Fix TCG protocol PassThroughToTpm() SDL issue

Signed-off-by: Chao Zhang <chao.b.zhang@intel.com> Reviewed-by : Dong Guo <guo.dong@intel.com> Reviewed-by : Fu, Siyuan <siyuan.fu@intel.com> git-svn-id: https://edk2.svn.sourceforge.net/svnroot/edk2/trunk/edk2@13646 6f19259b-4bc3-4df7-8a09-765794883524
2012-08-17 07:59:51 +00:00 · 2012-08-17 07:59:51 +00:00 · be02dcee3a
parent f58f3de07e
commit be02dcee3a
2 changed files with 31 additions and 3 deletions
--- a/SecurityPkg/Tcg/TcgDxe/TcgDxe.c
+++ b/SecurityPkg/Tcg/TcgDxe/TcgDxe.c
@ -1,6 +1,13 @@
 /** @file  
  This module implements TCG EFI Protocol.
-  
+ 
+Caution: This module requires additional review when modified.
+This driver will have external input - TcgDxePassThroughToTpm
+This external input must be validated carefully to avoid security issue like
+buffer overflow, integer overflow.
+
+TcgDxePassThroughToTpm() will receive untrusted input and do basic validation.
+
 Copyright (c) 2005 - 2012, Intel Corporation. All rights reserved.<BR>
 This program and the accompanying materials 
 are licensed and made available under the terms and conditions of the BSD License 
@ -384,6 +391,13 @@ TcgDxePassThroughToTpm (
 {
  TCG_DXE_DATA                      *TcgData;

+  if (TpmInputParameterBlock == NULL || 
+      TpmOutputParameterBlock == NULL || 
+      TpmInputParameterBlockSize == 0 ||
+      TpmOutputParameterBlockSize == 0) {
+    return EFI_INVALID_PARAMETER;
+  }
+
  TcgData = TCG_DXE_DATA_FROM_THIS (This);

  return TisPcExecute (
--- a/SecurityPkg/Tcg/TcgDxe/TisDxe.c
+++ b/SecurityPkg/Tcg/TcgDxe/TisDxe.c
@ -233,6 +233,13 @@ TisPcSendV (
      return EFI_INVALID_PARAMETER;
  }

+  //
+  // Check input to avoid overflow.
+  //
+  if ((UINT32) (~0)- *DataLength < (UINT32)Size) {
+    return EFI_INVALID_PARAMETER;
+  }
+
  if(*DataLength + (UINT32) Size > TPMCMDBUFLENGTH) {
    return EFI_BUFFER_TOO_SMALL;
  }
@ -291,9 +298,16 @@ TisPcReceiveV (

    case 'r':
      Size = VA_ARG (*ap, UINTN);
-      if(*DataIndex + (UINT32) Size <= RespSize) {
-        break;
+      //
+      // If overflowed, which means Size is big enough for Response data. 
+      // skip this check. Copy the whole data 
+      //
+      if ((UINT32) (~0)- *DataIndex >= (UINT32)Size) {
+        if(*DataIndex + (UINT32) Size <= RespSize) {
+          break;
+        }
      }
+
      *DataFinished = TRUE;
      if (*DataIndex >= RespSize) {
        return EFI_SUCCESS;