Re: [edk2] [Patch] SecurityPkg Tpm2CommandLib: Fix TPM2.0 response memory overflow

[Zhang, Chao B]

Good catch！ Jiewen, I will add more check in CopyAuthSessionResponse()

From: Yao, Jiewen
Sent: Wednesday, March 21, 2018 2:39 PM
To: Zhang, Chao B ; Long, Qin ; 
edk2-devel@lists.01.org
Subject: RE: [Patch] SecurityPkg Tpm2CommandLib: Fix TPM2.0 response memory 
overflow

Some thought:

1) Would you please add debug message on every error check you added? Just like 
the original code does.

2) For below, can we separate the check, and add error message for each failure?
Tpm2Integrity.c:
  if (PcrSelectionOut->count > HASH_COUNT || RecvBufferSize < sizeof 
(TPM2_RESPONSE_HEADER) + sizeof(RecvBuffer.PcrUpdateCounter) + 
sizeof(RecvBuffer.PcrSelectionOut.count) + 
sizeof(RecvBuffer.PcrSelectionOut.pcrSelections[0]) * PcrSelectionOut->count) {
DEBUG ((EFI_D_ERROR, "Tpm2PcrRead - Digests->count -%x or RecvBufferSize 
Error - %x\n", PcrSelectionOut->count, RecvBufferSize));
return EFI_DEVICE_ERROR;
  }

3) For below, can we separate the check, and add error message for each failure?
Tpm2NvStorage.c
  if (NvNameSize > sizeof(TPMU_NAME) ||
  (RecvBufferSize != sizeof(TPM2_RESPONSE_HEADER) + sizeof(UINT16) + 
NvPublicSize + sizeof(UINT16) + NvNameSize)) {
DEBUG ((EFI_D_ERROR, "Tpm2NvReadPublic - RecvBufferSize Error - 
NvPublicSize %x, NvNameSize %x\n", RecvBufferSize, NvNameSize));
return EFI_NOT_FOUND;
  }


4) Do you think if we need add check for nonce.size below as well?
Tpm2Help.c

  // nonce
  AuthSessionOut->nonce.size = SwapBytes16 (ReadUnaligned16 ((UINT16 *)Buffer));
  Buffer += sizeof(UINT16);

  CopyMem (AuthSessionOut->nonce.buffer, Buffer, AuthSessionOut->nonce.size);
  Buffer += AuthSessionOut->nonce.size;


Thank you
Yao Jiewen


> -Original Message-
> From: Zhang, Chao B
> Sent: Wednesday, March 21, 2018 11:03 AM
> To: Long, Qin >; 
> edk2-devel@lists.01.org
> Cc: Yao, Jiewen >
> Subject: RE: [Patch] SecurityPkg Tpm2CommandLib: Fix TPM2.0 response
> memory overflow
>
> Thanks Qin, I will add more comments to explain the magic code
>
> -Original Message-
> From: Long, Qin
> Sent: Wednesday, March 21, 2018 10:58 AM
> To: Zhang, Chao B >; 
> edk2-devel@lists.01.org
> Cc: Yao, Jiewen >
> Subject: RE: [Patch] SecurityPkg Tpm2CommandLib: Fix TPM2.0 response
> memory overflow
>
> Hi, Chao,
>
> One minor suggestion to add the comment to explain the following value "8": 
> the
> number of digests in list is not greater than 8 per TPML_DIGEST definition.
> +  if (PcrValues->count > 8) {
> +return EFI_DEVICE_ERROR;
> +  }
>
> Other looks good to me.
>
> Reviewed-by: Long Qin >
>
>
> Best Regards & Thanks,
> LONG, Qin
>
> -Original Message-
> From: Zhang, Chao B
> Sent: Tuesday, March 20, 2018 4:36 PM
> To: edk2-devel@lists.01.org
> Cc: Long, Qin >; Yao, Jiewen 
> >;
> Zhang, Chao B >
> Subject: [Patch] SecurityPkg Tpm2CommandLib: Fix TPM2.0 response memory
> overflow
>
> TPM2.0 command lib always assumes TPM device and transmission channel can
> respond correctly. But it is not true when communication channel is exploited
> and wrong data is spoofed. Add more logic to prohibit memory overflow attack.
>
> Cc: Long Qin >
> Cc: Yao Jiewen >
> Contributed-under: TianoCore Contribution Agreement 1.1
> Signed-off-by: Chao Zhang 
> >
> Signed-off-by: Zhang, Chao B 
> >
> ---
>  .../Library/Tpm2CommandLib/Tpm2Capability.c| 21
> ++-
>  .../Tpm2CommandLib/Tpm2EnhancedAuthorization.c | 16 ++-
>  SecurityPkg/Library/Tpm2CommandLib/Tpm2Integrity.c | 19 ++---
> SecurityPkg/Library/Tpm2CommandLib/Tpm2NVStorage.c | 14 --
>  SecurityPkg/Library/Tpm2CommandLib/Tpm2Object.c| 31
> +-
>  SecurityPkg/Library/Tpm2CommandLib/Tpm2Sequences.c | 10 ++-
>  SecurityPkg/Library/Tpm2CommandLib/Tpm2Session.c   |  6 -
>  7 files changed, 107 insertions(+), 10 deletions(-)
>
> diff --git a/SecurityPkg/Library/Tpm2CommandLib/Tpm2Capability.c
> b/SecurityPkg/Library/Tpm2CommandLib/Tpm2Capability.c
> index 79e80fb7a9..42afe107a6 100644
> --- a/SecurityPkg/Library/Tpm2CommandLib/Tpm2Capability.c
> +++ b/SecurityPkg/Library/Tpm2CommandLib/Tpm2Capability.c
> @@ -1,9 +1,9 @@
>  /** @file
>Implement TPM2 Capability related command.
>
> -Copyright (c) 2013 - 2016, Intel Corporation. All rights 

