Clear out the variable SmmCommunicateVerifyPassword, which contains the password, before each goto EXIT, to avoid a vulnerability.
Signed-off-by: Nayana Patel <nayana.pa...@intel.com>
---
 .../UserAuthenticationDxeSmm/UserAuthenticationSmm.c | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/Features/Intel/UserInterface/UserAuthFeaturePkg/UserAuthenticationDxeSmm/UserAuthenticationSmm.c b/Features/Intel/UserInterface/UserAuthFeaturePkg/UserAuthenticationDxeSmm/UserAuthenticationSmm.c
index 98f40c1812..ba01d599e0 100644
--- a/Features/Intel/UserInterface/UserAuthFeaturePkg/UserAuthenticationDxeSmm/UserAuthenticationSmm.c
+++ b/Features/Intel/UserInterface/UserAuthFeaturePkg/UserAuthenticationDxeSmm/UserAuthenticationSmm.c
@@ -555,6 +555,7 @@ SmmPasswordHandler (
 if (PasswordLen == sizeof(SmmCommunicateVerifyPassword.Password)) {
 DEBUG ((DEBUG_ERROR, "SmmPasswordHandler: Password invalid!\n"));
 Status = EFI_INVALID_PARAMETER;
+ ZeroMem (&SmmCommunicateVerifyPassword, sizeof (SmmCommunicateVerifyPassword));
 goto EXIT;
 }
 if (!IsPasswordVerified (UserGuid, SmmCommunicateVerifyPassword.Password, PasswordLen + 1)) {
@@ -565,6 +566,7 @@ SmmPasswordHandler (
 } else {
 Status = EFI_SECURITY_VIOLATION;
 }
+ ZeroMem (&SmmCommunicateVerifyPassword, sizeof (SmmCommunicateVerifyPassword));
 goto EXIT;
 }
 mPasswordVerified = TRUE;
-- 
2.39.1.windows.1
-=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#116881): https://edk2.groups.io/g/devel/message/116881 Mute This Topic: https://groups.io/mt/105020521/21656 Group Owner: devel+ow...@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
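Review bot: The buffer is cleared only on the two failure exits touched here (the `Password invalid!` branch in the first hunk and the failed `IsPasswordVerified` branch in the second), so the path that continues after `mPasswordVerified = TRUE;` is not shown clearing `SmmCommunicateVerifyPassword`, and any other `goto EXIT` reached after the password was copied in would need its own call. SmmPasswordHandler starts and ends outside both hunks, so this needs checking against the full function; if the variable is in scope at the `EXIT` label, a single `ZeroMem (&SmmCommunicateVerifyPassword, sizeof (SmmCommunicateVerifyPassword));` there would cover every path, success included, and remove the per-branch duplication. If the variable is a local that nothing reads afterwards, it is also worth confirming that an optimising build (link-time optimisation in particular) does not drop the store as dead.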