Clear out the variable SmmCommunicateVerifyPassword, which contains the
password, before the goto EXIT, to avoid a vulnerability.

Signed-off-by: Nayana Patel <nayana.pa...@intel.com>
---
 .../UserAuthenticationDxeSmm/UserAuthenticationSmm.c            | 2 ++
 1 file changed, 2 insertions(+)

diff --git 
a/Features/Intel/UserInterface/UserAuthFeaturePkg/UserAuthenticationDxeSmm/UserAuthenticationSmm.c
 
b/Features/Intel/UserInterface/UserAuthFeaturePkg/UserAuthenticationDxeSmm/UserAuthenticationSmm.c
index 98f40c1812..ba01d599e0 100644
--- 
a/Features/Intel/UserInterface/UserAuthFeaturePkg/UserAuthenticationDxeSmm/UserAuthenticationSmm.c
+++ 
b/Features/Intel/UserInterface/UserAuthFeaturePkg/UserAuthenticationDxeSmm/UserAuthenticationSmm.c
@@ -555,6 +555,7 @@ SmmPasswordHandler (
     if (PasswordLen == sizeof(SmmCommunicateVerifyPassword.Password)) {
       DEBUG ((DEBUG_ERROR, "SmmPasswordHandler: Password invalid!\n"));
       Status = EFI_INVALID_PARAMETER;
+      ZeroMem (&SmmCommunicateVerifyPassword, sizeof 
(SmmCommunicateVerifyPassword));
       goto EXIT;
     }
     if (!IsPasswordVerified (UserGuid, SmmCommunicateVerifyPassword.Password, 
PasswordLen + 1)) {
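Review bot: The password copy is wiped only on the two failure branches this patch touches (the `Password invalid!` branch here and the `IsPasswordVerified` failure branch in the hunk at -565), so the success path after `mPasswordVerified = TRUE;` and any other exit from this case may still leave the plaintext in `SmmCommunicateVerifyPassword`. Those lines are outside both hunks, so this needs confirming against the full body of SmmPasswordHandler. A single `ZeroMem (&SmmCommunicateVerifyPassword, sizeof (SmmCommunicateVerifyPassword));` at the point where all paths of this case converge (or at the `EXIT:` label, if the variable is in scope there) would cover every exit and remove the duplicated call. If the two calls stay as they are, a short comment such as `// Scrub the plaintext password copy before leaving the handler.` would record why they must not be dropped in later cleanups.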
@@ -565,6 +566,7 @@ SmmPasswordHandler (
       } else {
         Status = EFI_SECURITY_VIOLATION;
       }
+      ZeroMem (&SmmCommunicateVerifyPassword, sizeof 
(SmmCommunicateVerifyPassword));
       goto EXIT;
     }
     mPasswordVerified = TRUE;
-- 
2.39.1.windows.1