Re: [edk2] [Patch] SecurityPkg Tpm2CommandLib: Fix TPM2.0 response memory overflow

[Yao, Jiewen]

Some thought:

1) Would you please add debug message on every error check you added? Just like 
the original code does.

2) For below, can we separate the check, and add error message for each failure?
Tpm2Integrity.c:
  if (PcrSelectionOut->count > HASH_COUNT || RecvBufferSize < sizeof 
(TPM2_RESPONSE_HEADER) + sizeof(RecvBuffer.PcrUpdateCounter) + 
sizeof(RecvBuffer.PcrSelectionOut.count) + 
sizeof(RecvBuffer.PcrSelectionOut.pcrSelections[0]) * PcrSelectionOut->count) {
DEBUG ((EFI_D_ERROR, "Tpm2PcrRead - Digests->count -%x or RecvBufferSize 
Error - %x\n", PcrSelectionOut->count, RecvBufferSize));
return EFI_DEVICE_ERROR;
  }

3) For below, can we separate the check, and add error message for each failure?
Tpm2NvStorage.c
  if (NvNameSize > sizeof(TPMU_NAME) ||
  (RecvBufferSize != sizeof(TPM2_RESPONSE_HEADER) + sizeof(UINT16) + 
NvPublicSize + sizeof(UINT16) + NvNameSize)) {
DEBUG ((EFI_D_ERROR, "Tpm2NvReadPublic - RecvBufferSize Error - 
NvPublicSize %x, NvNameSize %x\n", RecvBufferSize, NvNameSize));
return EFI_NOT_FOUND;
  }


4) Do you think if we need add check for nonce.size below as well?
Tpm2Help.c

  // nonce
  AuthSessionOut->nonce.size = SwapBytes16 (ReadUnaligned16 ((UINT16 *)Buffer));
  Buffer += sizeof(UINT16);

  CopyMem (AuthSessionOut->nonce.buffer, Buffer, AuthSessionOut->nonce.size);
  Buffer += AuthSessionOut->nonce.size;


