Hi Jiewen, Jiang, Chao,

Could you help review the change?

Best Regards
Guomin

> -----Original Message-----
> From: devel@edk2.groups.io <devel@edk2.groups.io> On Behalf Of Guomin Jiang
> Sent: Wednesday, April 1, 2020 9:11 AM
> To: devel@edk2.groups.io
> Cc: Yao, Jiewen <jiewen....@intel.com>; Wang, Jian J <jian.j.w...@intel.com>; Zhang, Chao B <chao.b.zh...@intel.com>
> Subject: [edk2-devel] [PATCH] SecurityPkg/MeasureBootLib: Return EFI_ACCESS_DENIED after image check fail
> 
> REF: https://bugzilla.tianocore.org/show_bug.cgi?id=2652
> 
> If the File is checked at the beginning of the function, it will only allow the File to be present
> and forbid images from a buffer.
> It is possible that the image comes from a memory buffer, so let it run
> and check the File afterwards.
> It is an improvement for 4b026f0d5af36faf3a3629a3ad49c51b5b3be12f.
> 
> Cc: Jiewen Yao <jiewen....@intel.com>
> Cc: Jian J Wang <jian.j.w...@intel.com>
> Cc: Chao Zhang <chao.b.zh...@intel.com>
> Signed-off-by: Guomin Jiang <guomin.ji...@intel.com>
> ---
>  .../DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLib.c  | 14 +++++++-----
> --
>  .../DxeTpmMeasureBootLib/DxeTpmMeasureBootLib.c    | 14 +++++++------
> -
>  2 files changed, 14 insertions(+), 14 deletions(-)
> 
> diff --git
> a/SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLib.
> c
> b/SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLib.
> c
> index f0e95e5ec0..fdb4758cbe 100644
> ---
> a/SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLib.
> c
> +++
> b/SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLib.
> c
> @@ -435,13 +435,6 @@ DxeTpm2MeasureBootHandler (
>    EFI_PHYSICAL_ADDRESS                FvAddress;   UINT32                    
>           Index; -
> //-  // Check for invalid parameters.-  //-  if (File == NULL) {-    return
> EFI_ACCESS_DENIED;-  }-   Status = gBS->LocateProtocol
> (&gEfiTcg2ProtocolGuid, NULL, (VOID **) &Tcg2Protocol);   if (EFI_ERROR
> (Status)) {     //@@ -615,6 +608,13 @@ DxeTpm2MeasureBootHandler (
>    //   Status = PeCoffLoaderGetImageInfo (&ImageContext);   if (EFI_ERROR
> (Status)) {+    //+    // Check for invalid parameters.+    //+    if (File 
> == NULL) {+
> Status = EFI_ACCESS_DENIED;+    }+     //     // The information can't be got
> from the invalid PeImage     //diff --git
> a/SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLib.c
> b/SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLib.c
> index d499371e7a..20f7d94d6b 100644
> ---
> a/SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLib.c
> +++
> b/SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLib.c
> @@ -732,13 +732,6 @@ DxeTpmMeasureBootHandler (
>    EFI_PHYSICAL_ADDRESS                FvAddress;   UINT32                    
>           Index; -
> //-  // Check for invalid parameters.-  //-  if (File == NULL) {-    return
> EFI_ACCESS_DENIED;-  }-   Status = gBS->LocateProtocol
> (&gEfiTcgProtocolGuid, NULL, (VOID **) &TcgProtocol);   if (EFI_ERROR
> (Status)) {     //@@ -912,6 +905,13 @@ DxeTpmMeasureBootHandler (
>    //   Status = PeCoffLoaderGetImageInfo (&ImageContext);   if (EFI_ERROR
> (Status)) {+    //+    // Check for invalid parameters.+    //+    if (File 
> == NULL) {+
> return EFI_ACCESS_DENIED;+    }+     //     // The information can't be got 
> from
> the invalid PeImage     //--
> 2.25.1.windows.1
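Review bot: Dropping the `if (File == NULL)` guard ahead of `gBS->LocateProtocol (&gEfiTcg2ProtocolGuid, NULL, (VOID **) &Tcg2Protocol)` in the first DxeTpm2MeasureBootLib hunk (`@@ -435,13 +435,6 @@`) means File is no longer validated before everything between that point and `PeCoffLoaderGetImageInfo (&ImageContext)` runs. The commit message should state that no code in that range dereferences File when the image arrives in a memory buffer, or every use of File in DxeTpm2MeasureBootHandler (and in the matching DxeTpmMeasureBootHandler hunk at `@@ -732,13 +732,6 @@`) should be checked against the new ordering before this is merged.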
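Review bot: The relocated check in the `@@ -615,6 +608,13 @@` hunk only fires inside `if (EFI_ERROR (Status))` after PeCoffLoaderGetImageInfo, so a buffer-sourced image whose header cannot be parsed now yields EFI_ACCESS_DENIED while a file-sourced one still propagates the PeCoffLoaderGetImageInfo status. The commit message does not say why the two cases should differ, and the retained comment `// Check for invalid parameters.` no longer describes a parameter check but a policy decision on parse failure; please document the intent in the commit message and replace that comment with one that states it, e.g. that an unparseable image with no backing file is treated as an access-denied condition.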
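Review bot: The DxeTpmMeasureBootLib hunk at `@@ -912,6 +905,13 @@` uses `return EFI_ACCESS_DENIED;` where the DxeTpm2MeasureBootLib counterpart uses `Status = EFI_ACCESS_DENIED;`. The direct return leaves the EFI_ERROR branch before the existing `// The information can't be got from the invalid PeImage` handling that follows it, so whatever that error path does, including any cleanup it reaches, is skipped in this library only, and the two libraries now behave differently for the same input. Suggest `Status = EFI_ACCESS_DENIED;` here as well so both handlers take the same error path.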
> 
> 
> -=-=-=-=-=-=
> Groups.io Links: You receive all messages sent to this group.
> 
> View/Reply Online (#56805): https://edk2.groups.io/g/devel/message/56805
> Mute This Topic: https://groups.io/mt/72691331/4399222
> Group Owner: devel+ow...@edk2.groups.io
> Unsubscribe: https://edk2.groups.io/g/devel/unsub
> [guomin.ji...@intel.com] -=-=-=-=-=-=

View/Reply Online (#57051): https://edk2.groups.io/g/devel/message/57051