diff --git a/SecurityPkg/Tcg/TcgDxe/TcgDxe.c b/SecurityPkg/Tcg/TcgDxe/TcgDxe.c
index 75c6a8978f..fea59c35b6 100644
--- a/SecurityPkg/Tcg/TcgDxe/TcgDxe.c
+++ b/SecurityPkg/Tcg/TcgDxe/TcgDxe.c
@@ -1,6 +1,13 @@
 /** @file
 This module implements TCG EFI Protocol.
-
+
+Caution: This module requires additional review when modified.
+This driver will have external input - TcgDxePassThroughToTpm
+This external input must be validated carefully to avoid security issue like
+buffer overflow, integer overflow.
+
+TcgDxePassThroughToTpm() will receive untrusted input and do basic validation.
+
 Copyright (c) 2005 - 2012, Intel Corporation. All rights reserved.
 This program and the accompanying materials
 are licensed and made available under the terms and conditions of the BSD License
@@ -384,6 +391,13 @@ TcgDxePassThroughToTpm (
 {
 TCG_DXE_DATA *TcgData;
+ if (TpmInputParameterBlock == NULL ||
+ TpmOutputParameterBlock == NULL ||
+ TpmInputParameterBlockSize == 0 ||
+ TpmOutputParameterBlockSize == 0) {
+ return EFI_INVALID_PARAMETER;
+ }
+
 TcgData = TCG_DXE_DATA_FROM_THIS (This);
 return TisPcExecute (
diff --git a/SecurityPkg/Tcg/TcgDxe/TisDxe.c b/SecurityPkg/Tcg/TcgDxe/TisDxe.c
index 68489d3e3f..e7e0f9e405 100644
--- a/SecurityPkg/Tcg/TcgDxe/TisDxe.c
+++ b/SecurityPkg/Tcg/TcgDxe/TisDxe.c
@@ -233,6 +233,13 @@ TisPcSendV (
 return EFI_INVALID_PARAMETER;
 }
+ //
+ // Check input to avoid overflow.
+ //
+ if ((UINT32) (~0)- *DataLength < (UINT32)Size) {
+ return EFI_INVALID_PARAMETER;
+ }
+
 if(*DataLength + (UINT32) Size > TPMCMDBUFLENGTH) {
 return EFI_BUFFER_TOO_SMALL;
 }
@@ -291,9 +298,16 @@ TisPcReceiveV (
 case 'r':
 Size = VA_ARG (*ap, UINTN);
- if(*DataIndex + (UINT32) Size <= RespSize) {
- break;
+ //
+ // If overflowed, which means Size is big enough for Response data.
+ // skip this check. Copy the whole data
+ //
+ if ((UINT32) (~0)- *DataIndex >= (UINT32)Size) {
+ if(*DataIndex + (UINT32) Size <= RespSize) {
+ break;
+ }
 }
+
 *DataFinished = TRUE;
 if (*DataIndex >= RespSize) {
 return EFI_SUCCESS;
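Review bot: The guard added at the top of TcgDxePassThroughToTpm rejects only NULL pointers and zero sizes, so nothing in this function bounds the caller-supplied block sizes and the code does not say where that bound is applied. If the limit is meant to be the TPMCMDBUFLENGTH test in TisPcSendV, reached through TisPcExecute, a comment above the guard should record it, for example `// Only NULL and zero-length are rejected here; the upper bound on the command size is enforced in TisPcSendV.` The function's header comment lies outside the hunk and presumably also needs a `@retval EFI_INVALID_PARAMETER` entry for the new return path. The body of the function continues past the end of the hunk.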
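Review bot: The `(UINT32)Size` casts in the new TisPcSendV check truncate before comparing, so if Size is a UINTN here (it is read with `VA_ARG (*ap, UINTN)` in the TisPcReceiveV hunk), a value wider than 32 bits can wrap to a small number and pass both this check and the TPMCMDBUFLENGTH test after it. Whether that is reachable depends on how Size is used after the hunk, which is not visible, but bounding it at full width first removes the doubt: `if (Size > TPMCMDBUFLENGTH || *DataLength > TPMCMDBUFLENGTH - (UINT32) Size) { return EFI_BUFFER_TOO_SMALL; }`. The same truncating cast appears in the TisPcReceiveV hunk in `(UINT32) (~0)- *DataIndex >= (UINT32)Size`, where a wrapped Size would take the `break` path instead of the "copy the whole data" path its comment describes. Both functions start and end outside their hunks.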