Thank you
Yao Jiewen


> -Original Message-
> From: Zhang, Chao B
> Sent: Wednesday, March 21, 2018 11:03 AM
> To: Long, Qin ; edk2-devel@lists.01.org
> Cc: Yao, Jiewen 
> Subject: RE: [Patch] SecurityPkg Tpm2CommandLib: Fix TPM2.0 response
> memory overflow
> 
> Thanks Qin, I will add more comments to explain the magic code
> 
> -Original Message-
> From: Long, Qin
> Sent: Wednesday, March 21, 2018 10:58 AM
> To: Zhang, Chao B ; edk2-devel@lists.01.org
> Cc: Yao, Jiewen 
> Subject: RE: [Patch] SecurityPkg Tpm2CommandLib: Fix TPM2.0 response
> memory overflow
> 
> Hi, Chao,
> 
> One minor suggestion to add the comment to explain the following value "8": 
> the
> number of digests in list is not greater than 8 per TPML_DIGEST definition.
> +  if (PcrValues->count > 8) {
> +return EFI_DEVICE_ERROR;
> +  }
> 
> Other looks good to me.
> 
> Reviewed-by: Long Qin 
> 
> 
> Best Regards & Thanks,
> LONG, Qin
> 
> -Original Message-
> From: Zhang, Chao B
> Sent: Tuesday, March 20, 2018 4:36 PM
> To: edk2-devel@lists.01.org
> Cc: Long, Qin ; Yao, Jiewen ;
> Zhang, Chao B 
> Subject: [Patch] SecurityPkg Tpm2CommandLib: Fix TPM2.0 response memory
> overflow
> 
> TPM2.0 command lib always assumes TPM device and transmission channel can
> respond correctly. But it is not true when communication channel is exploited
> and wrong data is spoofed. Add more logic to prohibit memory overflow attack.
> 
> Cc: Long Qin 
> Cc: Yao Jiewen 
> Contributed-under: TianoCore Contribution Agreement 1.1
> Signed-off-by: Chao Zhang 
> Signed-off-by: Zhang, Chao B 
> ---
>  .../Library/Tpm2CommandLib/Tpm2Capability.c| 21
> ++-
>  .../Tpm2CommandLib/Tpm2EnhancedAuthorization.c | 16 ++-
>  SecurityPkg/Library/Tpm2CommandLib/Tpm2Integrity.c | 19 ++---
> SecurityPkg/Library/Tpm2CommandLib/Tpm2NVStorage.c | 14 --
>  SecurityPkg/Library/Tpm2CommandLib/Tpm2Object.c| 31
> +-
>  SecurityPkg/Library/Tpm2CommandLib/Tpm2Sequences.c | 10 ++-
>  SecurityPkg/Library/Tpm2CommandLib/Tpm2Session.c   |  6 -
>  7 files changed, 107 insertions(+), 10 deletions(-)
> 
> diff --git a/SecurityPkg/Library/Tpm2CommandLib/Tpm2Capability.c
> b/SecurityPkg/Library/Tpm2CommandLib/Tpm2Capability.c
> index 79e80fb7a9..42afe107a6 100644
> --- a/SecurityPkg/Library/Tpm2CommandLib/Tpm2Capability.c
> +++ b/SecurityPkg/Library/Tpm2CommandLib/Tpm2Capability.c
> @@ -1,9 +1,9 @@
>  /** @file
>Implement TPM2 Capability related command.
> 
> -Copyright (c) 2013 - 2016, Intel Corporation. All rights reserved. 
> +Copyright (c) 2013 - 2018, Intel Corporation. All rights reserved. 
>  This program and the accompanying materials  are licensed and made
> available under the terms and conditions of the BSD License  which
> accompanies this distribution.  The full text of the license may be found at
> http://opensource.org/licenses/bsd-license.php
> 
> @@ -110,10 +110,18 @@ Tpm2GetCapability (
> 
>if (RecvBufferSize <= sizeof (TPM2_RESPONSE_HEADER) + sizeof (UINT8)) {
>  return EFI_DEVICE_ERROR;
>}
> 
> +  //
> +  // Fail if command failed
> +  //
> +  if (SwapBytes32(RecvBuffer.Header.responseCode) != TPM_RC_SUCCESS) {
> +DEBUG ((EFI_D_ERROR, "Tpm2GetCapability: Response Code error!
> 0x%08x\r\n", 

Re: [edk2] [Patch] SecurityPkg Tpm2CommandLib: Fix TPM2.0 response memory overflow

[Zhang, Chao B]

Thanks Qin, I will add more comments to explain the magic code

-Original Message-
From: Long, Qin 
Sent: Wednesday, March 21, 2018 10:58 AM
To: Zhang, Chao B ; edk2-devel@lists.01.org
Cc: Yao, Jiewen 
Subject: RE: [Patch] SecurityPkg Tpm2CommandLib: Fix TPM2.0 response memory 
overflow

Hi, Chao,

One minor suggestion to add the comment to explain the following value "8": the 
number of digests in list is not greater than 8 per TPML_DIGEST definition. 
+  if (PcrValues->count > 8) {
+return EFI_DEVICE_ERROR;
+  }

Other looks good to me. 

