coreboot

Summary:¶

Memory corruption may occur in the TPM driver because variable-length TPM response payloads are not adequately validated before performing a memory copy operation.

Details:¶

The following code implements the NV Read operation. According to the TCG specification, this command ordinal may return a variable length response. Below, the 4-byte result_length, which is extracted from the response buffer, dictates the size of the variable-length response payload.

uint32_t tlcl_read(uint32_t index, void *data, uint32_t length)
{
    struct s_tpm_nv_read_cmd cmd;
    uint8_t response[TPM_LARGE_ENOUGH_COMMAND_SIZE];
    uint32_t result_length;
    ...
    memcpy(&cmd, &tpm_nv_read_cmd, sizeof(cmd));
    to_tpm_uint32(cmd.buffer + tpm_nv_read_cmd.index, index);
    to_tpm_uint32(cmd.buffer + tpm_nv_read_cmd.length, length);

    result = tlcl_send_receive(cmd.buffer, response, sizeof(response));
    if (result == TPM_SUCCESS && length > 0) {
        uint8_t *nv_read_cursor = response + kTpmResponseHeaderLength;
        from_tpm_uint32(nv_read_cursor, &result_length);
        nv_read_cursor += sizeof(uint32_t);
        memcpy(data, nv_read_cursor, result_length);
    }   
    ...
}

Later, result_length is used as the size argument to a memcpy() operation without adequate sanitization to ensure that it is not greater than the size of the destination buffer, data.

Recommendation:¶

Between the call to from_tpm_uint32() and memcpy() the result_length should be checked to ensure that it is not greater than length.