

  UINT32                                   NvmeNamespaceId;

-  UINT8                                    Password[32];
+  UINT8                                    Password[OPAL_PASSWORD_MAX_LENGTH];
  UINT8                                    PasswordLength;

  UINT32                                   Length;