Reviewed-by: Long Qin 


Best Regards & Thanks,
LONG, Qin

-Original Message-
From: Zhang, Chao B
Sent: Tuesday, March 20, 2018 4:36 PM
To: edk2-devel@lists.01.org
Cc: Long, Qin ; Yao, Jiewen ; Zhang, 
Chao B 
Subject: [Patch] SecurityPkg Tpm2CommandLib: Fix TPM2.0 response memory overflow

TPM2.0 command lib always assumes TPM device and transmission channel can 
respond correctly. But it is not true when communication channel is exploited 
and wrong data is spoofed. Add more logic to prohibit memory overflow attack.

Cc: Long Qin 
Cc: Yao Jiewen 
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Chao Zhang 
Signed-off-by: Zhang, Chao B 
---
 .../Library/Tpm2CommandLib/Tpm2Capability.c| 21 ++-
 .../Tpm2CommandLib/Tpm2EnhancedAuthorization.c | 16 ++-
 SecurityPkg/Library/Tpm2CommandLib/Tpm2Integrity.c | 19 ++---  
SecurityPkg/Library/Tpm2CommandLib/Tpm2NVStorage.c | 14 --
 SecurityPkg/Library/Tpm2CommandLib/Tpm2Object.c| 31 +-
 SecurityPkg/Library/Tpm2CommandLib/Tpm2Sequences.c | 10 ++-
 SecurityPkg/Library/Tpm2CommandLib/Tpm2Session.c   |  6 -
 7 files changed, 107 insertions(+), 10 deletions(-)

diff --git a/SecurityPkg/Library/Tpm2CommandLib/Tpm2Capability.c 
b/SecurityPkg/Library/Tpm2CommandLib/Tpm2Capability.c
index 79e80fb7a9..42afe107a6 100644
--- a/SecurityPkg/Library/Tpm2CommandLib/Tpm2Capability.c
+++ b/SecurityPkg/Library/Tpm2CommandLib/Tpm2Capability.c
@@ -1,9 +1,9 @@
 /** @file
   Implement TPM2 Capability related command.
 
-Copyright (c) 2013 - 2016, Intel Corporation. All rights reserved. 
+Copyright (c) 2013 - 2018, Intel Corporation. All rights reserved. 
 This program and the accompanying materials  are licensed and made available 
under the terms and conditions of the BSD License  which accompanies this 
distribution.  The full text of the license may be found at  
http://opensource.org/licenses/bsd-license.php
 
@@ -110,10 +110,18 @@ Tpm2GetCapability (
 
   if (RecvBufferSize <= sizeof (TPM2_RESPONSE_HEADER) + sizeof (UINT8)) {
 return EFI_DEVICE_ERROR;
   }
 
+  //
+  // Fail if command failed
+  //
+  if (SwapBytes32(RecvBuffer.Header.responseCode) != TPM_RC_SUCCESS) {
+DEBUG ((EFI_D_ERROR, "Tpm2GetCapability: Response Code error! 0x%08x\r\n", 
SwapBytes32(RecvBuffer.Header.responseCode)));
+return EFI_DEVICE_ERROR;
+  }
+
   //
   // Return the response
   //
   *MoreData = RecvBuffer.MoreData;
   //
@@ -327,10 +335,14 @@ Tpm2GetCapabilitySupportedAlg (
   }
   
   CopyMem (AlgList, , sizeof (TPML_ALG_PROPERTY));
 
   AlgList->count = SwapBytes32 (AlgList->count);
+  if (AlgList->count > MAX_CAP_ALGS) {
+return EFI_DEVICE_ERROR;
+  }
+
   for (Index = 0; Index < AlgList->count; Index++) {
 AlgList->algProperties[Index].alg = SwapBytes16 
(AlgList->algProperties[Index].alg);
 WriteUnaligned32 ((UINT32 *)>algProperties[Index].algProperties, 
SwapBytes32 (ReadUnaligned32 ((UINT32 
*)>algProperties[Index].algProperties)));
   }
 
