tianocore / edk2

EDK II
https://github.com/tianocore/tianocore.github.io/wiki/EDK-II

Bug with data marshaling in SecurityPkg/Library/Tpm2CommandLib/Tpm2Integrity.c #5537

Open wmjdgla opened 3 months ago

wmjdgla commented 3 months ago

Tpm2PcrRead is doing a member-by-member copy of the input TPML_PCR_SELECTION parameter rather than marshaling it:

https://github.com/tianocore/edk2/blob/b7f8779fe1f60113fdaab3b2f3f17c9f900b0456/SecurityPkg/Library/Tpm2CommandLib/Tpm2Integrity.c#L359-L364

This results in the TPM2_PCR_READ_COMMAND bytes being malformed whenever sizeofSelect != PCR_SELECT_MAX.

Further down, Tpm2PcrAllocate also marshals an input TPML_PCR_SELECTION parameter and it is done correctly:

https://github.com/tianocore/edk2/blob/b7f8779fe1f60113fdaab3b2f3f17c9f900b0456/SecurityPkg/Library/Tpm2CommandLib/Tpm2Integrity.c#L515-L524
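The difference described in the comment above, as an added example that is not part of the original thread and is not edk2 code: a fixed-slot member copy and a marshaled encoding of the same selection list agree only when sizeofSelect equals PCR_SELECT_MAX. The type and function names (PCR_SEL, PCR_SEL_LIST, copy_members, marshal) and the values PCR_SELECT_MAX = 4 and HASH_COUNT = 2 are assumptions made for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define PCR_SELECT_MAX 4                     /* constructed value for this example */
#define HASH_COUNT     2                     /* constructed value for this example */
#define ENTRY_SLOT     (3 + PCR_SELECT_MAX)  /* fixed size of one entry: hash + size + max select */

typedef struct { uint16_t hash; uint8_t sizeofSelect; uint8_t pcrSelect[PCR_SELECT_MAX]; } PCR_SEL;
typedef struct { uint32_t count; PCR_SEL pcrSelections[HASH_COUNT]; } PCR_SEL_LIST;

static void put16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }
static void put32(uint8_t *p, uint32_t v) { put16(p, (uint16_t)(v >> 16)); put16(p + 2, (uint16_t)v); }
/* Writes hash (big-endian), sizeofSelect and the selected bytes of one entry at p. */
static void put_entry(uint8_t *p, const PCR_SEL *s) {
  put16(p, s->hash);
  p[2] = s->sizeofSelect;
  memcpy(p + 3, s->pcrSelect, s->sizeofSelect);
}

/* Member-by-member copy: every entry occupies a fixed ENTRY_SLOT bytes. */
size_t copy_members(const PCR_SEL_LIST *in, uint8_t *out, size_t cap) {
  size_t need = 4 + (size_t)ENTRY_SLOT * in->count;
  if (in->count > HASH_COUNT || need > cap) return 0;
  memset(out, 0, need);
  put32(out, in->count);
  for (uint32_t i = 0; i < in->count; i++) {
    if (in->pcrSelections[i].sizeofSelect > PCR_SELECT_MAX) return 0;
    put_entry(out + 4 + (size_t)i * ENTRY_SLOT, &in->pcrSelections[i]);
  }
  return need;
}

/* Marshaling: every entry occupies 3 + sizeofSelect bytes, packed back to back. */
size_t marshal(const PCR_SEL_LIST *in, uint8_t *out, size_t cap) {
  size_t off = 4;
  if (in->count > HASH_COUNT || cap < off) return 0;
  put32(out, in->count);
  for (uint32_t i = 0; i < in->count; i++) {
    const PCR_SEL *s = &in->pcrSelections[i];
    if (s->sizeofSelect > PCR_SELECT_MAX || off + 3 + s->sizeofSelect > cap) return 0;
    put_entry(out + off, s);
    off += 3u + s->sizeofSelect;
  }
  return off;
}
int main(void) {
  /* Constructed input: two banks (0x0004 SHA-1, 0x000B SHA-256), sizeofSelect = 3. */
  PCR_SEL_LIST l = { 2, { { 0x0004, 3, { 0xFF, 0, 0, 0 } }, { 0x000B, 3, { 0x01, 0, 0, 0 } } } };
  uint8_t a[32], b[32];
  printf("copy: %zu bytes, marshal: %zu bytes\n", copy_members(&l, a, sizeof a), marshal(&l, b, sizeof b));
  return 0;
}
```

With sizeofSelect = 3, the member copy leaves one unused byte in each slot, so a receiver parsing the variable-length wire format reads the second entry's hash one byte early.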

jyao1 commented 1 week ago

Yes, agree this is a bug. Do you want to propose a patch?