SecurityPkg Tpm2CommandLib: Fix TPM2.0 response memory overflow

TPM2.0 command lib always assumes TPM device and transmission channel can
respond correctly. But it is not true when communication channel is exploited
and wrong data is spoofed. Add more logic to prohibit memory overflow attack.

Cc: Long Qin <qin.long@intel.com>
Cc: Yao Jiewen <jiewen.yao@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Chao Zhang <chao.b.zhang@intel.com>
Reviewed-by: Long Qin <qin.long@intel.com>
Reviewed-by: Yao Jiewen <jiewen.yao@intel.com>
(cherry picked from commit dd577319e83d13a7ab46ffdccb6635281d2ca9e5)

7 files changed, 111 insertions, 9 deletions

diff --git a/SecurityPkg/Library/Tpm2CommandLib/Tpm2Capability.c b/SecurityPkg/Library/Tpm2CommandLib/Tpm2Capability.c
index 97a0d23..1848cba 100644
--- a/SecurityPkg/Library/Tpm2CommandLib/Tpm2Capability.c
+++ b/SecurityPkg/Library/Tpm2CommandLib/Tpm2Capability.c
@@ -1,7 +1,7 @@
 /** @file

   Implement TPM2 Capability related command.

 

-Copyright (c) 2013 - 2016, Intel Corporation. All rights reserved. <BR>

+Copyright (c) 2013 - 2018, Intel Corporation. All rights reserved. <BR>

 This program and the accompanying materials

 are licensed and made available under the terms and conditions of the BSD License

 which accompanies this distribution.  The full text of the license may be found at

@@ -113,6 +113,14 @@ Tpm2GetCapability (
   }

 

   //

+  // Fail if command failed

+  //

+  if (SwapBytes32(RecvBuffer.Header.responseCode) != TPM_RC_SUCCESS) {

+    DEBUG ((EFI_D_ERROR, "Tpm2GetCapability: Response Code error! 0x%08x\r\n", SwapBytes32(RecvBuffer.Header.responseCode)));

+    return EFI_DEVICE_ERROR;

+  }

+

+  //

   // Return the response

   //

   *MoreData = RecvBuffer.MoreData;

@@ -329,6 +337,11 @@ Tpm2GetCapabilitySupportedAlg (
   CopyMem (AlgList, &TpmCap.data.algorithms, sizeof (TPML_ALG_PROPERTY));

 

   AlgList->count = SwapBytes32 (AlgList->count);

+  if (AlgList->count > MAX_CAP_ALGS) {

+    DEBUG ((DEBUG_ERROR, "Tpm2GetCapabilitySupportedAlg - AlgList->count error %x\n", AlgList->count));

+    return EFI_DEVICE_ERROR; 

+  }

+

   for (Index = 0; Index < AlgList->count; Index++) {

     AlgList->algProperties[Index].alg = SwapBytes16 (AlgList->algProperties[Index].alg);

     WriteUnaligned32 ((UINT32 *)&AlgList->algProperties[Index].algProperties, SwapBytes32 (ReadUnaligned32 ((UINT32 *)&AlgList->algProperties[Index].algProperties)));

@@ -476,9 +489,18 @@ Tpm2GetCapabilityPcrs (
   }

 

   Pcrs->count = SwapBytes32 (TpmCap.data.assignedPCR.count);

+  if (Pcrs->count > HASH_COUNT) {

+    DEBUG ((DEBUG_ERROR, "Tpm2GetCapabilityPcrs - Pcrs->count error %x\n", Pcrs->count));

+    return EFI_DEVICE_ERROR;

+  }

+

   for (Index = 0; Index < Pcrs->count; Index++) {

     Pcrs->pcrSelections[Index].hash = SwapBytes16 (TpmCap.data.assignedPCR.pcrSelections[Index].hash);

     Pcrs->pcrSelections[Index].sizeofSelect = TpmCap.data.assignedPCR.pcrSelections[Index].sizeofSelect;

+    if (Pcrs->pcrSelections[Index].sizeofSelect > PCR_SELECT_MAX) {

+      DEBUG ((DEBUG_ERROR, "Tpm2GetCapabilityPcrs - sizeofSelect error %x\n", Pcrs->pcrSelections[Index].sizeofSelect));

+      return EFI_DEVICE_ERROR;

