The KeyLibGenerateSalt function fails to check the return values of the RandomSeed and RandomBytes function calls.

The SavePasswordToVariable function also fails to check the status returned by its call to KeyLibGenerateSalt.

Snippet below:
```c
EFI_STATUS
SavePasswordToVariable (
  IN EFI_GUID  *UserGuid,
  IN CHAR8     *Password, OPTIONAL
  IN UINTN     PasswordSize
  )
{
  EFI_STATUS                Status;
  USER_PASSWORD_VAR_STRUCT  UserPasswordVarStruct;
  BOOLEAN                   HashOk;

  //
  // If password is NULL, it means we want to clean password field saved in variable region.
  //
  if (Password != NULL) {
    KeyLibGenerateSalt (UserPasswordVarStruct.PasswordSalt, sizeof(UserPasswordVarStruct.PasswordSalt));
```

```c
BOOLEAN
EFIAPI
KeyLibGenerateSalt (
  IN OUT UINT8  *SaltValue,
  IN UINTN      SaltSize
  )
{
  if (SaltValue == NULL) {
    return FALSE;
  }
  RandomSeed(NULL, 0);
  RandomBytes(SaltValue, SaltSize);
  return TRUE;
}
```
This issue was created automatically with bugzilla2github
Bugzilla Bug 4649
Date: 2024-01-17T01:59:36+00:00
From: tabassum.yasmin
To: unassigned <>
CC: @lgao4
Last updated: 2024-01-30T21:46:07+00:00
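
The pattern the report asks for, as an added example that is not code from the project or the reporter: each random-number call's result is checked and a failure is propagated to the caller before any hashing happens. `GenerateSaltChecked`, `SavePasswordChecked`, `SALT_SIZE` and the failure-injection flags are hypothetical names, and the `RandomSeed`/`RandomBytes` bodies are stand-ins so the block builds outside firmware.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define SALT_SIZE 32  /* assumed size; the page does not state the real one */

/* Stand-ins for the crypto library calls; the flags inject failures. */
static bool g_seed_ok = true, g_bytes_ok = true;

static bool RandomSeed(const uint8_t *seed, size_t size) {
    (void)seed; (void)size;
    return g_seed_ok;
}

static bool RandomBytes(uint8_t *out, size_t size) {
    if (!g_bytes_ok) return false;
    for (size_t i = 0; i < size; i++)
        out[i] = (uint8_t)(0xA5 ^ i);   /* constructed pattern, not random */
    return true;
}

/* Salt generation that reports RNG failure instead of always returning true. */
bool GenerateSaltChecked(uint8_t *salt, size_t size) {
    if (salt == NULL || size == 0) return false;
    if (!RandomSeed(NULL, 0)) return false;     /* salt buffer left untouched */
    if (!RandomBytes(salt, size)) {
        memset(salt, 0, size);                  /* leave no partial output */
        return false;
    }
    return true;
}

/* Caller modelled on SavePasswordToVariable: 0 = success, -1 = error. */
int SavePasswordChecked(const char *password, uint8_t salt_out[SALT_SIZE]) {
    if (password == NULL) {                     /* request to clear the field */
        memset(salt_out, 0, SALT_SIZE);
        return 0;
    }
    if (!GenerateSaltChecked(salt_out, SALT_SIZE))
        return -1;                              /* abort before hashing or storing */
    return 0;  /* hashing and variable storage are outside this example */
}

int main(void) {
    uint8_t salt[SALT_SIZE];
    g_bytes_ok = false;                         /* simulate an RNG failure */
    return SavePasswordChecked("example", salt) == -1 ? 0 : 1;
}
```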