tianocore / edk2

EDK II
https://github.com/tianocore/tianocore.github.io/wiki/EDK-II

Bug with data unmarshaling and buffer read overrun in SecurityPkg/Library/Tpm2CommandLib/Tpm2Object.c #5509

Closed wmjdgla closed 1 week ago

wmjdgla commented 5 months ago

https://github.com/tianocore/edk2/blob/8f698f0a646124ede518d3e255ef725de1239639/SecurityPkg/Library/Tpm2CommandLib/Tpm2Object.c#L162-L190

case TPM_ALG_KEYEDHASH is missing the break statement at the end (line 180), causing the code execution to flow to the next case (TPM_ALG_SYMCIPHER). OutPublic->publicArea.parameters.keyedHashDetail is a union with OutPublic->publicArea.parameters.symDetail, so this means the unmarshaled data in case TPM_ALG_KEYEDHASH would be overwritten in case TPM_ALG_SYMCIPHER.

In addition, the buffer pointer is advanced in each TPM_ALG_XXX case, so the incorrect flow through to case TPM_ALG_SYMCIPHER would advance buffer more than it should, causing subsequent unmarshaling to go beyond the correct bounds.
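Added illustration (not EDK II's Tpm2Object.c and not the reporter's code): a cut-down C model of the unmarshaling switch described above, with the buggy and fixed variants side by side. The struct names, the wire layout (16-bit big-endian fields), the algorithm values and the sample bytes are constructed assumptions chosen only to reproduce the two effects the report names: the fall-through overwrites the keyedHashDetail member of the union with symDetail fields, and the buffer pointer ends up past the correct end, so whatever follows (here, a length-prefixed field) is swallowed as symDetail data. The reader is bounds-checked, so on an exactly-sized buffer the overrun shows up as a parse failure instead of a read past the end.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed, simplified stand-in for the real TPMT_PUBLIC layout. */
enum { ALG_KEYEDHASH = 0x0008, ALG_SYMCIPHER = 0x0025 };

typedef struct { uint16_t scheme; uint16_t hashAlg; } KeyedHashDetail;             /* 4 wire bytes */
typedef struct { uint16_t algorithm; uint16_t keyBits; uint16_t mode; } SymDetail; /* 6 wire bytes */

/* One union, two overlapping members, as the report describes. */
typedef struct {
  uint16_t type;
  union { KeyedHashDetail keyedHashDetail; SymDetail symDetail; } parameters;
} PublicArea;

/* Big-endian 16-bit read with a bounds check; returns 0 on a short buffer. */
static int ReadU16(const uint8_t **cur, const uint8_t *end, uint16_t *out) {
  if ((size_t)(end - *cur) < 2) return 0;
  *out = (uint16_t)(((*cur)[0] << 8) | (*cur)[1]);
  *cur += 2;
  return 1;
}

static int ReadKeyedHash(const uint8_t **cur, const uint8_t *end, KeyedHashDetail *d) {
  return ReadU16(cur, end, &d->scheme) && ReadU16(cur, end, &d->hashAlg);
}

static int ReadSym(const uint8_t **cur, const uint8_t *end, SymDetail *d) {
  return ReadU16(cur, end, &d->algorithm) && ReadU16(cur, end, &d->keyBits) &&
         ReadU16(cur, end, &d->mode);
}

/* Buggy variant: returns bytes consumed, 0 on failure. Mirrors the missing break. */
size_t UnmarshalPublicBuggy(const uint8_t *buf, size_t len, PublicArea *out) {
  const uint8_t *cur = buf, *end = buf + len;
  memset(out, 0, sizeof *out);
  if (!ReadU16(&cur, end, &out->type)) return 0;
  switch (out->type) {
  case ALG_KEYEDHASH:
    if (!ReadKeyedHash(&cur, end, &out->parameters.keyedHashDetail)) return 0;
    /* BUG (as reported): no break, so execution falls through into the next case */
  case ALG_SYMCIPHER:
    if (!ReadSym(&cur, end, &out->parameters.symDetail)) return 0;
    break;
  default:
    return 0;
  }
  return (size_t)(cur - buf);
}

/* Fixed variant: identical except for the break. */
size_t UnmarshalPublicFixed(const uint8_t *buf, size_t len, PublicArea *out) {
  const uint8_t *cur = buf, *end = buf + len;
  memset(out, 0, sizeof *out);
  if (!ReadU16(&cur, end, &out->type)) return 0;
  switch (out->type) {
  case ALG_KEYEDHASH:
    if (!ReadKeyedHash(&cur, end, &out->parameters.keyedHashDetail)) return 0;
    break;
  case ALG_SYMCIPHER:
    if (!ReadSym(&cur, end, &out->parameters.symDetail)) return 0;
    break;
  default:
    return 0;
  }
  return (size_t)(cur - buf);
}

/* Constructed wire sample: a KEYEDHASH public area followed by the next
   field a caller would parse (a 2-byte size plus 4 bytes of content). */
static const uint8_t kSample[] = {
  0x00, 0x08,             /* type: KEYEDHASH */
  0x00, 0x10, 0x00, 0x0B, /* keyedHashDetail: scheme=0x0010, hashAlg=0x000B */
  0x00, 0x04,             /* size prefix of the following field */
  0xDE, 0xAD, 0xBE, 0xEF  /* that field's content */
};

typedef struct { size_t consumed; uint16_t scheme; uint16_t hashAlg; } DemoResult;

/* Parse kSample (optionally truncated to 'len' bytes) with one variant and
   report bytes consumed (0 = failure) and the keyedHashDetail seen afterwards. */
DemoResult RunDemo(int fixed, size_t len) {
  PublicArea p;
  DemoResult r;
  r.consumed = fixed ? UnmarshalPublicFixed(kSample, len, &p)
                     : UnmarshalPublicBuggy(kSample, len, &p);
  r.scheme = p.parameters.keyedHashDetail.scheme;
  r.hashAlg = p.parameters.keyedHashDetail.hashAlg;
  return r;
}

int main(void) {
  for (int fixed = 0; fixed < 2; fixed++) {
    DemoResult r = RunDemo(fixed, sizeof kSample);
    printf("%s: consumed=%zu scheme=0x%04X hashAlg=0x%04X\n",
           fixed ? "fixed" : "buggy", r.consumed, r.scheme, r.hashAlg);
  }
  printf("exact-size buffer: buggy=%zu fixed=%zu\n",
         RunDemo(0, 6).consumed, RunDemo(1, 6).consumed);
  return 0;
}
```

With the full 12-byte sample the buggy variant consumes all 12 bytes and reports scheme=0x0004 and hashAlg=0xDEAD (the size prefix and content of the next field, read as symDetail and visible through the union), while the fixed variant stops at 6 with the original values intact. On a buffer of exactly 6 bytes the buggy variant fails outright because the fall-through tries to read 6 more bytes than exist; without the bounds check in ReadU16 that would be the read overrun the report describes.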

jyao1 commented 2 months ago

Yes, agree this is a bug. Do you want to propose a patch?