Fix TCG protocol PassThroughToTpm() SDL issue

Signed-off-by: Chao Zhang <chao.b.zhang@intel.com>
Reviewed-by  : Dong Guo <guo.dong@intel.com>
Reviewed-by  : Fu, Siyuan <siyuan.fu@intel.com>

git-svn-id: https://edk2.svn.sourceforge.net/svnroot/edk2/trunk/edk2@13646 6f19259b-4bc3-4df7-8a09-765794883524
czhang46 2012-08-17 07:59:51 +00:00
parent f58f3de07e
commit be02dcee3a
2 changed files with 31 additions and 3 deletions


@ -1,6 +1,13 @@
/** @file /** @file
This module implements TCG EFI Protocol. This module implements TCG EFI Protocol.
Caution: This module requires additional review when modified.
This driver will have external input - TcgDxePassThroughToTpm
This external input must be validated carefully to avoid security issue like
buffer overflow, integer overflow.
TcgDxePassThroughToTpm() will receive untrusted input and do basic validation.
Copyright (c) 2005 - 2012, Intel Corporation. All rights reserved.<BR> Copyright (c) 2005 - 2012, Intel Corporation. All rights reserved.<BR>
This program and the accompanying materials This program and the accompanying materials
are licensed and made available under the terms and conditions of the BSD License are licensed and made available under the terms and conditions of the BSD License
@ -384,6 +391,13 @@ TcgDxePassThroughToTpm (
{ {
TCG_DXE_DATA *TcgData; TCG_DXE_DATA *TcgData;
if (TpmInputParameterBlock == NULL ||
TpmOutputParameterBlock == NULL ||
TpmInputParameterBlockSize == 0 ||
TpmOutputParameterBlockSize == 0) {
return EFI_INVALID_PARAMETER;
}
TcgData = TCG_DXE_DATA_FROM_THIS (This); TcgData = TCG_DXE_DATA_FROM_THIS (This);
return TisPcExecute ( return TisPcExecute (
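Review bot: The guard added to TcgDxePassThroughToTpm() does not cover `This`, which is handed to `TCG_DXE_DATA_FROM_THIS (This)` on the line right after the check. If the protocol pointer can also come from an untrusted caller, it belongs in the same condition: `if (This == NULL || TpmInputParameterBlock == NULL || ...`. The two sizes are rejected only when zero, so the upper bound on the command and response lengths presumably rests on what TisPcExecute() enforces further down. A short comment above the guard saying which checks are deferred would make the file header's "basic validation" wording precise. The TisPcExecute call and the end of the function lie outside the hunk, so the downstream bounds were not reviewed here.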


@ -233,6 +233,13 @@ TisPcSendV (
return EFI_INVALID_PARAMETER; return EFI_INVALID_PARAMETER;
} }
//
// Check input to avoid overflow.
//
if ((UINT32) (~0)- *DataLength < (UINT32)Size) {
return EFI_INVALID_PARAMETER;
}
if(*DataLength + (UINT32) Size > TPMCMDBUFLENGTH) { if(*DataLength + (UINT32) Size > TPMCMDBUFLENGTH) {
return EFI_BUFFER_TOO_SMALL; return EFI_BUFFER_TOO_SMALL;
} }
@ -291,9 +298,16 @@ TisPcReceiveV (
case 'r': case 'r':
Size = VA_ARG (*ap, UINTN); Size = VA_ARG (*ap, UINTN);
if(*DataIndex + (UINT32) Size <= RespSize) { //
break; // If overflowed, which means Size is big enough for Response data.
// skip this check. Copy the whole data
//
if ((UINT32) (~0)- *DataIndex >= (UINT32)Size) {
if(*DataIndex + (UINT32) Size <= RespSize) {
break;
}
} }
*DataFinished = TRUE; *DataFinished = TRUE;
if (*DataIndex >= RespSize) { if (*DataIndex >= RespSize) {
return EFI_SUCCESS; return EFI_SUCCESS;
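Review bot: Both new overflow guards test `(UINT32)Size`, but `Size` is read as a `UINTN` (see `Size = VA_ARG (*ap, UINTN)` in the 'r' case), so on a 64-bit build any bits above bit 31 are discarded before the comparison. If the copy that follows outside these hunks uses the full `Size`, the bound checked here is not the bound that applies to the copy. Comparing the untruncated value closes that gap: in TisPcSendV, `if (Size > (UINTN)((UINT32)~0 - *DataLength)) { return EFI_INVALID_PARAMETER; }`, and in TisPcReceiveV the mirrored test `if (Size <= (UINTN)((UINT32)~0 - *DataIndex))`. The comment in TisPcReceiveV would also read better if it stated that an overflowing `Size` is treated as "request exceeds the response", so the code falls through to the `*DataFinished` path. Both functions begin and end outside the hunks, so the copy loops themselves were not reviewed.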