Project

General

Profile

Actions

Bug #157

closed

Potential memory corruption when parsing NV Read response payload from TPM

Added by Jeremy Boone almost 7 years ago. Updated almost 7 years ago.

Status:
Resolved
Priority:
Normal
Assignee:
-
Category:
-
Target version:
-
Start date:
02/09/2018
Due date:
% Done:

0%

Estimated time:
Affected versions:
Needs backport to:
Affected hardware:
Affected OS:

Description

Summary:

Memory corruption may occur in the TPM driver because variable-length TPM response payloads are not adequately validated before performing a memory copy operation.

Details:

The following code implements the NV Read operation. According to the TCG specification, this command ordinal may return a variable length response. Below, the 4-byte result_length, which is extracted from the response buffer, dictates the size of the variable-length response payload.

uint32_t tlcl_read(uint32_t index, void *data, uint32_t length)
{
    struct s_tpm_nv_read_cmd cmd;
    uint8_t response[TPM_LARGE_ENOUGH_COMMAND_SIZE];
    uint32_t result_length;
    ...
    memcpy(&cmd, &tpm_nv_read_cmd, sizeof(cmd));
    to_tpm_uint32(cmd.buffer + tpm_nv_read_cmd.index, index);
    to_tpm_uint32(cmd.buffer + tpm_nv_read_cmd.length, length);

    result = tlcl_send_receive(cmd.buffer, response, sizeof(response));
    if (result == TPM_SUCCESS && length > 0) {
        uint8_t *nv_read_cursor = response + kTpmResponseHeaderLength;
        from_tpm_uint32(nv_read_cursor, &result_length);
        nv_read_cursor += sizeof(uint32_t);
        memcpy(data, nv_read_cursor, result_length);
    }   
    ...
}

Later, result_length is used as the size argument to a memcpy() operation without adequate sanitization to ensure that it is not greater than the size of the destination buffer, data.

Recommendation:

Between the call to from_tpm_uint32() and memcpy() the result_length should be checked to ensure that it is not greater than length.

Actions #1

Updated by Philipp Deppenwiese almost 7 years ago

  • Status changed from New to Resolved
Actions

Also available in: Atom PDF