
MdeModulePkg : Clear keyboard queue buffer after reading #10964


Open: wants to merge 1 commit into base: master

Conversation

NickWangInsyde

Description

When entering a password, the password keystrokes are stored in a circular queue. This queue is not cleared after password entry, making it possible to snoop some or all of the password characters later by direct examination of the memory which was used as the circular queue, leading to possible information disclosure or escalation of privilege.

To prevent exposure of the password string, clear the queue buffer by filling it with zeros after reading.
BZ4760

  • Breaking change?
  • Impacts security?
    • Password keystrokes may be disclosed in memory.
  • Includes tests?

How This Was Tested

Modified the HelloWorld UEFI shell application to peek at the last user-input keystroke data in the keyboard queue buffer via the EFI_SIMPLE_TEXT_INPUT_PROTOCOL pointer, and ensured that the keystroke data in the keyboard queue buffer is cleared.
TestCode

Integration Instructions

N/A
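The before/after behaviour the description refers to, as an added example in portable C rather than the MdeModulePkg driver code itself: a constructed circular keystroke queue (the names QUEUE_MAX_COUNT, SIMPLE_QUEUE, KEY_DATA, Enqueue, DequeueLeaky, DequeueCleared, SecureZero, ResidualChars and the sample password are all assumptions of this example, not identifiers taken from the project), with a dequeue that leaves consumed slots intact beside one that zeroes each slot after copying it out. ResidualChars counts how many slots still hold a character after the whole password has been read, which is the kind of check a test application can make by inspecting the queue memory.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed stand-in for a firmware keystroke queue. The names, field
 * layout and size here are assumptions for this example, not the
 * MdeModulePkg definitions. */
#define QUEUE_MAX_COUNT 32

typedef struct {
  uint16_t ScanCode;
  uint16_t UnicodeChar;
  uint32_t KeyShiftState;
  uint8_t  KeyToggleState;
} KEY_DATA;

typedef struct {
  KEY_DATA Buffer[QUEUE_MAX_COUNT];
  size_t   Head;  /* next slot to read */
  size_t   Tail;  /* next slot to write */
} SIMPLE_QUEUE;

/* Zero a region with volatile stores so the compiler cannot drop the
 * wipe as a dead store (the memory is never read again by this code). */
static void SecureZero(void *Ptr, size_t Len) {
  volatile uint8_t *V = (volatile uint8_t *)Ptr;
  while (Len--) {
    *V++ = 0;
  }
}

static int IsQueueFull(const SIMPLE_QUEUE *Q) {
  return ((Q->Tail + 1) % QUEUE_MAX_COUNT) == Q->Head;
}

static int IsQueueEmpty(const SIMPLE_QUEUE *Q) {
  return Q->Head == Q->Tail;
}

/* Producer side: the keyboard driver stores each keystroke in the ring. */
int Enqueue(SIMPLE_QUEUE *Q, const KEY_DATA *Key) {
  if (IsQueueFull(Q)) {
    return -1;
  }
  Q->Buffer[Q->Tail] = *Key;
  Q->Tail = (Q->Tail + 1) % QUEUE_MAX_COUNT;
  return 0;
}

/* "Before": copies the key out and advances Head, but the consumed slot
 * keeps its contents until it happens to be overwritten. */
int DequeueLeaky(SIMPLE_QUEUE *Q, KEY_DATA *Out) {
  if (IsQueueEmpty(Q)) {
    return -1;
  }
  *Out = Q->Buffer[Q->Head];
  Q->Head = (Q->Head + 1) % QUEUE_MAX_COUNT;
  return 0;
}

/* "After": copy the key out, then wipe the slot before releasing it. */
int DequeueCleared(SIMPLE_QUEUE *Q, KEY_DATA *Out) {
  if (IsQueueEmpty(Q)) {
    return -1;
  }
  *Out = Q->Buffer[Q->Head];
  SecureZero(&Q->Buffer[Q->Head], sizeof(KEY_DATA));
  Q->Head = (Q->Head + 1) % QUEUE_MAX_COUNT;
  return 0;
}

/* Type a password into the queue, drain it with the given dequeue routine,
 * then count the slots that still hold a non-zero character. */
size_t ResidualChars(int (*Dequeue)(SIMPLE_QUEUE *, KEY_DATA *),
                     const char *Password) {
  SIMPLE_QUEUE Q = {0};
  KEY_DATA     Key = {0};
  KEY_DATA     Out;
  size_t       Residual = 0;

  for (const char *C = Password; *C != '\0'; C++) {
    Key.UnicodeChar = (uint16_t)(unsigned char)*C;
    Enqueue(&Q, &Key);
  }
  while (Dequeue(&Q, &Out) == 0) {
    /* consumer reads every keystroke, as a password prompt would */
  }
  for (size_t I = 0; I < QUEUE_MAX_COUNT; I++) {
    if (Q.Buffer[I].UnicodeChar != 0) {
      Residual++;
    }
  }
  return Residual;
}

int main(void) {
  /* "hunter2" is a constructed sample password for this example. */
  printf("leaky dequeue leaves %zu characters in the ring\n",
         ResidualChars(DequeueLeaky, "hunter2"));
  printf("clearing dequeue leaves %zu characters in the ring\n",
         ResidualChars(DequeueCleared, "hunter2"));
  return 0;
}
```

SecureZero uses volatile stores because a plain memset on memory that is never read again is a dead store the optimizer is entitled to remove; in a firmware build the equivalent is an out-of-line library zeroing routine, which is what the PR's "filling it with zeros" amounts to. The wipe only covers the producer's ring: any other buffer that holds a copy of the keystrokes (the splitter and serial-console implementations the review comment below asks about, or the caller's own buffer) needs the same treatment.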

@github-actions github-actions bot added the impact:security This change has a direct security impact such as changing a crypto algorithm. label Apr 15, 2025
There is a possibility to retrieve user input keystroke data stored in the
queue buffer via the EFI_SIMPLE_TEXT_INPUT_PROTOCOL pointer. To prevent
exposure of the password string, clear the queue buffer by filling it
with zeros after reading.

Signed-off-by: Nick Wang <[email protected]>
@kevindavisinsyde
@niruiyu @lgao4 can we get reviews & approved? Phoenix reviewed and agreed.

@mdkinney
Member

This change looks like it may be incomplete. Are some of the same types of changes required in all SIMPLE_INPUT_* Protocol implementations, such as all Serial/UART drivers and the ConSplitter?

Are there any drivers in edk2-platforms that need this update?

Should there be updates to the UEFI Driver Writer's Guide for Simple Input Protocol implementations?

4 participants