
Bug with data unmarshaling and buffer read overrun in SecurityPkg/Library/Tpm2CommandLib/Tpm2Object.c #5509

Closed
wmjdgla opened this issue Apr 2, 2024 · 1 comment

Comments

@wmjdgla

wmjdgla commented Apr 2, 2024

```c
switch (OutPublic->publicArea.type) {
  case TPM_ALG_KEYEDHASH:
    OutPublic->publicArea.parameters.keyedHashDetail.scheme.scheme = SwapBytes16 (ReadUnaligned16 ((UINT16 *)Buffer));
    Buffer += sizeof (UINT16);
    switch (OutPublic->publicArea.parameters.keyedHashDetail.scheme.scheme) {
      case TPM_ALG_HMAC:
        OutPublic->publicArea.parameters.keyedHashDetail.scheme.details.hmac.hashAlg = SwapBytes16 (ReadUnaligned16 ((UINT16 *)Buffer));
        Buffer += sizeof (UINT16);
        break;
      case TPM_ALG_XOR:
        OutPublic->publicArea.parameters.keyedHashDetail.scheme.details.xor.hashAlg = SwapBytes16 (ReadUnaligned16 ((UINT16 *)Buffer));
        Buffer += sizeof (UINT16);
        OutPublic->publicArea.parameters.keyedHashDetail.scheme.details.xor.kdf = SwapBytes16 (ReadUnaligned16 ((UINT16 *)Buffer));
        Buffer += sizeof (UINT16);
        break;
      default:
        return EFI_UNSUPPORTED;
    }
    /* no break here: execution continues into the TPM_ALG_SYMCIPHER case */
  case TPM_ALG_SYMCIPHER:
    OutPublic->publicArea.parameters.symDetail.algorithm = SwapBytes16 (ReadUnaligned16 ((UINT16 *)Buffer));
    Buffer += sizeof (UINT16);
    switch (OutPublic->publicArea.parameters.symDetail.algorithm) {
      case TPM_ALG_AES:
        OutPublic->publicArea.parameters.symDetail.keyBits.aes = SwapBytes16 (ReadUnaligned16 ((UINT16 *)Buffer));
        Buffer += sizeof (UINT16);
        OutPublic->publicArea.parameters.symDetail.mode.aes = SwapBytes16 (ReadUnaligned16 ((UINT16 *)Buffer));
        Buffer += sizeof (UINT16);
        break;
```

case TPM_ALG_KEYEDHASH is missing the break statement at the end (line 180), causing the code execution to flow to the next case (TPM_ALG_SYMCIPHER). OutPublic->publicArea.parameters.keyedHashDetail is a union with OutPublic->publicArea.parameters.symDetail, so this means the unmarshaled data in case TPM_ALG_KEYEDHASH would be overwritten in case TPM_ALG_SYMCIPHER.

In addition, the buffer pointer is advanced in each TPM_ALG_XXX case, so the incorrect flow through to case TPM_ALG_SYMCIPHER would advance the buffer more than it should, causing subsequent unmarshaling to go beyond the correct bounds.
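The fall-through described above, as an added example that is not code from EDK2 or from the issue: it rebuilds the two cases with cut-down stand-in types (a union that aliases the keyed-hash and symmetric-cipher fields the same way the real parameters union does), runs both the buggy switch and the corrected one over constructed wire bytes for an HMAC-SHA256 key, and reports how many bytes each consumed and what ended up in the union. The names (Demo*, Read16, ParseKeyedHash, ParseSym, UnmarshalParams*, RunOnHmacKey, kHmacParamsAndUnique), the DEMO_* status codes, the bounds check in Read16, and the rejection of non-AES symmetric algorithms are assumptions of this example; the TPM_ALG_* values are the TCG specification constants.

```c
#include <stdint.h>
#include <stdio.h>

/* TPM 2.0 algorithm IDs (TCG TPM 2.0 Library, Part 2, TPM_ALG_ID). */
#define TPM_ALG_HMAC      0x0005
#define TPM_ALG_AES       0x0006
#define TPM_ALG_KEYEDHASH 0x0008
#define TPM_ALG_XOR       0x000A
#define TPM_ALG_SHA256    0x000B
#define TPM_ALG_SYMCIPHER 0x0025

enum { DEMO_OK = 0, DEMO_UNSUPPORTED = 1, DEMO_TRUNCATED = 2 };
/* Cut-down stand-ins for the EDK2 types (assumed shapes); the two members overlay each other as keyedHashDetail and symDetail do. */
typedef struct { uint16_t scheme;    uint16_t hashAlg; uint16_t kdf;  } DemoKeyedHash;
typedef struct { uint16_t algorithm; uint16_t keyBits; uint16_t mode; } DemoSym;
typedef union  { DemoKeyedHash keyedHashDetail; DemoSym symDetail;   } DemoParams;

/* Big-endian UINT16 read (what SwapBytes16(ReadUnaligned16()) does on a little-endian host),
 * with a bounds check the reported code lacks so an over-read becomes DEMO_TRUNCATED. */
static int Read16(const uint8_t **Buf, const uint8_t *End, uint16_t *Out) {
  if (End - *Buf < 2) return DEMO_TRUNCATED;
  *Out = (uint16_t)(((*Buf)[0] << 8) | (*Buf)[1]);
  *Buf += 2;
  return DEMO_OK;
}

/* TPM_ALG_KEYEDHASH parameters: scheme, then HMAC hashAlg or XOR hashAlg + kdf. */
static int ParseKeyedHash(const uint8_t **Buf, const uint8_t *End, DemoKeyedHash *K) {
  int Rc = Read16(Buf, End, &K->scheme);
  if (Rc != DEMO_OK) return Rc;
  switch (K->scheme) {
  case TPM_ALG_HMAC: return Read16(Buf, End, &K->hashAlg);
  case TPM_ALG_XOR:  Rc = Read16(Buf, End, &K->hashAlg);
                     return Rc != DEMO_OK ? Rc : Read16(Buf, End, &K->kdf);
  default:           return DEMO_UNSUPPORTED;
  }
}

/* TPM_ALG_SYMCIPHER parameters: algorithm, then AES keyBits + mode (only AES is shown in the issue; rejecting others is an assumption). */
static int ParseSym(const uint8_t **Buf, const uint8_t *End, DemoSym *S) {
  int Rc = Read16(Buf, End, &S->algorithm);
  if (Rc != DEMO_OK) return Rc;
  if (S->algorithm != TPM_ALG_AES) return DEMO_UNSUPPORTED;
  Rc = Read16(Buf, End, &S->keyBits);
  return Rc != DEMO_OK ? Rc : Read16(Buf, End, &S->mode);
}

/* Shape of the reported code: the keyed-hash case has no break. */
int UnmarshalParamsBuggy(uint16_t Type, const uint8_t **Buf, const uint8_t *End, DemoParams *P) {
  int Rc = DEMO_UNSUPPORTED;
  switch (Type) {
  case TPM_ALG_KEYEDHASH:
    if ((Rc = ParseKeyedHash(Buf, End, &P->keyedHashDetail)) != DEMO_OK) return Rc;
    /* falls through - the bug: execution continues into the SYMCIPHER case */
  case TPM_ALG_SYMCIPHER:
    Rc = ParseSym(Buf, End, &P->symDetail);
  }
  return Rc;
}

/* Same logic with the break the fix adds. */
int UnmarshalParamsFixed(uint16_t Type, const uint8_t **Buf, const uint8_t *End, DemoParams *P) {
  int Rc = DEMO_UNSUPPORTED;
  switch (Type) {
  case TPM_ALG_KEYEDHASH:
    Rc = ParseKeyedHash(Buf, End, &P->keyedHashDetail);
    break;                                   /* the missing statement */
  case TPM_ALG_SYMCIPHER:
    Rc = ParseSym(Buf, End, &P->symDetail);
  }
  return Rc;
}

/* Constructed wire bytes: parameters of an HMAC-SHA256 key, then the field that follows in TPMT_PUBLIC (unique, a TPM2B). */
static const uint8_t kHmacParamsAndUnique[] = {
  0x00, 0x05,   /* keyedHashDetail.scheme.scheme = TPM_ALG_HMAC */
  0x00, 0x0B,   /* details.hmac.hashAlg = TPM_ALG_SHA256 */
  0x00, 0x20,   /* unique.size = 32: the next field, not part of parameters */
  0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11,
  0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11,
};

typedef struct { int Rc; int Consumed; DemoParams Params; } DemoResult;
/* Runs Fn over the first Len bytes of the constructed buffer; reports status, bytes consumed, and the decoded union. */
DemoResult RunOnHmacKey(int (*Fn)(uint16_t, const uint8_t **, const uint8_t *, DemoParams *), size_t Len) {
  DemoResult R = {0};
  const uint8_t *Buf = kHmacParamsAndUnique;
  R.Rc = Fn(TPM_ALG_KEYEDHASH, &Buf, kHmacParamsAndUnique + Len, &R.Params);
  R.Consumed = (int)(Buf - kHmacParamsAndUnique);
  return R;
}

int main(void) {
  DemoResult B = RunOnHmacKey(UnmarshalParamsBuggy, sizeof kHmacParamsAndUnique);
  DemoResult F = RunOnHmacKey(UnmarshalParamsFixed, sizeof kHmacParamsAndUnique);
  printf("buggy: rc=%d consumed=%d scheme=0x%04X\nfixed: rc=%d consumed=%d scheme=0x%04X\n",
         B.Rc, B.Consumed, (unsigned)B.Params.keyedHashDetail.scheme, F.Rc, F.Consumed, (unsigned)F.Params.keyedHashDetail.scheme);
  return 0;
}
```

On the full buffer the buggy path rejects a perfectly valid HMAC key: the two-byte size of the following unique field is consumed as a symmetric algorithm ID, which overwrites the scheme through the union and leaves the pointer two bytes past the parameters (more, had those bytes happened to decode as TPM_ALG_AES). With a buffer that ends exactly at the parameters, the extra read is what the bounds check in Read16 catches as DEMO_TRUNCATED; the unchecked ReadUnaligned16 in the reported code would simply read past the end.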

@jyao1
Contributor

jyao1 commented Jun 28, 2024

Yes, agree this is a bug. Do you want to propose a patch?

zodf0055980 added a commit to zodf0055980/edk2 that referenced this issue Sep 2, 2024
According to issue tianocore#5509, case TPM_ALG_KEYEDHASH is missing the break statement.

Signed-off-by: zodf0055980 <[email protected]>
mergify bot pushed a commit that referenced this issue Sep 2, 2024
According to issue #5509, case TPM_ALG_KEYEDHASH is missing the break statement.

Signed-off-by: zodf0055980 <[email protected]>
@jyao1 jyao1 closed this as completed Sep 3, 2024