+    }

     CopyMem (Pcrs->pcrSelections[Index].pcrSelect, TpmCap.data.assignedPCR.pcrSelections[Index].pcrSelect, Pcrs->pcrSelections[Index].sizeofSelect);

   }

 

diff --git a/SecurityPkg/Library/Tpm2CommandLib/Tpm2EnhancedAuthorization.c b/SecurityPkg/Library/Tpm2CommandLib/Tpm2EnhancedAuthorization.c
index 6f6b369..a7a7bf2 100644
--- a/SecurityPkg/Library/Tpm2CommandLib/Tpm2EnhancedAuthorization.c
+++ b/SecurityPkg/Library/Tpm2CommandLib/Tpm2EnhancedAuthorization.c
@@ -1,7 +1,7 @@
 /** @file

   Implement TPM2 EnhancedAuthorization related command.

 

-Copyright (c) 2014 - 2016, Intel Corporation. All rights reserved. <BR>

+Copyright (c) 2014 - 2018, Intel Corporation. All rights reserved. <BR>

 This program and the accompanying materials

 are licensed and made available under the terms and conditions of the BSD License

 which accompanies this distribution.  The full text of the license may be found at

@@ -180,6 +180,12 @@ Tpm2PolicySecret (
   //

   Buffer = (UINT8 *)&RecvBuffer.Timeout;

   Timeout->size = SwapBytes16(ReadUnaligned16 ((UINT16 *)Buffer));

+  if (Timeout->size > sizeof(UINT64)) {

+    DEBUG ((DEBUG_ERROR, "Tpm2PolicySecret - Timeout->size error %x\n", Timeout->size));

+    Status = EFI_DEVICE_ERROR;

+    goto Done;

+  }

+

   Buffer += sizeof(UINT16);

   CopyMem (Timeout->buffer, Buffer, Timeout->size);

 

@@ -189,6 +195,12 @@ Tpm2PolicySecret (
   Buffer += sizeof(UINT32);

   PolicyTicket->digest.size = SwapBytes16(ReadUnaligned16 ((UINT16 *)Buffer));

   Buffer += sizeof(UINT16);

+  if (PolicyTicket->digest.size > sizeof(TPMU_HA)) {

+    DEBUG ((DEBUG_ERROR, "Tpm2PolicySecret - digest.size error %x\n", PolicyTicket->digest.size));

+    Status = EFI_DEVICE_ERROR;

+    goto Done;

+  }

+

   CopyMem (PolicyTicket->digest.buffer, Buffer, PolicyTicket->digest.size);

 

 Done:

@@ -379,6 +391,11 @@ Tpm2PolicyGetDigest (
   // Return the response

   //

   PolicyHash->size = SwapBytes16 (RecvBuffer.PolicyHash.size);

+  if (PolicyHash->size > sizeof(TPMU_HA)) {

+    DEBUG ((DEBUG_ERROR, "Tpm2PolicyGetDigest - PolicyHash->size error %x\n", PolicyHash->size));

+    return EFI_DEVICE_ERROR;

+  }

+

   CopyMem (PolicyHash->buffer, &RecvBuffer.PolicyHash.buffer, PolicyHash->size);

 

   return EFI_SUCCESS;

diff --git a/SecurityPkg/Library/Tpm2CommandLib/Tpm2Help.c b/SecurityPkg/Library/Tpm2CommandLib/Tpm2Help.c
index 5e24290..e207892 100644
--- a/SecurityPkg/Library/Tpm2CommandLib/Tpm2Help.c
+++ b/SecurityPkg/Library/Tpm2CommandLib/Tpm2Help.c
@@ -1,7 +1,7 @@
 /** @file

   Implement TPM2 help.

 

-Copyright (c) 2013 - 2014, Intel Corporation. All rights reserved. <BR>

+Copyright (c) 2013 - 2018, Intel Corporation. All rights reserved. <BR>

 This program and the accompanying materials

 are licensed and made available under the terms and conditions of the BSD License

 which accompanies this distribution.  The full text of the license may be found at

@@ -126,7 +126,8 @@ CopyAuthSessionCommand (
   @param [in]  AuthSessionIn   Input AuthSession data in TPM2 response buffer

   @param [out] AuthSessionOut  Output AuthSession data

 