@@ -474,13 +486,20 @@ Tpm2GetCapabilityPcrs (
   if (EFI_ERROR (Status)) {
 return Status;
   }
 
   Pcrs->count = SwapBytes32 (TpmCap.data.assignedPCR.count);
+  if (Pcrs->count > HASH_COUNT) {
+return EFI_DEVICE_ERROR;
+  }
+
   for (Index = 0; Index < Pcrs->count; Index++) {
 Pcrs->pcrSelections[Index].hash = SwapBytes16 
(TpmCap.data.assignedPCR.pcrSelections[Index].hash);
 Pcrs->pcrSelections[Index].sizeofSelect = 
TpmCap.data.assignedPCR.pcrSelections[Index].sizeofSelect;
+if (Pcrs->pcrSelections[Index].sizeofSelect > PCR_SELECT_MAX) {
+  return EFI_DEVICE_ERROR;
+}
 CopyMem (Pcrs->pcrSelections[Index].pcrSelect, 
TpmCap.data.assignedPCR.pcrSelections[Index].pcrSelect, 
Pcrs->pcrSelections[Index].sizeofSelect);
   }
 
   return EFI_SUCCESS;
 }
diff --git a/SecurityPkg/Library/Tpm2CommandLib/Tpm2EnhancedAuthorization.c 
b/SecurityPkg/Library/Tpm2CommandLib/Tpm2EnhancedAuthorization.c
index 6f6b3693f8..3e42875b83 100644
--- a/SecurityPkg/Library/Tpm2CommandLib/Tpm2EnhancedAuthorization.c
+++ b/SecurityPkg/Library/Tpm2CommandLib/Tpm2EnhancedAuthorization.c
@@ -1,9 +1,9 @@
 /** @file
   Implement TPM2 EnhancedAuthorization 

Re: [edk2] [Patch] SecurityPkg Tpm2CommandLib: Fix TPM2.0 response memory overflow

[Long, Qin]

Hi, Chao,

One minor suggestion to add the comment to explain the following value "8": the 
number of digests in list is not greater than 8 per TPML_DIGEST definition. 
+  if (PcrValues->count > 8) {
+return EFI_DEVICE_ERROR;
+  }

Other looks good to me. 

Reviewed-by: Long Qin 


Best Regards & Thanks,
LONG, Qin

-Original Message-
From: Zhang, Chao B 
Sent: Tuesday, March 20, 2018 4:36 PM
To: edk2-devel@lists.01.org
Cc: Long, Qin ; Yao, Jiewen ; Zhang, 
Chao B 
Subject: [Patch] SecurityPkg Tpm2CommandLib: Fix TPM2.0 response memory overflow

TPM2.0 command lib always assumes TPM device and transmission channel can 
respond correctly. But it is not true when communication channel is exploited 
and wrong data is spoofed. Add more logic to prohibit memory overflow attack.

Cc: Long Qin 
Cc: Yao Jiewen 
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Chao Zhang 
Signed-off-by: Zhang, Chao B 
---
 .../Library/Tpm2CommandLib/Tpm2Capability.c| 21 ++-
 .../Tpm2CommandLib/Tpm2EnhancedAuthorization.c | 16 ++-
 SecurityPkg/Library/Tpm2CommandLib/Tpm2Integrity.c | 19 ++---  
SecurityPkg/Library/Tpm2CommandLib/Tpm2NVStorage.c | 14 --
 SecurityPkg/Library/Tpm2CommandLib/Tpm2Object.c| 31 +-
 SecurityPkg/Library/Tpm2CommandLib/Tpm2Sequences.c | 10 ++-
 SecurityPkg/Library/Tpm2CommandLib/Tpm2Session.c   |  6 -
 7 files changed, 107 insertions(+), 10 deletions(-)

diff --git a/SecurityPkg/Library/Tpm2CommandLib/Tpm2Capability.c 
b/SecurityPkg/Library/Tpm2CommandLib/Tpm2Capability.c
index 79e80fb7a9..42afe107a6 100644
--- a/SecurityPkg/Library/Tpm2CommandLib/Tpm2Capability.c
+++ b/SecurityPkg/Library/Tpm2CommandLib/Tpm2Capability.c
@@ -1,9 +1,9 @@
 /** @file
   Implement TPM2 Capability related command.
 
