From 034d5762be6e95e948c6827149dc0745ba82c659 Mon Sep 17 00:00:00 2001
From: Miroslav Rezanina
Date: Tue, 4 Apr 2023 09:25:29 -0400
Subject: [PATCH] Branch synchronization with RHEL 8.8.0
---
 .gitignore | 5 +-
 ...of-buffer-before-accessing-it-CVE-20.patch | 52 +++++++++++++++++++
 ...-EVP_PKEY_CTX_set0_rsa_oaep_label-fo.patch | 37 -------------
 ...Fix-size-check-in-CryptSecretDecrypt.patch | 31 -----------
 gating.yaml | 8 ---
 libtpms.spec | 8 ++-
 make-git-snapshot.sh | 1 -
 7 files changed, 63 insertions(+), 79 deletions(-)
 create mode 100644 0001-tpm2-Check-size-of-buffer-before-accessing-it-CVE-20.patch
 delete mode 100644 0001-tpm2-Do-not-call-EVP_PKEY_CTX_set0_rsa_oaep_label-fo.patch
 delete mode 100644 0001-tpm2-Fix-size-check-in-CryptSecretDecrypt.patch
 delete mode 100644 gating.yaml
diff --git a/.gitignore b/.gitignore
index 45ecc95..22446cf 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,2 +1,5 @@
+/libtpms-20191018.tar.xz
+/libtpms-20200527.tar.xz
+/libtpms-20200818.tar.xz
+/libtpms-20201106.tar.xz
 SOURCES/libtpms-20211126.tar.xz
-/libtpms-20211126.tar.xz
diff --git a/0001-tpm2-Check-size-of-buffer-before-accessing-it-CVE-20.patch b/0001-tpm2-Check-size-of-buffer-before-accessing-it-CVE-20.patch
new file mode 100644
index 0000000..488f433
--- /dev/null
+++ b/0001-tpm2-Check-size-of-buffer-before-accessing-it-CVE-20.patch
@@ -0,0 +1,52 @@
+From 324dbb4c27ae789c73b69dbf4611242267919dd4 Mon Sep 17 00:00:00 2001
+From: Stefan Berger
+Date: Mon, 20 Feb 2023 14:41:10 -0500
+Subject: [PATCH] tpm2: Check size of buffer before accessing it (CVE-2023-1017
+ & -1018)
+
+Check that there are sufficient bytes in the buffer before reading the
+cipherSize from it. Also, reduce the bufferSize variable by the number
+of bytes that make up the cipherSize to avoid reading and writing bytes
+beyond the buffer in subsequent steps that do in-place decryption.
+
+This fixes CVE-2023-1017 & CVE-2023-1018.
+
+Signed-off-by: Stefan Berger
+---
+ src/tpm2/CryptUtil.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/src/tpm2/CryptUtil.c b/src/tpm2/CryptUtil.c
+index 002fde0..8fae5b6 100644
+--- a/src/tpm2/CryptUtil.c
++++ b/src/tpm2/CryptUtil.c
+@@ -830,6 +830,10 @@ CryptParameterDecryption(
+ + sizeof(session->sessionKey.t.buffer)));
+ TPM2B_HMAC_KEY key; // decryption key
+ UINT32 cipherSize = 0; // size of cipher text
++
++ if (leadingSizeInByte > bufferSize)
++ return TPM_RC_INSUFFICIENT;
++
+ // Retrieve encrypted data size.
+ if(leadingSizeInByte == 2)
+ {
+@@ -837,6 +841,7 @@ CryptParameterDecryption(
+ // data to be decrypted
+ cipherSize = (UINT32)BYTE_ARRAY_TO_UINT16(buffer);
+ buffer = &buffer[2]; // advance the buffer
++ bufferSize -= 2;
+ }
+ #ifdef TPM4B
+ else if(leadingSizeInByte == 4)
+@@ -844,6 +849,7 @@ CryptParameterDecryption(
+ // the leading size is four bytes so get the four byte size field
+ cipherSize = BYTE_ARRAY_TO_UINT32(buffer);
+ buffer = &buffer[4]; //advance pointer
++ bufferSize -= 4;
+ }
+ #endif
+ else
+--
+2.39.2
+
diff --git a/0001-tpm2-Do-not-call-EVP_PKEY_CTX_set0_rsa_oaep_label-fo.patch b/0001-tpm2-Do-not-call-EVP_PKEY_CTX_set0_rsa_oaep_label-fo.patch
deleted file mode 100644
index d39b0fb..0000000
--- a/0001-tpm2-Do-not-call-EVP_PKEY_CTX_set0_rsa_oaep_label-fo.patch
+++ /dev/null
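Review bot: The `bufferSize -= 2;` and `bufferSize -= 4;` lines in the second and third embedded CryptUtil.c hunks are what keep the later in-place decryption inside the buffer, but nothing in the code says so, and an uncommented decrement is easy to lose in a future rebase. I would add a comment beside each, e.g. `// size field consumed: bufferSize must now count only the bytes after it`. The new early `return TPM_RC_INSUFFICIENT;` in the first hunk should also be named in the return-code documentation of CryptParameterDecryption, which starts outside these hunks. The comparison of `cipherSize` against `bufferSize` that the decrement is meant to tighten is not visible here either, so it is worth confirming that it still follows the `else` branch in the patched snapshot.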
@@ -1,37 +0,0 @@
-From e4261984374556da65c9d46097d5a1200b335c0c Mon Sep 17 00:00:00 2001
-From: Juergen Repp
-Date: Sat, 19 Feb 2022 12:59:32 +0100
-Subject: [PATCH] tpm2: Do not call EVP_PKEY_CTX_set0_rsa_oaep_label() for
- label of size 0 (OSSL 3)
-
-Openssl 3.0 did return an error if EVP_PKEY_CTX_set0_rsa_oaep_label was called
-with label size 0. The function should only be called if the size of the label
-is greater 0.
-With this fix TPM2_RSA_Encrypt/Decrypt did work with OpenSSL 1.1 and 3.0
-for encryption without label.
-
-Signed-off-by: Juergen Repp
----
- src/tpm2/crypto/openssl/CryptRsa.c | 5 ++---
- 1 file changed, 2 insertions(+), 3 deletions(-)
-
-diff --git a/src/tpm2/crypto/openssl/CryptRsa.c b/src/tpm2/crypto/openssl/CryptRsa.c
-index 4ed04384feb0..b5d6b6c3be82 100644
---- a/src/tpm2/crypto/openssl/CryptRsa.c
-+++ b/src/tpm2/crypto/openssl/CryptRsa.c
-@@ -1356,10 +1356,9 @@ CryptRsaEncrypt(
- if (tmp == NULL)
- ERROR_RETURN(TPM_RC_FAILURE);
- memcpy(tmp, label->buffer, label->size);
-+ if (EVP_PKEY_CTX_set0_rsa_oaep_label(ctx, tmp, label->size) <= 0)
-+ ERROR_RETURN(TPM_RC_FAILURE);
- }
-- // label->size == 0 is supported
-- if (EVP_PKEY_CTX_set0_rsa_oaep_label(ctx, tmp, label->size) <= 0)
-- ERROR_RETURN(TPM_RC_FAILURE);
- tmp = NULL;
- break;
- default:
---
-2.36.0.44.g0f828332d5ac
-
diff --git a/0001-tpm2-Fix-size-check-in-CryptSecretDecrypt.patch b/0001-tpm2-Fix-size-check-in-CryptSecretDecrypt.patch
deleted file mode 100644
index a886ee8..0000000
--- a/0001-tpm2-Fix-size-check-in-CryptSecretDecrypt.patch
+++ /dev/null
@@ -1,31 +0,0 @@ -From 3d2bbe2f1947784506ba0a7f9e8ab81eefb69929 Mon Sep 17 00:00:00 2001 -From: Ross Lagerwall -Date: Mon, 23 May 2022 14:16:57 +0100 -Subject: [PATCH] tpm2: Fix size check in CryptSecretDecrypt - -Check the secret size against the size of the buffer, not the size -member that has not been set yet. - -Reported by Coverity. - -Signed-off-by: Ross Lagerwall ---- - src/tpm2/CryptUtil.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/src/tpm2/CryptUtil.c b/src/tpm2/CryptUtil.c -index 9879f918acb6..002fde0987a9 100644 ---- a/src/tpm2/CryptUtil.c -+++ b/src/tpm2/CryptUtil.c -@@ -732,7 +732,7 @@ CryptSecretDecrypt( - nonceCaller->t.size); - } - // make sure secret will fit -- if(secret->t.size > data->t.size) -+ if(secret->t.size > sizeof(data->t.buffer)) - return TPM_RC_FAILURE; - data->t.size = secret->t.size; - // CFB decrypt, using nonceCaller as iv --- -2.36.0.44.g0f828332d5ac - diff --git a/gating.yaml b/gating.yaml deleted file mode 100644 index 32285f9..0000000 --- a/gating.yaml +++ /dev/null @@ -1,8 +0,0 @@ -# recipients: kvmqe-ci, yfu, qcheng ---- !Policy -product_versions: - - rhel-9 -decision_context: osci_compose_gate -subject_type: brew-build -rules: - - !PassingTestCaseRule {test_case_name: kvm-ci.libtpms.x86_64.brew-build.gating.tier1.functional} diff --git a/libtpms.spec b/libtpms.spec index e106280..92e010d 100644 --- a/libtpms.spec +++ b/libtpms.spec @@ -3,7 +3,7 @@ Name: libtpms Version: 0.9.1 -Release: 1.%{gitdate}git%{gitversion}%{?dist} +Release: 2.%{gitdate}git%{gitversion}%{?dist} Summary: Library providing Trusted Platform Module (TPM) functionality License: BSD @@ -11,6 +11,7 @@ Url: http://github.com/stefanberger/libtpms Source0: libtpms-%{gitdate}.tar.xz ExcludeArch: i686 Patch0003: 0001-tpm2-When-writing-state-initialize-s_ContextSlotMask.patch +Patch0004: 0001-tpm2-Check-size-of-buffer-before-accessing-it-CVE-20.patch BuildRequires: openssl-devel BuildRequires: pkgconfig gawk sed 
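Review bot: `Patch0004` is the only patch wired in by the second libtpms.spec hunk, while the same commit deletes 0001-tpm2-Fix-size-check-in-CryptSecretDecrypt.patch and the `Patch` lines visible in this hunk do not reference it, so it is unclear whether that size-check fix ships in this build. The deleted patch's index line ends in blob `002fde0987a9`, which matches the `002fde0` pre-image of CryptUtil.c in the new CVE patch, so the CVE patch appears to have been generated on a tree that already contained that fix. I would confirm that the CVE patch applies to the `%{gitdate}` snapshot without fuzz in CryptParameterDecryption and that the CryptSecretDecrypt check is either already in the tarball or dropped on purpose. A comment above the new line, e.g. `# CVE-2023-1017, CVE-2023-1018 (rhbz#2173964, rhbz#2173970)`, would also make the reason for the patch visible without reading the changelog.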
@@ -58,6 +59,11 @@ find %{buildroot} -type f -name '*.la' | xargs rm -f -- || : %{_mandir}/man3/* %changelog +* Tue Mar 21 2023 Marc-André Lureau - 0.9.1-2.20211126git1ff6fe1f43 +- Backport "tpm2: Check size of buffer before accessing it" (CVE-2023-1017 & CVE-2023-1018) + Resolves: rhbz#2173964 + Resolves: rhbz#2173970 + * Thu Jul 28 2022 Marc-André Lureau - 0.9.1-1.20211126git1ff6fe1f43 - Backport s_ContextSlotMask initialization fix Resolves: rhbz#2111433 diff --git a/make-git-snapshot.sh b/make-git-snapshot.sh index 999a2a5..79e161d 100755 --- a/make-git-snapshot.sh +++ b/make-git-snapshot.sh @@ -16,7 +16,6 @@ rm -rf $DIRNAME git clone ${REF:+--reference $REF} \ https://github.com/stefanberger/libtpms $DIRNAME -set -x GIT_DIR=$DIRNAME/.git git archive --format=tar --prefix=$DIRNAME/ ${1:-HEAD} \ | xz > $DIRNAME.tar.xz