-  @return AuthSession size

+  @return 0    copy failed

+          else AuthSession size

 **/

 UINT32

 EFIAPI

@@ -147,6 +148,10 @@ CopyAuthSessionResponse (
   // nonce

   AuthSessionOut->nonce.size = SwapBytes16 (ReadUnaligned16 ((UINT16 *)Buffer));

   Buffer += sizeof(UINT16);

+  if (AuthSessionOut->nonce.size > sizeof(TPMU_HA)) {

+    DEBUG ((DEBUG_ERROR, "CopyAuthSessionResponse - nonce.size error %x\n", AuthSessionOut->nonce.size));

+    return 0;

+  }

 

   CopyMem (AuthSessionOut->nonce.buffer, Buffer, AuthSessionOut->nonce.size);

   Buffer += AuthSessionOut->nonce.size;

@@ -158,6 +163,10 @@ CopyAuthSessionResponse (
   // hmac

   AuthSessionOut->hmac.size = SwapBytes16 (ReadUnaligned16 ((UINT16 *)Buffer));

   Buffer += sizeof(UINT16);

+  if (AuthSessionOut->hmac.size > sizeof(TPMU_HA)) {

+    DEBUG ((DEBUG_ERROR, "CopyAuthSessionResponse - hmac.size error %x\n", AuthSessionOut->hmac.size));

+    return 0;

+  }

 

   CopyMem (AuthSessionOut->hmac.buffer, Buffer, AuthSessionOut->hmac.size);

   Buffer += AuthSessionOut->hmac.size;

diff --git a/SecurityPkg/Library/Tpm2CommandLib/Tpm2Integrity.c b/SecurityPkg/Library/Tpm2CommandLib/Tpm2Integrity.c
index fa4318d..75f60e6 100644
--- a/SecurityPkg/Library/Tpm2CommandLib/Tpm2Integrity.c
+++ b/SecurityPkg/Library/Tpm2CommandLib/Tpm2Integrity.c
@@ -1,7 +1,7 @@
 /** @file

   Implement TPM2 Integrity related command.

 

-Copyright (c) 2013 - 2016, Intel Corporation. All rights reserved. <BR>

+Copyright (c) 2013 - 2018, Intel Corporation. All rights reserved. <BR>

 This program and the accompanying materials

 are licensed and made available under the terms and conditions of the BSD License

 which accompanies this distribution.  The full text of the license may be found at

@@ -279,6 +279,11 @@ Tpm2PcrEvent (
   Buffer = (UINT8 *)&Res.Digests;

 

   Digests->count = SwapBytes32 (ReadUnaligned32 ((UINT32 *)Buffer));

+  if (Digests->count > HASH_COUNT) {

+    DEBUG ((DEBUG_ERROR, "Tpm2PcrEvent - Digests->count error %x\n", Digests->count));

+    return EFI_DEVICE_ERROR;

+  }

+

   Buffer += sizeof(UINT32);

   for (Index = 0; Index < Digests->count; Index++) {

     Digests->digests[Index].hashAlg = SwapBytes16 (ReadUnaligned16 ((UINT16 *)Buffer));

@@ -383,6 +388,11 @@ Tpm2PcrRead (
     return EFI_DEVICE_ERROR;

   }

   PcrSelectionOut->count = SwapBytes32(RecvBuffer.PcrSelectionOut.count);

+  if (PcrSelectionOut->count > HASH_COUNT) {

+    DEBUG ((DEBUG_ERROR, "Tpm2PcrRead - PcrSelectionOut->count error %x\n", PcrSelectionOut->count));

+    return EFI_DEVICE_ERROR;

+  }

+

   if (RecvBufferSize < sizeof (TPM2_RESPONSE_HEADER) + sizeof(RecvBuffer.PcrUpdateCounter) + sizeof(RecvBuffer.PcrSelectionOut.count) + sizeof(RecvBuffer.PcrSelectionOut.pcrSelections[0]) * PcrSelectionOut->count) {

     DEBUG ((EFI_D_ERROR, "Tpm2PcrRead - RecvBufferSize Error - %x\n", RecvBufferSize));

     return EFI_DEVICE_ERROR;

@@ -390,6 +400,9 @@ Tpm2PcrRead (
   for (Index = 0; Index < PcrSelectionOut->count; Index++) {

     PcrSelectionOut->pcrSelections[Index].hash = SwapBytes16(RecvBuffer.PcrSelectionOut.pcrSelections[Index].hash);

