case TPM_ALG_KEYEDHASH is missing the break statement at the end (line 180), causing the code execution to flow to the next case (TPM_ALG_SYMCIPHER). OutPublic->publicArea.parameters.keyedHashDetail is a union with OutPublic->publicArea.parameters.symDetail, so this means the unmarshaled data in case TPM_ALG_KEYEDHASH would be overwritten in case TPM_ALG_SYMCIPHER.
In addition, the buffer pointer is advanced in each TPM_ALG_XXX case, so the incorrect flow through to case TPM_ALG_SYMCIPHER would advance buffer more than it should, causing subsequent unmarshalling to go beyond the correct bounds.
https://github.com/tianocore/edk2/blob/8f698f0a646124ede518d3e255ef725de1239639/SecurityPkg/Library/Tpm2CommandLib/Tpm2Object.c#L162-L190
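The two effects described above (clobbered union fields and an over-advanced buffer pointer) can be reproduced in a reduced model. This is an added example, not the edk2 source: the union layout, helper names, the `with_break` switch and the sample bytes are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Reduced model of the unmarshalling switch; NOT the edk2 code. */
enum { ALG_KEYEDHASH = 0x0008, ALG_SYMCIPHER = 0x0025 };

typedef union {                 /* hypothetical stand-in for publicArea.parameters */
    struct { uint16_t scheme; uint16_t hashAlg; } keyedHash;
    struct { uint16_t algorithm; uint16_t keyBits; uint16_t mode; } sym;
} Params;

/* Constructed response bytes: 4 bytes of keyedHash parameters, followed by
 * 6 bytes that belong to whatever field comes after the parameters. */
static const uint8_t SAMPLE[10] = {
    0x00, 0x05, 0x00, 0x0B,               /* scheme, hashAlg */
    0x00, 0x20, 0xAA, 0xBB, 0xCC, 0xDD    /* next field's data */
};

/* Big-endian 16-bit read that advances the cursor, as the real code does. */
static uint16_t rd16(const uint8_t **p) {
    uint16_t v = (uint16_t)(((*p)[0] << 8) | (*p)[1]);
    *p += 2;
    return v;
}

/* Returns the number of bytes consumed.
 * with_break = 0 reproduces the missing-break flow; 1 is the corrected flow. */
size_t unmarshal_params(const uint8_t *buf, uint16_t type, int with_break,
                        Params *out) {
    const uint8_t *p = buf;
    memset(out, 0, sizeof *out);
    switch (type) {
    case ALG_KEYEDHASH:
        out->keyedHash.scheme  = rd16(&p);
        out->keyedHash.hashAlg = rd16(&p);
        if (with_break) break;
        /* fall through */
    case ALG_SYMCIPHER:         /* shares storage with keyedHash */
        out->sym.algorithm = rd16(&p);
        out->sym.keyBits   = rd16(&p);
        out->sym.mode      = rd16(&p);
        break;
    }
    return (size_t)(p - buf);
}
```

With the break in place the parser consumes 4 bytes and keeps the keyedHash values; without it, 10 bytes are consumed and the keyedHash fields hold bytes that belong to the following field.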