Bug #157: Potential memory corruption when parsing NV Read response payload from TPM - coreboot - Issue Tracker

Actions

Copy link

Bug #157

closed

Potential memory corruption when parsing NV Read response payload from TPM

Added by Jeremy Boone about 6 years ago. Updated about 6 years ago.

Status:

Resolved

Priority:

Normal

Assignee:

Category:

Target version:

Start date:

02/09/2018

Due date:

% Done:

Estimated time:

Affected versions:

Needs backport to:

Affected hardware:

Affected OS:

Description

Summary:¶

Memory corruption may occur in the TPM driver because variable-length TPM response payloads are not adequately validated before performing a memory copy operation.

Details:¶

The following code implements the NV Read operation. According to the TCG specification, this command ordinal may return a variable length response. Below, the 4-byte result_length, which is extracted from the response buffer, dictates the size of the variable-length response payload.

uint32_t tlcl_read(uint32_t index, void *data, uint32_t length)
{
    struct s_tpm_nv_read_cmd cmd;
    uint8_t response[TPM_LARGE_ENOUGH_COMMAND_SIZE];
    uint32_t result_length;
    ...
    memcpy(&cmd, &tpm_nv_read_cmd, sizeof(cmd));
    to_tpm_uint32(cmd.buffer + tpm_nv_read_cmd.index, index);
    to_tpm_uint32(cmd.buffer + tpm_nv_read_cmd.length, length);

    result = tlcl_send_receive(cmd.buffer, response, sizeof(response));
    if (result == TPM_SUCCESS && length > 0) {
        uint8_t *nv_read_cursor = response + kTpmResponseHeaderLength;
        from_tpm_uint32(nv_read_cursor, &result_length);
        nv_read_cursor += sizeof(uint32_t);
        memcpy(data, nv_read_cursor, result_length);
    }   
    ...
}

Later, result_length is used as the size argument to a memcpy() operation without adequate sanitization to ensure that it is not greater than the size of the destination buffer, data.