     PcrSelectionOut->pcrSelections[Index].sizeofSelect = RecvBuffer.PcrSelectionOut.pcrSelections[Index].sizeofSelect;

+    if (PcrSelectionOut->pcrSelections[Index].sizeofSelect > PCR_SELECT_MAX) {

+      return EFI_DEVICE_ERROR;

+    }

     CopyMem (&PcrSelectionOut->pcrSelections[Index].pcrSelect, &RecvBuffer.PcrSelectionOut.pcrSelections[Index].pcrSelect, PcrSelectionOut->pcrSelections[Index].sizeofSelect);

   }

 

@@ -398,9 +411,20 @@ Tpm2PcrRead (
   //

   PcrValuesOut = (TPML_DIGEST *)((UINT8 *)&RecvBuffer + sizeof (TPM2_RESPONSE_HEADER) + sizeof(RecvBuffer.PcrUpdateCounter) + sizeof(RecvBuffer.PcrSelectionOut.count) + sizeof(RecvBuffer.PcrSelectionOut.pcrSelections[0]) * PcrSelectionOut->count);

   PcrValues->count = SwapBytes32(PcrValuesOut->count);

+  //

+  // The number of digests in list is not greater than 8 per TPML_DIGEST definition

+  //

+  if (PcrValues->count > 8) {

+    DEBUG ((DEBUG_ERROR, "Tpm2PcrRead - PcrValues->count error %x\n", PcrValues->count));

+    return EFI_DEVICE_ERROR;

+  }

   Digests = PcrValuesOut->digests;

   for (Index = 0; Index < PcrValues->count; Index++) {

     PcrValues->digests[Index].size = SwapBytes16(Digests->size);

+    if (PcrValues->digests[Index].size > sizeof(TPMU_HA)) {

+      DEBUG ((DEBUG_ERROR, "Tpm2PcrRead - Digest.size error %x\n", PcrValues->digests[Index].size));

+      return EFI_DEVICE_ERROR;

+    }

     CopyMem (&PcrValues->digests[Index].buffer, &Digests->buffer, PcrValues->digests[Index].size);

     Digests = (TPM2B_DIGEST *)((UINT8 *)Digests + sizeof(Digests->size) + PcrValues->digests[Index].size);

   }

diff --git a/SecurityPkg/Library/Tpm2CommandLib/Tpm2NVStorage.c b/SecurityPkg/Library/Tpm2CommandLib/Tpm2NVStorage.c
index 9508022..14b1095 100644
--- a/SecurityPkg/Library/Tpm2CommandLib/Tpm2NVStorage.c
+++ b/SecurityPkg/Library/Tpm2CommandLib/Tpm2NVStorage.c
@@ -1,7 +1,7 @@
 /** @file

   Implement TPM2 NVStorage related command.

 

-Copyright (c) 2013 - 2016, Intel Corporation. All rights reserved. <BR>

+Copyright (c) 2013 - 2018, Intel Corporation. All rights reserved. <BR>

 This program and the accompanying materials

 are licensed and made available under the terms and conditions of the BSD License

 which accompanies this distribution.  The full text of the license may be found at

@@ -234,10 +234,19 @@ Tpm2NvReadPublic (
   // Basic check

   //

   NvPublicSize = SwapBytes16 (RecvBuffer.NvPublic.size);

+  if (NvPublicSize > sizeof(TPMS_NV_PUBLIC)) {

+    DEBUG ((DEBUG_ERROR, "Tpm2NvReadPublic - NvPublic.size error %x\n", NvPublicSize));

+    return EFI_DEVICE_ERROR;

+  }

+

   NvNameSize = SwapBytes16 (ReadUnaligned16 ((UINT16 *)((UINT8 *)&RecvBuffer + sizeof(TPM2_RESPONSE_HEADER) + sizeof(UINT16) + NvPublicSize)));

+  if (NvNameSize > sizeof(TPMU_NAME)){

+    DEBUG ((DEBUG_ERROR, "Tpm2NvReadPublic - NvNameSize error %x\n", NvNameSize));

+    return EFI_DEVICE_ERROR;

+  }

 

   if (RecvBufferSize != sizeof(TPM2_RESPONSE_HEADER) + sizeof(UINT16) + NvPublicSize + sizeof(UINT16) + NvNameSize) {

