sravan/system76-edk2
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

SecurityPkg Tpm2CommandLib: Fix TPM2.0 response memory overflow

Browse Source 
TPM2.0 command lib always assumes TPM device and transmission channel can
respond correctly. But it is not true when communication channel is exploited
and wrong data is spoofed. Add more logic to prohibit memory overflow attack.

Cc: Long Qin <qin.long@intel.com>
Cc: Yao Jiewen <jiewen.yao@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Chao Zhang <chao.b.zhang@intel.com>
Reviewed-by: Long Qin <qin.long@intel.com>
Reviewed-by: Yao Jiewen <jiewen.yao@intel.com>
This commit is contained in:
Zhang, Chao B
2018-03-20 16:32:11 +08:00
parent ca2c8725c4
commit dd577319e8
8 changed files with 151 additions and 10 deletions
Download Patch File Download Diff File Expand all files Collapse all files

13
SecurityPkg/Library/Tpm2CommandLib/Tpm2Help.c
View File

@ -1,7 +1,7 @@
/** @file
Implement TPM2 help.
Copyright (c) 2013 - 2017, Intel Corporation. All rights reserved. <BR>
Copyright (c) 2013 - 2018, Intel Corporation. All rights reserved. <BR>
This program and the accompanying materials
are licensed and made available under the terms and conditions of the BSD License
which accompanies this distribution. The full text of the license may be found at
@ -150,7 +150,8 @@ CopyAuthSessionCommand (
@param [in] AuthSessionIn Input AuthSession data in TPM2 response buffer
@param [out] AuthSessionOut Output AuthSession data
@return AuthSession size
@return 0 copy failed
else AuthSession size
**/
UINT32
EFIAPI
@ -171,6 +172,10 @@ CopyAuthSessionResponse (
// nonce
AuthSessionOut->nonce.size = SwapBytes16 (ReadUnaligned16 ((UINT16 *)Buffer));
Buffer += sizeof(UINT16);
if (AuthSessionOut->nonce.size > sizeof(TPMU_HA)) {
DEBUG ((DEBUG_ERROR, "CopyAuthSessionResponse - nonce.size error %x\n", AuthSessionOut->nonce.size));
return 0;
}
CopyMem (AuthSessionOut->nonce.buffer, Buffer, AuthSessionOut->nonce.size);
Buffer += AuthSessionOut->nonce.size;
@ -182,6 +187,10 @@ CopyAuthSessionResponse (
// hmac
AuthSessionOut->hmac.size = SwapBytes16 (ReadUnaligned16 ((UINT16 *)Buffer));
Buffer += sizeof(UINT16);
if (AuthSessionOut->hmac.size > sizeof(TPMU_HA)) {
DEBUG ((DEBUG_ERROR, "CopyAuthSessionResponse - hmac.size error %x\n", AuthSessionOut->hmac.size));
return 0;
}
CopyMem (AuthSessionOut->hmac.buffer, Buffer, AuthSessionOut->hmac.size);
Buffer += AuthSessionOut->hmac.size;