-Copyright (c) 2013 - 2016, Intel Corporation. All rights reserved. 
+Copyright (c) 2013 - 2018, Intel Corporation. All rights reserved. 
 This program and the accompanying materials  are licensed and made available 
under the terms and conditions of the BSD License  which accompanies this 
distribution.  The full text of the license may be found at  
http://opensource.org/licenses/bsd-license.php
 
@@ -110,10 +110,18 @@ Tpm2GetCapability (
 
   if (RecvBufferSize <= sizeof (TPM2_RESPONSE_HEADER) + sizeof (UINT8)) {
 return EFI_DEVICE_ERROR;
   }
 
+  //
+  // Fail if command failed
+  //
+  if (SwapBytes32(RecvBuffer.Header.responseCode) != TPM_RC_SUCCESS) {
+DEBUG ((EFI_D_ERROR, "Tpm2GetCapability: Response Code error! 0x%08x\r\n", 
SwapBytes32(RecvBuffer.Header.responseCode)));
+return EFI_DEVICE_ERROR;
+  }
+
   //
   // Return the response
   //
   *MoreData = RecvBuffer.MoreData;
   //
@@ -327,10 +335,14 @@ Tpm2GetCapabilitySupportedAlg (
   }
   
   CopyMem (AlgList, , sizeof (TPML_ALG_PROPERTY));
 
   AlgList->count = SwapBytes32 (AlgList->count);
+  if (AlgList->count > MAX_CAP_ALGS) {
+return EFI_DEVICE_ERROR;
+  }
+
   for (Index = 0; Index < AlgList->count; Index++) {
 AlgList->algProperties[Index].alg = SwapBytes16 
(AlgList->algProperties[Index].alg);
 WriteUnaligned32 ((UINT32 *)>algProperties[Index].algProperties, 
SwapBytes32 (ReadUnaligned32 ((UINT32 
*)>algProperties[Index].algProperties)));
   }
 
@@ -474,13 +486,20 @@ Tpm2GetCapabilityPcrs (
   if (EFI_ERROR (Status)) {
 return Status;
   }
 
   Pcrs->count = SwapBytes32 (TpmCap.data.assignedPCR.count);
+  if (Pcrs->count > HASH_COUNT) {
+return EFI_DEVICE_ERROR;
+  }
+
   for (Index = 0; Index < Pcrs->count; Index++) {
 Pcrs->pcrSelections[Index].hash = SwapBytes16 
(TpmCap.data.assignedPCR.pcrSelections[Index].hash);
 Pcrs->pcrSelections[Index].sizeofSelect = 
TpmCap.data.assignedPCR.pcrSelections[Index].sizeofSelect;
+if (Pcrs->pcrSelections[Index].sizeofSelect > PCR_SELECT_MAX) {
+  return EFI_DEVICE_ERROR;
+}
 CopyMem (Pcrs->pcrSelections[Index].pcrSelect, 
TpmCap.data.assignedPCR.pcrSelections[Index].pcrSelect, 
Pcrs->pcrSelections[Index].sizeofSelect);
   }
 
   return EFI_SUCCESS;
 }
diff --git a/SecurityPkg/Library/Tpm2CommandLib/Tpm2EnhancedAuthorization.c 
b/SecurityPkg/Library/Tpm2CommandLib/Tpm2EnhancedAuthorization.c
index 6f6b3693f8..3e42875b83 100644
--- a/SecurityPkg/Library/Tpm2CommandLib/Tpm2EnhancedAuthorization.c
+++ b/SecurityPkg/Library/Tpm2CommandLib/Tpm2EnhancedAuthorization.c
@@ -1,9 +1,9 @@
 /** @file
   Implement TPM2 EnhancedAuthorization related command.
 
-Copyright (c) 2014 - 2016, Intel Corporation. All rights reserved. 
+Copyright (c) 2014 - 2018, Intel Corporation. All rights reserved. 
 This program and the accompanying materials  are licensed and made available 
under the terms and conditions of the BSD License  which accompanies this 
distribution.  The full text of the