-    DEBUG ((EFI_D_ERROR, "Tpm2NvReadPublic - RecvBufferSize Error - NvPublicSize %x, NvNameSize %x\n", RecvBufferSize, NvNameSize));

+    DEBUG ((EFI_D_ERROR, "Tpm2NvReadPublic - RecvBufferSize Error - NvPublicSize %x\n", RecvBufferSize));

     return EFI_NOT_FOUND;

   }

 

@@ -632,6 +641,12 @@ Tpm2NvRead (
   // Return the response

   //

   OutData->size = SwapBytes16 (RecvBuffer.Data.size);

+  if (OutData->size > MAX_DIGEST_BUFFER) {

+    DEBUG ((DEBUG_ERROR, "Tpm2NvRead - OutData->size error %x\n", OutData->size));

+    Status = EFI_DEVICE_ERROR;

+    goto Done;

+  }

+

   CopyMem (OutData->buffer, &RecvBuffer.Data.buffer, OutData->size);

   

 Done:

diff --git a/SecurityPkg/Library/Tpm2CommandLib/Tpm2Sequences.c b/SecurityPkg/Library/Tpm2CommandLib/Tpm2Sequences.c
index 305b6f2..9087776 100644
--- a/SecurityPkg/Library/Tpm2CommandLib/Tpm2Sequences.c
+++ b/SecurityPkg/Library/Tpm2CommandLib/Tpm2Sequences.c
@@ -1,7 +1,7 @@
 /** @file

   Implement TPM2 Sequences related command.

 

-Copyright (c) 2013, Intel Corporation. All rights reserved. <BR>

+Copyright (c) 2013 - 2018, Intel Corporation. All rights reserved. <BR>

 This program and the accompanying materials

 are licensed and made available under the terms and conditions of the BSD License

 which accompanies this distribution.  The full text of the license may be found at

@@ -375,6 +375,11 @@ Tpm2EventSequenceComplete (
 

   // count

   Results->count = SwapBytes32(ReadUnaligned32 ((UINT32 *)BufferPtr));

+  if (Results->count > HASH_COUNT) {

+    DEBUG ((DEBUG_ERROR, "Tpm2EventSequenceComplete - Results->count error %x\n", Results->count));

+    return EFI_DEVICE_ERROR;

+  }

+

   BufferPtr += sizeof(UINT32);

 

   for (Index = 0; Index < Results->count; Index++) {

@@ -496,6 +501,11 @@ Tpm2SequenceComplete (
 

   // digestSize

   Result->size = SwapBytes16(ReadUnaligned16 ((UINT16 *)BufferPtr));

+  if (Result->size > sizeof(TPMU_HA)){

+    DEBUG ((DEBUG_ERROR, "Tpm2SequenceComplete - Result->size error %x\n", Result->size));

+    return EFI_DEVICE_ERROR;

+  }

+

   BufferPtr += sizeof(UINT16);

 

   CopyMem(

diff --git a/SecurityPkg/Library/Tpm2CommandLib/Tpm2Session.c b/SecurityPkg/Library/Tpm2CommandLib/Tpm2Session.c
index f03b668..35ad86a 100644
--- a/SecurityPkg/Library/Tpm2CommandLib/Tpm2Session.c
+++ b/SecurityPkg/Library/Tpm2CommandLib/Tpm2Session.c
@@ -1,7 +1,7 @@
 /** @file

   Implement TPM2 Session related command.

 

-Copyright (c) 2014, Intel Corporation. All rights reserved. <BR>

+Copyright (c) 2014 - 2018, Intel Corporation. All rights reserved. <BR>

 This program and the accompanying materials

 are licensed and made available under the terms and conditions of the BSD License

 which accompanies this distribution.  The full text of the license may be found at

@@ -163,6 +163,11 @@ Tpm2StartAuthSession (
   //

   *SessionHandle = SwapBytes32 (RecvBuffer.SessionHandle);

   NonceTPM->size = SwapBytes16 (RecvBuffer.NonceTPM.size);

+  if (NonceTPM->size > sizeof(TPMU_HA)) {

+    DEBUG ((DEBUG_ERROR, "Tpm2StartAuthSession - NonceTPM->size error %x\n", NonceTPM->size));

+    return EFI_DEVICE_ERROR;

+  }

+

   CopyMem (NonceTPM->buffer, &RecvBuffer.NonceTPM.buffer, NonceTPM->size);

 

   return EFI_SUCCESS;